Bug 1881958 - Non admin users behave as admin users and have their permissions
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: General
Version: 4.4.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.4.3
Assignee: Eli Mesika
QA Contact: Ivana Saranova
Depends On: 1808320
Blocks: 1822372
Reported: 2020-09-23 13:43 UTC by Ivana Saranova
Modified: 2020-11-11 06:41 UTC

Fixed In Version: ovirt-engine-4.4.3.6
Doc Type: No Doc Update
Last Closed: 2020-11-11 06:41:43 UTC
oVirt Team: Infra
pm-rhel: ovirt-4.4+
aoconnor: blocker+


Attachments
screenshot to comment #7 (139.31 KB, image/png)
2020-09-29 14:18 UTC, Eli Mesika


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 111497 0 master MERGED db: fixing MAC POOL user role type 2021-01-13 13:24:47 UTC

Description Ivana Saranova 2020-09-23 13:43:30 UTC
Description of problem:
Non admin user without any admin role or permissions can access Admin Portal and do most of the actions only permitted to admin users. In VM portal he can see all the VMs just as an admin user does.

Version-Release number of selected component (if applicable):
ovirt-engine-4.4.3.3-0.19.el8ev.noarch

How reproducible:
Always

Steps to Reproduce:
1. Have non admin user without any admin permissions or roles
2. Log in to admin portal (or VM portal)
3.

Actual results:
Non admin user can access admin portal and behaves like admin user in both admin portal and VM portal.

Expected results:
Non admin user cannot log into admin portal and does not have admin rights in VM portal.

Additional info:

Comment 1 Martin Perina 2020-09-23 14:42:31 UTC
Are you sure that your user doesn't have any administrator role assigned on any object? And the user is not a member of any group (recursively) which has any administrator role assigned on any object?

Comment 4 Ivana Saranova 2020-09-23 15:26:34 UTC
I forgot to add that I cannot reproduce this issue on ovirt-engine-4.4.2.6-0.2.el8ev.noarch

Comment 6 Michal Skrivanek 2020-09-25 07:17:40 UTC
Please add an OST test to check that a regular user can't get into webadmin; this is not the first time it slipped through.

Comment 8 Eli Mesika 2020-09-29 14:18:22 UTC
Created attachment 1717557
screenshot to comment #7

Comment 15 Ivana Saranova 2020-10-05 12:32:20 UTC
Please, move to ON_QA when the package has been provided to QE. Moving back to MODIFIED.

Comment 16 Ivana Saranova 2020-10-19 11:21:36 UTC
Steps:
1) Create a new user with the ovirt-aaa-jdbc-tool
2) Log in as admin to AdminPortal and add UserRole/PowerUserRole to the new user
3) Try to login to AdminPortal as the new user
4) Login to VM Portal and check if user behaves as an admin there
5) Create a new group and new user with the ovirt-aaa-jdbc-tool
6) Add the new user to the group
7) Log in as admin to AdminPortal and add the UserRole/PowerUserRole to the new group
3) Try to login to AdminPortal as the new user
4) Login to VM Portal and check if user behaves as an admin there

Results:
New user cannot login to AdminPortal and does not behave as an admin in VM Portal.

Verified in:
ovirt-engine-4.4.3.6-0.13.el8ev.noarch

Comment 17 Sandro Bonazzola 2020-11-11 06:41:43 UTC
This bugzilla is included in oVirt 4.4.3 release, published on November 10th 2020.

Since the problem described in this bug report should be resolved in oVirt 4.4.3 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

