Enable OCP token based authorization to restrict access to the inventory to only those OCP users with "*" access to the associated Provider CR. Authorization was implemented in the inventory in 2.0 but not enabled (disabled by default). In 2.0, the UI started passing the token header. This should just involve one change in the controller to default the setting, then testing with the UI.
Found that the UI requires a change to pass the correct token header. PR incoming.
How to verify: The primary goal is to ensure that inventory data is limited to callers that are authenticated by the OpenShift cluster. MTV currently does not support non-admin use cases, therefore it will be tested only by checking that GET requests to the REST API endpoints result in 401 (Unauthorized) when no token is included in the request, and 403 (Forbidden) when the token is invalid.
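The 401/403 behaviour the verification step asks for, as an added Go example that is not forklift's or MTV's own code: a small middleware in front of a stand-in inventory endpoint that returns 401 when no bearer token is presented and 403 when the token is rejected, probed in-memory with httptest. The `ValidateToken` map is a constructed stand-in for the real cluster-side check (a TokenReview plus an authorization check against the Provider CR); the token values, `/providers` path and `Probe` helper are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-in for the cluster-side check: in a real controller this
// would be a TokenReview followed by an authorization check for "*" access
// on the Provider CR. Here a fixed map of accepted tokens is assumed.
var allowedTokens = map[string]bool{
	"constructed-admin-token": true,
}

// ValidateToken reports whether the bearer token is accepted for the inventory.
func ValidateToken(token string) bool { return allowedTokens[token] }

// RequireToken wraps an inventory handler: 401 when no bearer token is
// presented, 403 when a token is presented but rejected, otherwise pass through.
func RequireToken(next http.Handler, validate func(string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		header := r.Header.Get("Authorization")
		if !strings.HasPrefix(header, prefix) {
			// No usable token in the request at all.
			http.Error(w, "missing bearer token", http.StatusUnauthorized) // 401
			return
		}
		token := strings.TrimSpace(strings.TrimPrefix(header, prefix))
		if token == "" {
			http.Error(w, "missing bearer token", http.StatusUnauthorized) // 401
			return
		}
		if !validate(token) {
			// Token present but not accepted by the cluster-side check.
			http.Error(w, "token rejected", http.StatusForbidden) // 403
			return
		}
		next.ServeHTTP(w, r)
	})
}

// inventory is a constructed stand-in for an inventory REST endpoint.
func inventory(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusOK)
	fmt.Fprintln(w, `{"providers":[]}`)
}

// Probe issues an in-memory GET with the given Authorization header value
// (empty string means no header) and returns the HTTP status code, mirroring
// the manual checks against the REST API described in the verification step.
func Probe(authHeader string) int {
	h := RequireToken(http.HandlerFunc(inventory), ValidateToken)
	req := httptest.NewRequest(http.MethodGet, "/providers", nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("no token:   ", Probe(""))                               // 401
	fmt.Println("bad token:  ", Probe("Bearer not-a-valid-token"))       // 403
	fmt.Println("valid token:", Probe("Bearer constructed-admin-token")) // 200
}
```

The distinction matters for the checks above: a missing or empty `Authorization` header is an authentication failure (401), while a well-formed token that the cluster does not accept for this Provider is an authorization failure (403), so both code paths should be exercised when verifying the controller default.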
mtv 2.1.0-44 verified 401/403 + UI Sanity
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Migration Toolkit for Virtualization 2.1.0), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2021:3278