Bug 2144346 - Search returns all entities the permissions allow if the user is not admin
Summary: Search returns all entities the permissions allow if the user is not admin
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.5.3
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ovirt-4.5.3-async
Assignee: Eli Mesika
QA Contact: Barbora Dolezalova
URL:
Whiteboard:
Duplicates: 2078946
Depends On:
Blocks:
Reported: 2022-11-20 21:42 UTC by Germano Veit Michel
Modified: 2023-01-11 11:25 UTC

Fixed In Version: ovirt-engine-4.5.3.5
Doc Type: Bug Fix
Doc Text:
Previously, search conditions were not applied properly when a non-admin user tried to search for Clusters or Data Centers over the REST API. In this release, both admin and non-admin users can search for clusters properly using the REST API.
Clone Of:
Environment:
Last Closed: 2023-01-11 11:25:38 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:




Links
System ID                               Status  Summary                                                        Last Updated
Github oVirt ovirt-engine pull 766      open    Search correctly entities with user role                       2022-12-04 14:53:16 UTC
Github oVirt ovirt-engine pull 768      open    backport: Search correctly entities with user role (#766)      2022-12-05 12:14:12 UTC
Red Hat Issue Tracker RHV-48061                                                                                2022-11-20 21:42:36 UTC
Red Hat Knowledge Base (Solution) 6986645                                                                      2022-11-20 22:00:08 UTC
Red Hat Product Errata RHSA-2023:0074                                                                          2023-01-11 11:25:55 UTC

Description Germano Veit Michel 2022-11-20 21:42:16 UTC
Description of problem:

When doing a search with a user (not admin), the API returns all objects the user has access to, not just the searched one as it does with the admin user.

Version-Release number of selected component (if applicable):
rhvm-4.5.3.2-1.el8ev.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create 2+ Clusters (no need to initialize or anything, just have them there)
   engine=# select name from cluster;
     name   
   ---------
    Default
    Other
   (2 rows)

2. Create 1 additional internal user, give system permissions as Power User
   ovirt-aaa-jdbc-tool user add germano --attribute=firstName=Germano
   ovirt-aaa-jdbc-tool user password-reset germano --password-valid-to="2025-08-01 12:00:00-0800"

3. As admin user, search for 'Default' cluster, note only Default is returned.
$ curl -s -k -u "admin@internal:redhat" -H "Content-type: application/xml" https://rhvm.lab.toca.local/ovirt-engine/api/clusters?search=name%3D%22Default%22 | grep "^        <name>"
        <name>Default</name>

4. As "user" user, do the same search. Note both are returned
$ curl -s -k -u "germano@internal:redhat" -H "Content-type: application/xml" "https://rhvm.lab.toca.local/ovirt-engine/api/clusters?search=name%3D%22Default%22" | grep "^        <name>"
        <name>Default</name>
        <name>Other</name>

Actual results:
* incorrect search results returned
* as a consequence, ovirt_vm is broken when using a non-admin user, as specifying a cluster will actually pick the first from the list and not the searched one.

Expected results:
* same results returned as admin user

Additional info:

Looks like Search is not called at all for non-admin; it goes to GetAllClusters instead.

admin
-----
2022-11-21 07:37:13,772+10 DEBUG [org.ovirt.engine.core.bll.Backend] (default task-2) [] Executing query Search with isFiltered : false for user admin@internal-authz.
2022-11-21 07:37:13,773+10 DEBUG [org.ovirt.engine.core.bll.SearchQuery] (default task-2) [88617e5f-0f05-4400-aa08-4ecb12b25651] Executing generic query: SELECT * FROM ((SELECT  cluster_view.* FROM  cluster_view   WHERE  cluster_view.name ILIKE 'Default' )  ORDER BY name ASC) as T1 OFFSET (1 -1) LIMIT 2147483647

user
----
2022-11-21 07:38:37,589+10 DEBUG [org.ovirt.engine.core.bll.Backend] (default task-2) [] Executing query GetAllClusters with isFiltered : true for user germano@internal-authz.
2022-11-21 07:38:37,592+10 DEBUG [org.ovirt.engine.core.bll.GetAllClustersQuery] (default task-2) [4b876e47-ecf9-467f-8a3d-725a476c3cbe] Query GetAllClustersQuery took 3 ms
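
As an added, offline check (not part of this bug report and not ovirt-engine's own code): the functions below build the search URL the report uses, parse the <clusters> XML the search endpoint returns, and report every entity the search should have filtered out, so a client can detect an engine that still shows this behaviour for its own (non-admin) credentials. They also pick the cluster by name instead of taking the first element, which is the failure mode described above for ovirt_vm. The two sample responses, the cluster ids and the host name are constructed for the example; the name comparison is case-insensitive to mirror the ILIKE in the admin query logged above.

```python
"""Client-side check for the non-admin search filtering bug (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample responses (not captured from a real engine), shaped like the
# <clusters> collection returned by GET /ovirt-engine/api/clusters?search=...
ADMIN_RESPONSE = """<clusters>
  <cluster href="/ovirt-engine/api/clusters/aaa" id="aaa">
    <name>Default</name>
  </cluster>
</clusters>"""

NON_ADMIN_RESPONSE = """<clusters>
  <cluster href="/ovirt-engine/api/clusters/aaa" id="aaa">
    <name>Default</name>
  </cluster>
  <cluster href="/ovirt-engine/api/clusters/bbb" id="bbb">
    <name>Other</name>
  </cluster>
</clusters>"""


def search_url(base, collection, name):
    """Build the search URL using the engine search syntax name="<value>".

    urlencode percent-encodes the '=' and the quotes, giving the same
    search=name%3D%22Default%22 form used in the report's curl commands.
    """
    query = urlencode({"search": f'name="{name}"'})
    return f"{base}/ovirt-engine/api/{collection}?{query}"


def _same_name(a, b):
    # Mirrors the case-insensitive ILIKE match seen in the admin SearchQuery log.
    return a is not None and a.lower() == b.lower()


def cluster_names(xml_text):
    """Return the <name> of every <cluster> element in the response, in order."""
    root = ET.fromstring(xml_text)
    return [c.findtext("name") for c in root.findall("cluster")]


def unexpected_results(xml_text, wanted_name):
    """Names in the response that a name="<wanted_name>" search should have excluded.

    A non-empty list means the engine ignored the search condition for this
    caller, i.e. it behaves as the non-admin case in the report.
    """
    return [n for n in cluster_names(xml_text) if not _same_name(n, wanted_name)]


def select_cluster(xml_text, wanted_name):
    """Pick the cluster id by name rather than trusting the first element.

    Returns None when there is no single matching cluster, instead of silently
    falling back to whatever the engine listed first.
    """
    root = ET.fromstring(xml_text)
    matches = [c for c in root.findall("cluster")
               if _same_name(c.findtext("name"), wanted_name)]
    if len(matches) != 1:
        return None
    return matches[0].get("id")


if __name__ == "__main__":
    for label, body in (("admin", ADMIN_RESPONSE), ("non-admin", NON_ADMIN_RESPONSE)):
        extra = unexpected_results(body, "Default")
        print(f"{label}: unexpected entities returned: {extra or 'none'}")
    print("selected cluster id:", select_cluster(NON_ADMIN_RESPONSE, "Default"))
```

To run this against a real engine, fetch the body of search_url(...) with the non-admin credentials and pass it to unexpected_results; a non-empty list reproduces the bug. select_cluster is the defensive choice a client can make on either side of the fix.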

Comment 1 Casper (RHV QE bot) 2022-11-20 22:00:38 UTC
This bug has low overall severity and is not going to be further verified by QE. If you believe special care is required, feel free to properly align relevant severity, flags and keywords to raise PM_Score or use one of the Bumps ('PrioBumpField', 'PrioBumpGSS', 'PrioBumpPM', 'PrioBumpQA') in Keywords to raise its PM_Score above the verification threshold (1000).

Comment 2 Eli Mesika 2022-12-04 15:36:40 UTC
*** Bug 2078946 has been marked as a duplicate of this bug. ***

Comment 7 Barbora Dolezalova 2022-12-20 11:21:47 UTC
I followed the reproduction steps and it works as it should (same results returned as admin user).

Verified in ovirt-engine-4.5.3.6-0.zstream.20221207085812.gitdecf5699b99.el8.noarch

Comment 9 errata-xmlrpc 2023-01-11 11:25:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: RHV 4.4 SP1 [ovirt-4.5.3-3] security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0074

