Bug 603899 - User assigned role with dynagroup, resourcehub shows wrong content
Status: CLOSED CURRENTRELEASE
Product: RHQ Project
Classification: Other
Component: Core Server
Version: 3.0.0
Hardware: All Linux
Priority: urgent
Severity: urgent
Assigned To: Joseph Marques
QA Contact: Corey Welton
Blocks: rhq_triage jon-sprint11-bugs

Reported: 2010-06-14 15:24 EDT by Jeff Weiss
Modified: 2014-11-09 17:50 EST
Fixed In Version: 2.4
Doc Type: Bug Fix
Last Closed: 2010-08-12 12:52:12 EDT
Description Jeff Weiss 2010-06-14 15:24:21 EDT
Description of problem:
User should only see groups to which he's assigned, but when assigned to a dynagroup he can see ALL dynagroups, and no resources of the dynagroup to which he's assigned.  

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Create a role with Control and Configure permissions
2. Create a user.
3. Create a dynagroup, say that lists all agents.
4. Assign the user and the dynagroup to the role you created.
5. Log in as that user and go to the resource browser
  
Actual results:
resource browser counts show (1) but no items shown under Resources.  Under groups the count is also (1) but all dynagroups are listed, not just the one you assigned to the role.

Expected results:
The dynagroup and/or the resources which belong to it should be shown, nothing else.  The counts should match the number of items displayed.


Additional info:
Comment 1 Joseph Marques 2010-06-21 14:13:26 EDT
raising this to urgent.  this isn't a matter of the counts being wrong, this is a matter of being able to see resources to which a user is entitled.  right now, the permissions appear to be too aggressive; upon logging in (after following the reproduction steps) no resources can be seen at all.
Comment 2 Joseph Marques 2010-06-21 14:15:11 EDT
Underlying exception in the server log is as follows:

14:11:35,854 ERROR [PagedListDataModel] Could not retrieve collection for PageControlView[BrowseResourcesUIBean]
org.rhq.enterprise.server.authz.PermissionException: Subject [simple] requires InventoryManager permission for requested query criteria.
	at org.rhq.enterprise.server.resource.ResourceManagerBean.findResourcesByCriteria(ResourceManagerBean.java:2044)
	at org.rhq.enterprise.server.resource.ResourceManagerBean.findResourceCompositesByCriteria(ResourceManagerBean.java:2024)

This is why the resource browser shows nothing.
Comment 3 Joseph Marques 2010-06-21 14:27:07 EDT
commit 22e6fee94ca7f2aabd2defad3922b04544488980
Author: Joseph Marques <joseph@redhat.com>
Date:   Mon Jun 21 14:23:31 2010 -0400

    BZ-603899: fix the overly aggressive authorization for the resource browser
Comment 4 Corey Welton 2010-06-23 09:11:54 EDT
I think the first part of this is fixed, but not the second?

When logging in as user, I do, now, see resources (all the agents) as expected.  However, when I go to groups, I am still seeing all groups created -- not just the one I have explicitly assigned to the user.  

Returning to dev for consideration.
Comment 5 Joseph Marques 2010-06-23 11:12:53 EDT
Corey, good catch.  You're right, I didn't even realize there was a second part to this fix.
Comment 6 Joseph Marques 2010-06-23 11:13:04 EDT
commit b9ca90d9414a7e09eeac2fb9e2423a3f607eafe7
Author: Joseph Marques <joseph@redhat.com>
Date:   Wed Jun 23 10:22:25 2010 -0400

    BZ-603899: add missing authorization check to ResourceGroupManager.findResourceGroupCompositesByCriteria
Comment 7 Corey Welton 2010-06-24 08:56:43 EDT
QA Verified.
Comment 8 Corey Welton 2010-08-12 12:52:12 EDT
Mass-closure of verified bugs against JON.
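
The two failure modes in this thread (the over-strict global permission check from comment 2 and the missing check on the group query from comments 4 and 6), shown beside a query scoped to the groups assigned through the subject's roles. This is an added illustration, not RHQ code and not the committed fix; every class, method, and data value in it is hypothetical.

```java
import java.util.*;
import java.util.stream.*;

// Hypothetical model, not RHQ's classes: a subject holds roles, a role is assigned groups.
public class GroupQueryAuthz {
    record Group(int id, String name) {}
    record Role(String name, boolean inventoryManager, Set<Integer> groupIds) {}
    record Subject(String name, List<Role> roles) {
        boolean isInventoryManager() { return roles.stream().anyMatch(Role::inventoryManager); }
        Set<Integer> visibleGroupIds() {
            return roles.stream().flatMap(r -> r.groupIds().stream()).collect(Collectors.toSet());
        }
    }
    record Page(int totalCount, List<Group> items) {}

    static final List<Group> ALL_GROUPS = List.of(   // constructed sample data
        new Group(1, "all-agents"), new Group(2, "all-platforms"), new Group(3, "all-servers"));

    // Too strict (as in comment 2): demands the global permission, so a scoped user gets nothing.
    static Page findTooStrict(Subject s) {
        if (!s.isInventoryManager())
            throw new SecurityException("Subject [" + s.name() + "] requires InventoryManager permission");
        return new Page(ALL_GROUPS.size(), ALL_GROUPS);
    }

    // Unchecked (as in comment 4): no authorization filter, so every group is returned.
    static Page findUnchecked(Subject s) {
        return new Page(ALL_GROUPS.size(), ALL_GROUPS);
    }

    // Scoped: the global permission sees everything; otherwise filter by role-assigned groups.
    // Count and items come from the same filtered list, so they cannot disagree.
    static Page findScoped(Subject s) {
        Set<Integer> allowed = s.visibleGroupIds();
        List<Group> items = ALL_GROUPS.stream()
            .filter(g -> s.isInventoryManager() || allowed.contains(g.id()))
            .collect(Collectors.toList());
        return new Page(items.size(), items);
    }

    public static void main(String[] args) {
        Subject simple = new Subject("simple", List.of(new Role("ops", false, Set.of(1))));
        System.out.println("unchecked: " + findUnchecked(simple).items());
        System.out.println("scoped:    " + findScoped(simple));
        try { findTooStrict(simple); }
        catch (SecurityException e) { System.out.println("strict:    " + e.getMessage()); }
    }
}
```

A regression test for this class of bug should assert both directions for a non-admin subject: assigned groups are returned, and unassigned groups are not.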
