Bug 603899 - User assigned role with dynagroup, resourcehub shows wrong content
Summary: User assigned role with dynagroup, resourcehub shows wrong content
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RHQ Project
Classification: Other
Component: Core Server (Show other bugs)
(Show other bugs)
Version: 3.0.0
Hardware: All Linux
urgent
urgent vote
Target Milestone: ---
: ---
Assignee: Joseph Marques
QA Contact: Corey Welton
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: rhq_triage jon-sprint11-bugs
TreeView+ depends on / blocked
 
Reported: 2010-06-14 19:24 UTC by Jeff Weiss
Modified: 2014-11-09 22:50 UTC (History)
3 users (show)

Fixed In Version: 2.4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-08-12 16:52:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Jeff Weiss 2010-06-14 19:24:21 UTC
Description of problem:
User should only see groups to which he's assigned, but when assigned to a dynagroup he can see ALL dynagroups, and no resources of the dynagroup to which he's assigned.  

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Create a role with Control and Configure permissions
2. Create a user.
3. Create a dynagroup, say that lists all agents.
4. Assign the user and the dynagroup to the role you created.
5. Log in as that user and go to the resource browser
  
Actual results:
resource browser counts show (1) but no items shown under Resources.  Under groups the count is also (1) but all dynagroups are listed, not just the one you assigned to the role.

Expected results:
The dynagroup and/or the resources which belong to it should be shown, nothing else.  The counts should match the number of items displayed.


Additional info:

Comment 1 Joseph Marques 2010-06-21 18:13:26 UTC
raising this to urgent.  this isn't a matter of the counts being wrong, this is a matter of being able to see resources to which a user is entitled.  right now, the permissions appear to be too aggressive; upon logging in (after following the reproduction steps) no resources can be seen at all.

Comment 2 Joseph Marques 2010-06-21 18:15:11 UTC
Underlying exception in the server log is as follows:

14:11:35,854 ERROR [PagedListDataModel] Could not retrieve collection for PageControlView[BrowseResourcesUIBean]
org.rhq.enterprise.server.authz.PermissionException: Subject [simple] requires InventoryManager permission for requested query criteria.
	at org.rhq.enterprise.server.resource.ResourceManagerBean.findResourcesByCriteria(ResourceManagerBean.java:2044)
	at org.rhq.enterprise.server.resource.ResourceManagerBean.findResourceCompositesByCriteria(ResourceManagerBean.java:2024)

This is why the resource browser shows nothing.

Comment 3 Joseph Marques 2010-06-21 18:27:07 UTC
commit 22e6fee94ca7f2aabd2defad3922b04544488980
Author: Joseph Marques <joseph@redhat.com>
Date:   Mon Jun 21 14:23:31 2010 -0400

    BZ-603899: fix the overly aggressive authorization for the resource browser

Comment 4 Corey Welton 2010-06-23 13:11:54 UTC
I think the first part of this is fixed, but not the second?

When logging in as user, I do, now, see resources (all the agents) as expected.  However, when I go to groups, I am still seeing all groups created -- not just the one I have explicitly assigned to the user.  

Returning to dev for consideration.

Comment 5 Joseph Marques 2010-06-23 15:12:53 UTC
Corey, good catch.  You're right, I didn't even realize there was a second part to this fix.

Comment 6 Joseph Marques 2010-06-23 15:13:04 UTC
commit b9ca90d9414a7e09eeac2fb9e2423a3f607eafe7
Author: Joseph Marques <joseph@redhat.com>
Date:   Wed Jun 23 10:22:25 2010 -0400

    BZ-603899: add missing authorization check to ResourceGroupManager.findResourceGroupCompositesByCriteria

Comment 7 Corey Welton 2010-06-24 12:56:43 UTC
QA Verified.

Comment 8 Corey Welton 2010-08-12 16:52:12 UTC
Mass-closure of verified bugs against JON.


Note You need to log in before you can comment on or make changes to this bug.