Bug 751091 - Resource tree fails to render for non inventory manager
Resource tree fails to render for non inventory manager
Product: RHQ Project
Classification: Other
Component: Core Server (Show other bugs)
All All
medium Severity urgent (vote)
: ---
: JON 3.0.0,RHQ 4.3.0
Assigned To: Jay Shaughnessy
Mike Foley
: 750897 773235 (view as bug list)
Depends On:
Blocks: jon30-sprint8
  Show dependency treegraph
Reported: 2011-11-03 10:03 EDT by Jay Shaughnessy
Modified: 2012-02-07 14:19 EST (History)
3 users (show)

See Also:
Fixed In Version: 4.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-02-07 14:19:59 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jay Shaughnessy 2011-11-03 10:03:08 EDT
Non-inventory managers will get a permission error trying to render
the resource tree when navigating to any resource detail view.
Comment 1 Jay Shaughnessy 2011-11-03 10:05:41 EDT
This problem is due to the fix that went in for bug 734592.  It used a
ResourceCriteria.fetchParentResource(true), which for security
reasons requires Manage Inventory global perm.

The fix will have to avoid that call.
Comment 2 Jay Shaughnessy 2011-11-03 11:45:54 EDT
master         commit: a65ee3a2aff51ebba00fc897839d4719467830c0
release_jon3.x commit: 09e73f804a69af9899213f75944cc8443cfa905a

Remove use of ResourceCriteria.fetchParentResource(true) to support
AutoGroup naming. Instead, make use of the fact that the needed
resource information is available in an ancestral ResourceTreeNode.
This approach avoids the need for inventory manager perm (required
for fetchParentResource) and also the potential inabaility to
query for the resource on-demand, as it could be unavailable (locked)
to the user (but the locked resource tree node has what we need).

Test Notes:
* Testing should be done with Inventory manager and Non-Inventory Manager
* bug 734592 should be re-qualified as this reimplements the fix 
previously made for that bug. A suggested test sequence:

0) IF ALREADY IMPORTED, UN-IMPORT the  RHQ Server resource

1) Import RHQ Server resource

2) As rhqadmin, ensure tree rendering and autogroup naming is correct

3) Create a new recursive group test-734592-group
3.1) Add all of the children of the RHQ Server resource (this is made 
easier by adding the RHQ Server, letting it recursively add the children
and then going back and removing the RHQ Server resource)

4) Create a role test-734592-role
4.1) just the default read perms
4.2) assign the new test group

5) Create a new user test-734592-user 
5.1) Assign the new test role

6) Login as the new test user

7) Navigate to a Datasource resource

8) The tree should render and the RHQ Server should show as locked

9) Click on the Datasources AutoGroup node.

10) Verify that the  AG name is correct (no nulls, shows name of RHQ 
Server resource).

Perform any other relevant testing that you can think of.
Comment 3 Heiko W. Rupp 2011-11-03 12:45:18 EDT
*** Bug 750897 has been marked as a duplicate of this bug. ***
Comment 4 Mike Foley 2011-11-04 13:14:56 EDT
verified 11/4/2011
Comment 5 Lukas Krejci 2012-01-27 14:51:44 EST
*** Bug 773235 has been marked as a duplicate of this bug. ***
Comment 6 Mike Foley 2012-02-07 14:19:59 EST
changing status of VERIFIED BZs for JON 2.4.2 and JON 3.0 to CLOSED/CURRENTRELEASE

Note You need to log in before you can comment on or make changes to this bug.