Bug 753883 - MODIFY_RESOURCE Resource perm should be required in order to delete ResourceErrors
MODIFY_RESOURCE Resource perm should be required in order to delete ResourceE...
Product: RHQ Project
Classification: Other
Component: Core Server, Core UI (Show other bugs)
Unspecified Unspecified
high Severity medium (vote)
: ---
: RHQ 4.3.0,JON 3.0.0
Assigned To: Ian Springer
Mike Foley
Depends On:
Blocks: jon30-sprint9 jon30-sprint8
  Show dependency treegraph
Reported: 2011-11-14 13:33 EST by Ian Springer
Modified: 2013-08-05 20:42 EDT (History)
3 users (show)

See Also:
Fixed In Version: 4.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-02-07 14:24:19 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ian Springer 2011-11-14 13:33:21 EST
ResourceManagerBean.deleteResourceError() currently only checks that the subject has VIEW_RESOURCE.

We should:

1) update ResourceManagerBean.deleteResourceError() to require MODIFY_RESOURCE

2) update the GUI (ResourceErrorsView) to gray out the Delete button if the user does not have MODIFY_RESOURCE
Comment 1 Ian Springer 2011-11-14 18:03:25 EST

[master c6e550f]
[release_jon3.x 3a8916b]
Comment 2 Mike Foley 2011-11-15 13:36:09 EST
i see some correct behavior ... but also have a question.

first...the correct behavior:
i created a group.
i created a role that included this group.  for this role, i first did not set manage inventory....and had read permission (but not write) for inventory.  
i created a user that belonged to this group.
i logged in as this user, and this user could view,  and not delete the group.


i added write permission for inventory.  
i logged in as the user again.
this user still could not delete the group.


i added global permission for manage inventory.
i logged in as the user again.
this user could delete the group.

so now my questions:  
1) does VIEW_RESOURCE and MODIFY_RESOURCE corresspond to the resource permissions for inventory  or to the global authorization for manage inventory?
2) test #2 above ... is that behavior correct?  i sort of expected that to PASS.
3) can you clarify the test to verify this?  it is not clear to me .
Comment 3 Ian Springer 2011-11-16 11:47:58 EST
That's the expected behavior. The global MANAGE_INVENTORY permission is required to delete a group (it's also required to create groups). If a user only has the inventory-write perm (aka MODIFY_RESOURCE) for a group, that's not sufficient to delete it.
Comment 4 Charles Crouch 2011-11-29 11:02:15 EST
This is related to the hudson failure on Monday 28th, so setting back to ON_QA to confirm this is resolved in the release branch
Comment 5 Sunil Kondkar 2011-12-02 04:31:34 EST
Verified in build#114 in release_jon3.x branch

Changed the JBoss AS 5 server principal and credentials to incorrect values. It displayed a yellow triangle showing resource errors.

Created a compatible group of JBoss AS 5 resources. Created a user. Created a role with 'Inventory-read' (VIEW_RESOURCE) permissions and assigned compatible group and user to this role.

Logged in as the user and navigated to the summary tab of the JBoss AS 5 resource.
Clicked on the yellow triangle showing resource errors.

Selected the error and observed that the 'Delete' button is not enabled as expected.

Logged in to RHQ as rhqadmin and changed the role permissions to resource level inventory-write (MODIFY_RESOURCE).

Logged in as the user and verified that selecting the error in JBoss AS 5 resource error modal enables the 'Delete' button. Clicking the 'Delete' button deletes the error from modal and displays message in UI and message center.

Marking as verified.
Comment 6 Mike Foley 2012-02-07 14:24:19 EST
changing status of VERIFIED BZs for JON 2.4.2 and JON 3.0 to CLOSED/CURRENTRELEASE
Comment 7 Mike Foley 2012-02-07 14:26:28 EST

Note You need to log in before you can comment on or make changes to this bug.