Red Hat Bugzilla – Bug 754479
Revisit permission handling for AgentManagerBean methods
Last modified: 2011-12-15 10:33:47 EST
This is a follow-up for bug 669521. Relevant comments clipped:
In the future:
- We may want to also ensure the calling Subject "canView" the resource
- We may want to add explicit permission checks on
getAgentClient(subject, resourceId) and not just defer the perm check to
getAgentByResourceId(), because getAgentClient() arguably should require
MANAGE_INVENTORY in addition to MANAGE_SETTINGS (or maybe even superuser).
- We need to similarly figure out how to handle
pingAgentByResourceId(subject, resourceId), which (against
the inline docs) also defers to getAgentClient(subject, resourceId) for
agree - for now, assume SETTINGS is necessary only to view the agent
We should leave this issue open for further discussion for a future release.
Not sure SETTINGS is the perm we want - seems INVENTORY is the more
appropriate one to use.