Bug 754479 - Revisit permission handling for AgentManagerBean methods
Revisit permission handling for AgentManagerBean methods
Status: NEW
Product: RHQ Project
Classification: Other
Component: Core Server (Show other bugs)
4.2
All All
medium Severity medium (vote)
: ---
: ---
Assigned To: RHQ Project Maintainer
Mike Foley
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-11-16 11:16 EST by Jay Shaughnessy
Modified: 2011-12-15 10:33 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jay Shaughnessy 2011-11-16 11:16:17 EST
This is a follow-up for bug 669521. Relevant comments clipped:

jshaughn:
In the future:
- We may want to also ensure the calling Subject "canView" the resource
specified.

- We may want to add explicit permission checks on
getAgentClient(subject, resourceId) and not just defer the perm check to
getAgentByResourceId(), because getAgentClient() arguable should require
MANAGE_INVENTORY in addition to MANAGE_SETTINGS (or maybe even superuser).

- We need to similarly figure out how to handle
pingAgentByResourceId(subject, resourceId), which (against
the inline docs) also defers to getAgentClient(subject, resourceId) for
permission handling.

mazz:
agree - for now, assume SETTINGS is necessary only to view the agent 
info.

We should leave this issue open for further discussion for future release. 
Not sure SETTINGS is the perm we want - seems INVENTORY is the more 
appropriate one to use.

Note You need to log in before you can comment on or make changes to this bug.