Bug 754479 - Revisit permission handling for AgentManagerBean methods
Keywords:
Status: NEW
Alias: None
Product: RHQ Project
Classification: Other
Component: Core Server
Version: 4.2
Hardware: All
OS: All
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-11-16 16:16 UTC by Jay Shaughnessy
Modified: 2022-03-31 04:28 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 669521 0 urgent CLOSED getting agent clients is now too restrictive 2021-02-22 00:41:40 UTC

Internal Links: 669521

Description Jay Shaughnessy 2011-11-16 16:16:17 UTC
This is a follow-up for bug 669521. Relevant comments clipped:

jshaughn:
In the future:
- We may want to also ensure the calling Subject "canView" the resource
specified.

- We may want to add explicit permission checks on
getAgentClient(subject, resourceId) and not just defer the perm check to
getAgentByResourceId(), because getAgentClient() arguably should require
MANAGE_INVENTORY in addition to MANAGE_SETTINGS (or maybe even superuser).

- We need to similarly figure out how to handle
pingAgentByResourceId(subject, resourceId), which (against
the inline docs) also defers to getAgentClient(subject, resourceId) for
permission handling.

mazz:
agree - for now, assume SETTINGS is necessary only to view the agent 
info.

We should leave this issue open for further discussion for future release. 
Not sure SETTINGS is the perm we want - seems INVENTORY is the more 
appropriate one to use.
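
The difference between a deferred and an explicit permission check on getAgentClient(subject, resourceId), as an added sketch that is not part of the original report and is not RHQ source code. The class, the Subject record, the require() helper, the two getAgentClient variants, and the sample subjects and resource id are assumptions made for illustration; only the method and permission names come from the comments above. Requires Java 16 or later for records.

```java
import java.util.EnumSet;
import java.util.Set;

// Simplified stand-in for the permission model discussed above; not RHQ code.
public class AgentPermissionSketch {
    enum Permission { MANAGE_SETTINGS, MANAGE_INVENTORY }

    // Hypothetical Subject: global permissions plus the resource ids it may view.
    record Subject(String name, Set<Permission> perms, Set<Integer> viewable) {}

    static void require(Subject s, Permission p, String method) {
        if (!s.perms().contains(p))
            throw new SecurityException(s.name() + " lacks " + p + " for " + method);
    }

    // Behaviour described in the report: SETTINGS is what gates agent info.
    static String getAgentByResourceId(Subject s, int resourceId) {
        require(s, Permission.MANAGE_SETTINGS, "getAgentByResourceId");
        return "agent-for-" + resourceId;
    }

    // Deferred check: the only gate is whatever getAgentByResourceId() enforces,
    // so loosening or tightening that method silently changes this one too.
    static String getAgentClientDeferred(Subject s, int resourceId) {
        return "client:" + getAgentByResourceId(s, resourceId);
    }

    // Explicit check: the stricter requirements floated in the report are stated
    // in the method itself ("canView" the resource, MANAGE_INVENTORY on top of
    // the MANAGE_SETTINGS check still performed by the lookup).
    static String getAgentClientExplicit(Subject s, int resourceId) {
        if (!s.viewable().contains(resourceId))
            throw new SecurityException(s.name() + " cannot view resource " + resourceId);
        require(s, Permission.MANAGE_INVENTORY, "getAgentClient");
        return "client:" + getAgentByResourceId(s, resourceId);
    }

    public static void main(String[] args) {
        // Constructed sample subjects and resource id.
        Subject settingsOnly = new Subject("settings-admin",
                EnumSet.of(Permission.MANAGE_SETTINGS), Set.of());
        Subject inventoryAdmin = new Subject("inventory-admin",
                EnumSet.allOf(Permission.class), Set.of(10001));

        // The deferred variant hands a client to a subject holding only SETTINGS.
        System.out.println(getAgentClientDeferred(settingsOnly, 10001));
        try {
            getAgentClientExplicit(settingsOnly, 10001);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        System.out.println(getAgentClientExplicit(inventoryAdmin, 10001));
    }
}
```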

