Hide Forgot
Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. Created a non admin user (shveta) 2. Launched an instance from admin 3. Revoked all access of deployable for non-admin user(shveta) 4. non admin user can still login and stop that instance. Actual results: Expected results: Additional info: rpm -qa|grep aeolus rubygem-aeolus-image-0.2.0-1.el6.noarch aeolus-conductor-0.7.0-4.el6.noarch aeolus-conductor-doc-0.7.0-4.el6.noarch aeolus-configure-2.4.0-3.el6.noarch rubygem-aeolus-cli-0.2.0-3.el6.noarch aeolus-all-0.7.0-4.el6.noarch aeolus-conductor-daemons-0.7.0-4.el6.noarch
adding to ce-sprint-next
adding to ce-sprint
removing ce-sprint-next tracker
Stopping an instance won't depend on deployable permissions. However, if the non-admin user in question wasn't the one that launched the instance, this is still a bug -- conductor should be verifying that the user has 'Use Instance' permissions on the instance being stopped.
What page did you access to stop the instance? I attempted to test this out and, as non-admin user without depoyment rights, when I clicked on the deployment URL I got an 'insufficient privileges' error page, so I could not get to the instance list. If you could provide the URL of the page on which you were able to stop the instance on which you shouldn't have had access, that would help me track this down.
This is changed/fixed recently it seems. Error not reproducible . Verified in rpm -qa|grep aeolus aeolus-conductor-0.8.0-7.el6.noarch aeolus-configure-2.5.0-4.el6.noarch aeolus-conductor-daemons-0.8.0-7.el6.noarch rubygem-aeolus-image-0.3.0-2.el6.noarch rubygem-aeolus-cli-0.3.0-3.el6.noarch aeolus-all-0.8.0-7.el6.noarch aeolus-conductor-doc-0.8.0-7.el6.noarch