Bug 769573 - Role enforcement in Cumin
Summary: Role enforcement in Cumin
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: cumin
Version: 2.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: 2.2
Target Release: ---
Assignee: Trevor McKay
QA Contact: Daniel Horák
URL:
Whiteboard:
Depends On:
Blocks: 737979 811230 828434 828935
 
Reported: 2011-12-21 11:18 UTC by Stanislav Graf
Modified: 2018-11-29 21:38 UTC (History)

Fixed In Version: cumin-0.1.5419-1
Doc Type: Bug Fix
Doc Text:
Cause: Cumin allowed the assignment of roles to user accounts but role enforcement was never implemented.
Consequence: There was no mechanism for distinguishing between administrative users with access to all displays and functions in the user interface and general users with access only to management of their own submissions.
Change: Role enforcement has been implemented, but will be off by default after installation and may be turned on in /etc/cumin/cumin.conf. General users will see only displays under the Grid User tab when enforcement is enabled. All users will default to the "user" role unless they are specifically assigned to the "admin" role with the cumin-admin command.
Result: Site administrators may now selectively grant administrative privileges to certain users. Other users will be able to manage their own jobs but will not have visibility to other jobs through Cumin.
Clone Of:
Environment:
Last Closed: 2012-09-19 17:42:07 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 837047 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Bugzilla 842998 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Product Errata RHSA-2012:1278 0 normal SHIPPED_LIVE Moderate: Red Hat Enterprise MRG Grid 2.2 security update 2012-09-19 21:40:26 UTC

Internal Links: 837047 842998

Description Stanislav Graf 2011-12-21 11:18:42 UTC
Description of problem:
When I create 2 users, each in a different role, there is no distinction between their privileges in the Cumin web interface.

This is how you can create two users with different roles:

[root@rhel6i ~]# cumin-database install
...
The database is installed
ecode=0
[root@rhel6i ~]# cumin-admin list-users
  ID Name                 Roles
---- -------------------- --------------------

(0 users found)
ecode=0
[root@rhel6i ~]# cumin-admin list-roles
  ID Name
---- --------------------
   1 user                
   2 admin               

(2 users found)
ecode=0
[root@rhel6i ~]# cumin-admin add-user cuser cuser
User 'cuser' is added
ecode=0
[root@rhel6i ~]# cumin-admin add-user cadmin cadmin
User 'cadmin' is added
ecode=0
[root@rhel6i ~]# cumin-admin remove-assignment cadmin user
User 'cadmin' is no longer assigned to role 'user'
ecode=0
[root@rhel6i ~]# cumin-admin add-assignment cadmin admin
User 'cadmin' is assigned to role 'admin'
ecode=0
[root@rhel6i ~]# cumin-admin list-users
  ID Name                 Roles
---- -------------------- --------------------
   3 cuser                user                
   4 cadmin               admin               

(2 users found)
ecode=0


Version-Release number of selected component (if applicable):
cumin-0.1.5098-2

How reproducible:
100%

Steps to Reproduce:
1. cumin-database install
2. cumin-admin add-user cuser cuser
3. cumin-admin add-user cadmin cadmin
4. cumin-admin remove-assignment cadmin user
5. cumin-admin add-assignment cadmin admin
6. cumin-admin list-users
7. Go to the Cumin web interface and try to find a difference
  
Actual results:
Cumin user and admin roles have the same privileges.

Expected results:
Cumin user and admin roles have different privileges.

Additional info:

Comment 6 Trevor McKay 2012-04-11 19:47:31 UTC
Fixed in revision 5295.

Comment 7 Trevor McKay 2012-04-25 20:29:18 UTC
Additional notes on testing:

1) Role enforcement is complete, but it is turned off by default currently for backwards compatibility.  At some point in the future it will be turned on by default, after an adjustment period.  With role enforcement off, there should be no difference between user and admin accounts as noted above.

2) To turn on role enforcement, set the "authorize" parameter in /etc/cumin/cumin.conf file in the [common] or [web] section:

authorize: True

3) (Re)start Cumin

4) Log in as the cadmin user.  There should be no difference with older versions of Cumin and with the current version when role enforcement is turned off.  Cumin will open to the Administrator->Grid tab.

5) Log in as the cuser user.  The entire "Administrator" tab will be missing -- Administrator->Grid and Administrator->Inventory, and everything below.  Only "Your account", "Grid user", and "About" should be visible.

How this works with the other personas:

1) In the 'default' persona (so named for historical reasons), the cadmin user will open to the Administrator->Overview tab showing Deepest Message Queues, Busiest Systems, and Longest Running Grid Submissions.  In addition to Administrator->Grid and Administrator->Inventory, there will be an Administrator->Messaging tab.

The cuser user will see the same view as in the 'grid' persona.  There will be no Messaging tab for the cuser user.

2) In the 'messaging' persona, no grid components are visible.  Just Messaging and Inventory.  There is no role enforcement in the Messaging persona, since the most likely case is "cuser sees nothing at all and cadmin sees everything".  In this scenario sites that run Cumin in the messaging persona would likely assign everyone the 'admin' role, so there seems little point.
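The two checks a site administrator would want after applying this fix are whether role enforcement is actually on and who holds the "admin" role. The following Python script is an added example for this bug report, not code from the Cumin project: it reads the "authorize" parameter from a copy of /etc/cumin/cumin.conf (the [common] and [web] sections named in comment 7) and parses captured output of cumin-admin list-users in the table layout shown in the description. The precedence of [web] over [common] is an assumption, not something the page states; the sample config and command output embedded below are constructed.

```python
"""Audit helper (added example; not part of Cumin or this bug report).

Check 1: is ``authorize`` enabled in cumin.conf ([common] or [web])?
Check 2: which users hold the ``admin`` role per ``cumin-admin list-users``?

Assumption (not stated on the page): a value in [web] overrides [common].
The list-users text is passed in as a string captured from the command.
"""
import configparser
import re
from typing import Dict, List, Optional

TRUE_VALUES = {"true", "yes", "on", "1"}

# Constructed sample: fresh install, nothing set -> enforcement off by default.
SAMPLE_CONF_DEFAULT = "[common]\n# authorize not set\n\n[web]\nhost = localhost\n"

# Constructed sample: [web] turns enforcement on, as comment 7 describes.
SAMPLE_CONF_ENFORCED = "[common]\nauthorize: False\n\n[web]\nauthorize: True\n"

# Constructed sample in the layout printed by ``cumin-admin list-users``.
SAMPLE_LIST_USERS = """  ID Name                 Roles
---- -------------------- --------------------
   3 cuser                user
   4 cadmin               admin

(2 users found)
ecode=0
"""


def authorize_enabled(conf_text: str) -> Optional[bool]:
    """Effective ``authorize`` value: True/False, or None when it is unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # Assumed precedence: [web] first, then [common].
    for section in ("web", "common"):
        if cp.has_option(section, "authorize"):
            return cp.get(section, "authorize").strip().lower() in TRUE_VALUES
    return None


# One table row: numeric ID, user name, then zero or more role names.
LIST_USERS_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s*(.*?)\s*$")


def parse_list_users(output: str) -> Dict[str, List[str]]:
    """Map user name -> list of roles from ``cumin-admin list-users`` output."""
    users: Dict[str, List[str]] = {}
    in_table = False
    for line in output.splitlines():
        if line.startswith("----"):      # separator line: rows follow
            in_table = True
            continue
        if not line.strip():             # blank line ends the table
            in_table = False
            continue
        if not in_table:
            continue
        m = LIST_USERS_ROW.match(line)
        if m:
            users[m.group(2)] = m.group(3).split()
    return users


def admin_users(output: str) -> List[str]:
    """Sorted names of users assigned the ``admin`` role."""
    return sorted(n for n, roles in parse_list_users(output).items() if "admin" in roles)


def audit(conf_text: str, list_users_output: str) -> List[str]:
    """Human-readable findings for the two checks."""
    findings = []
    enabled = authorize_enabled(conf_text)
    if enabled is None:
        findings.append("authorize not set: role enforcement OFF (installation default)")
    elif not enabled:
        findings.append("authorize is false: role enforcement OFF")
    else:
        findings.append("authorize is true: role enforcement ON")
    admins = admin_users(list_users_output)
    findings.append("admin role holders: " + (", ".join(admins) if admins else "none"))
    return findings


if __name__ == "__main__":
    for conf in (SAMPLE_CONF_DEFAULT, SAMPLE_CONF_ENFORCED):
        for line in audit(conf, SAMPLE_LIST_USERS):
            print(line)
        print("--")
```

On a real host, replace the constructed strings with the contents of /etc/cumin/cumin.conf and the captured output of cumin-admin list-users; an "OFF" finding means every account still gets the full Administrator tab, regardless of role assignments.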

Comment 8 Trevor McKay 2012-05-04 20:01:19 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause
    Cumin allowed the assignment of roles to user accounts but role enforcement was never implemented.

Consequence
    There was no mechanism for distinguishing between administrative users with access to all displays and functions in the user interface and general users with access only to management of their own submissions.

Change
    Role enforcement has been implemented, but will be off by default after installation and may be turned on in /etc/cumin/cumin.conf.  General users will see only displays under the Grid User tab when enforcement is enabled.  All users will default to the "user" role unless they are specifically assigned to the "admin" role with the cumin-admin command.

Result
    Site administrators may now selectively grant administrative privileges to certain users.  Other users will be able to manage their own jobs but will not have visibility to other jobs through Cumin.

Comment 20 Stanislav Graf 2012-07-25 08:45:03 UTC
I have verified the steps in comment 7.

Comment 23 Trevor McKay 2012-07-26 16:11:37 UTC
As QE has noticed, the "banner" code is not available in cumin-0.1.5419 and so the redirection messages can be viewed as log entries in web.log.

Comment 26 Daniel Horák 2012-07-27 09:53:39 UTC
Verified on RHEL 8.8, 6.3 - i386, x86_64 with condor-7.6.5-0.19 and cumin-0.1.5419-4.

>>> VERIFIED

Comment 27 Daniel Horák 2012-07-27 09:54:34 UTC
(In reply to comment #26)
> Verified on RHEL 8.8 
RHEL 5.8

Comment 53 errata-xmlrpc 2012-09-19 17:42:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1278.html

