Bug 784988 - JON 3.0.1 RC#1 CLI permissions with users other than rhqadmin
Product: RHQ Project
Classification: Other
Component: CLI
Unspecified Unspecified
high Severity medium
: JON 3.0.1
Assigned To: Ian Springer
Mike Foley
Blocks: jon310-sprint11/rhq44-sprint11
Reported: 2012-01-26 15:41 EST by Mike Foley
Modified: 2013-08-05 20:42 EDT
Doc Type: Bug Fix
Last Closed: 2012-02-01 11:11:08 EST

Description Mike Foley 2012-01-26 15:41:58 EST
Description of problem:  CLI permissions with users other than rhqadmin

Version-Release number of selected component (if applicable):  JON 3.0.1 RC#1

How reproducible:

Steps to Reproduce:
1. Create a new role. Accept the defaults. Expressly note that the new role has implied read permission on the inventory.
2. Create a new user. Assign the role created in step #1.
3. Using the CLI ... log in using the new user, e.g.

Actual results:

New user (with implied read permission on inventory) cannot read inventory

mfoley@localhost:7080$ [mfoley@foleymonsterbox1 bin]$ ./rhq-cli.sh -u mfoley -p password
RHQ - RHQ Enterprise Remote CLI 4.2.0.JON.3.0.1.GA
Remote server version is: 3.0.1.GA (784c8ce:5cde182)
Login successful
mfoley@localhost:7080$ var myresource = ProxyFactory.getResource(10034)
Wrapped org.rhq.enterprise.server.authz.PermissionException: [Warning] User [Subject[id=10001,name=mfoley]] does not have permission to view resource [10034] (<Unknown source>#1)
var myresource = ProxyFactory.getResource(10034) 

Expected results:  user with implied read permission for inventory can use CLI commands that read inventory

Additional info:
Comment 1 Mike Foley 2012-01-30 11:25:56 EST
12/30/2012 BZ triage meeting mfoley, ccrouch, loleary, asantos
Comment 2 Ian Springer 2012-01-31 17:32:42 EST
I think you might be confusing the INVENTORY-read Resource permission with the MANAGE_INVENTORY global permission. INVENTORY-read is the permission that is always implied. However, since it is a Resource permission, it only applies to the set of Resources that are members of one or more of the groups associated with the role. For example, for the user to view Resource 10034 (assuming the user did not have MANAGE_INVENTORY or MANAGE_SECURITY), that Resource would have to be in one of that user's role's groups.
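
The rule from comment 2 as a small self-contained model, added here as an illustration; it is not RHQ code and not part of the bug thread. Role 501, group 701 and resource 10050 are constructed sample values; only subject 10001 and resource 10034 come from the report.

```javascript
// Simplified model of the check described in comment 2 (not RHQ's implementation).
// Constructed sample data: role 501, group 701, resource 10050.
// From the bug report: subject 10001 (mfoley) and resource 10034.
const GLOBAL_BYPASS = ["MANAGE_INVENTORY", "MANAGE_SECURITY"];

function makeModel() {
  return {
    // role id -> global permissions held and resource groups attached
    roles: new Map([[501, { global: new Set(), groups: new Set() }]]),
    // group id -> member resource ids
    groups: new Map([[701, new Set([10050])]]),
    // subject id -> role ids
    subjects: new Map([[10001, new Set([501])]]),
  };
}

// Decide a "view resource" request and say which rule decided it.
function canViewResource(model, subjectId, resourceId) {
  const roleIds = model.subjects.get(subjectId) || new Set();
  for (const roleId of roleIds) {
    const role = model.roles.get(roleId);
    if (!role) continue;
    // Global permissions apply to every resource, grouped or not.
    const bypass = GLOBAL_BYPASS.find((p) => role.global.has(p));
    if (bypass) return { allowed: true, reason: `${bypass} via role ${roleId}` };
    // INVENTORY-read is implied, but only for members of the role's groups.
    for (const groupId of role.groups) {
      const members = model.groups.get(groupId) || new Set();
      if (members.has(resourceId)) {
        return { allowed: true, reason: `group ${groupId} via role ${roleId}` };
      }
    }
  }
  return { allowed: false, reason: "not in any group of the subject's roles" };
}

// Walk the scenario from the report, then the two changes that grant access.
function scenario() {
  const m = makeModel();
  const asReported = canViewResource(m, 10001, 10034); // default role, no groups
  m.roles.get(501).groups.add(701);
  const groupAttached = canViewResource(m, 10001, 10034); // 10034 still not a member
  m.groups.get(701).add(10034);
  const resourceGrouped = canViewResource(m, 10001, 10034);
  return { asReported, groupAttached, resourceGrouped };
}

console.log(scenario());
```

Attaching a group to the role is not enough on its own: the resource has to be a member of that group before the implied read permission covers it.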
