Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
I created a user "akarol" and launched a few EC2 instances as "akarol". Then I revoked all the default roles permissions. I also revoked zone and application permissions. As "akarol" I was able to stop the instances. Also, while stopping the instance, no status message was displayed; the instance just got stopped.

Expected results:
A non-admin should not be able to stop instances if all the permissions are revoked.

Additional info:
rpm -qa | grep aeolus
aeolus-conductor-doc-0.8.0-36.el6.noarch
rubygem-aeolus-cli-0.3.0-10.el6.noarch
aeolus-all-0.8.0-36.el6.noarch
aeolus-conductor-0.8.0-36.el6.noarch
rubygem-aeolus-image-0.3.0-10.el6.noarch
aeolus-configure-2.5.0-15.el6.noarch
aeolus-conductor-daemons-0.8.0-36.el6.noarch
Hmm. I wonder if you still had instance permissions. When a user launches, both the 'deployment' and 'instance' are owned by the launching user. We track permissions at both levels so you can share a single instance _or_ the whole deployment/app. If you still had those, this is NOTABUG. Cascading permission deletion/"revoke everything granted to a user"/etc. is out of scope for now, but I imagine we'll need to handle something like this in the future.
*** Bug 798212 has been marked as a duplicate of this bug. ***
I have retested this in two different scenarios:

1. Revoked all the global roles --> the user is still able to stop the VM, as the user has local permissions (zone user, application owner roles).
2. After revoking the local permissions (zone user, application owner roles), the user was unable to view zone and applications respective.

On:
rpm -qa | grep aeolus
rubygem-aeolus-image-0.3.0-12.el6.noarch
aeolus-conductor-0.8.7-1.el6.noarch
aeolus-conductor-doc-0.8.7-1.el6.noarch
aeolus-conductor-daemons-0.8.7-1.el6.noarch
aeolus-configure-2.5.2-1.el6.noarch
aeolus-all-0.8.7-1.el6.noarch
rubygem-aeolus-cli-0.3.1-1.el6.noarch
From the last comment, it sounds like this is working fine -- at least the description in the comment sounds like what I'd expect it to do.
As per comment #3: "after revoking the local permissions zone user, application owner roles user was unable to view zone and applications perspective." I have a similar observation after revoking rights. Marking this bug as Verified.
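The multi-level permission behaviour discussed in this thread (grants tracked separately on the deployment and on the instance, with no cascading revoke), as an added example that is not part of the bug report and not Aeolus Conductor code. It is a simplified Ruby model: the `Grant` struct, the role-to-action table, the `global_user` and `instance_owner` role names, and the scope ids are assumptions made for illustration.

```ruby
# Simplified model (assumption, not Aeolus Conductor code): a grant binds a
# user and a role to one scope. An action on an instance is allowed if any
# grant on the instance, its deployment, its zone, or the global scope allows it.
Grant = Struct.new(:user, :role, :scope)

ROLE_ACTIONS = {                        # hypothetical role -> action mapping
  'global_user'       => [:view],
  'zone_user'         => [:view, :launch],
  'application_owner' => [:view, :stop],
  'instance_owner'    => [:view, :stop]
}.freeze

# Scope chain for one instance, most specific first (constructed sample ids).
CHAIN = ['instance:i-1', 'deployment:d-1', 'zone:z-1', 'global'].freeze

def can?(grants, user, action, chain = CHAIN)
  grants.any? do |g|
    g.user == user && chain.include?(g.scope) &&
      ROLE_ACTIONS.fetch(g.role, []).include?(action)
  end
end

# Revoke only the grants held at the named scope levels; nothing cascades.
def revoke(grants, user, levels)
  grants.reject { |g| g.user == user && levels.include?(g.scope.split(':').first) }
end

# Audit helper: list what a user still holds, to explain why access persists.
def residual(grants, user)
  grants.select { |g| g.user == user }.map { |g| "#{g.role}@#{g.scope}" }
end

def launch_grants(user) # grants created when `user` launches (constructed)
  [Grant.new(user, 'global_user', 'global'),
   Grant.new(user, 'zone_user', 'zone:z-1'),
   Grant.new(user, 'application_owner', 'deployment:d-1'),
   Grant.new(user, 'instance_owner', 'instance:i-1')]
end

def scenarios(user = 'akarol')
  after_global = revoke(launch_grants(user), user, %w[global])
  after_local  = revoke(after_global, user, %w[zone deployment])
  after_all    = revoke(after_local, user, %w[instance])
  { global_only: can?(after_global, user, :stop),   # local grants remain
    zone_and_app: can?(after_local, user, :stop),   # instance grant remains
    everything: can?(after_all, user, :stop),
    leftover: residual(after_local, user) }
end
```

In this model, stop access ends only once the instance-level grant is removed as well, which is why a residual-grant listing per user is the useful check after any revoke.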