Bug 798204 - Non-admin user able to stop instances even if all the roles are revoked.
Summary: Non-admin user able to stop instances even if all the roles are revoked.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: CloudForms Cloud Engine
Classification: Retired
Component: aeolus-conductor
Version: 1.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: beta6
Assignee: Scott Seago
QA Contact: pushpesh sharma
URL:
Whiteboard:
Duplicates: 798212
Depends On:
Blocks:
Reported: 2012-02-28 10:08 UTC by Aziza Karol
Modified: 2014-08-04 22:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-30 17:17:00 UTC



Description Aziza Karol 2012-02-28 10:08:22 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
I created a user "akarol" and launched a few EC2 instances as "akarol".
Then I revoked all the default role permissions. I also revoked zone and application permissions.


As "akarol" I was able to stop the instances.
Also, while stopping the instance, no status message got displayed; the instance just got stopped.

Expected results:
A non-admin should not be able to stop instances if all the permissions are revoked.

Additional info:
rpm -qa | grep aeolus
aeolus-conductor-doc-0.8.0-36.el6.noarch
rubygem-aeolus-cli-0.3.0-10.el6.noarch
aeolus-all-0.8.0-36.el6.noarch
aeolus-conductor-0.8.0-36.el6.noarch
rubygem-aeolus-image-0.3.0-10.el6.noarch
aeolus-configure-2.5.0-15.el6.noarch
aeolus-conductor-daemons-0.8.0-36.el6.noarch

Comment 1 Scott Seago 2012-02-29 17:45:37 UTC
Hmm. I wonder if you still had instance permissions. When a user launches, both the 'deployment' and 'instance' are owned by the launching user. We track permissions at both levels so you can share a single instance _or_ the whole deployment/app.

If you still had those, this is NOTABUG. Cascading permission deletion/"revoke everything granted to a user"/etc. is out of scope for now, but I imagine we'll need to handle something like this in the future.
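The layered ownership this comment describes (global roles plus separate grants on the deployment and on the instance), as an added illustration that is not aeolus-conductor's code; the Authorizer class, the role names and the two revoke methods are assumptions made for the example:

```ruby
# Added illustration, not aeolus-conductor's own code: permissions granted at
# three scopes (global roles, a per-deployment grant, a per-instance grant).
Deployment = Struct.new(:name)
Instance   = Struct.new(:name, :deployment)
Grant      = Struct.new(:user, :role, :scope)  # scope: :global, Deployment, Instance
# Roles that carry the "stop instance" privilege at each scope (assumed names).
STOP_ROLES = {
  global:     %w[admin instance_admin],
  deployment: %w[deployment_owner],
  instance:   %w[instance_owner],
}.freeze

class Authorizer
  def initialize; @grants = []; end

  def grant(user, role, scope)
    @grants << Grant.new(user, role, scope)
  end

  # Layered check: a global role OR a grant on the enclosing deployment OR a
  # grant on the instance itself is enough to allow the stop action.
  def can_stop?(user, instance)
    @grants.any? do |g|
      next false unless g.user == user
      case g.scope
      when :global    then STOP_ROLES[:global].include?(g.role)
      when Deployment then g.scope.equal?(instance.deployment) && STOP_ROLES[:deployment].include?(g.role)
      when Instance   then g.scope.equal?(instance) && STOP_ROLES[:instance].include?(g.role)
      end
    end
  end

  # What the reporter did: remove only the global role assignments.
  def revoke_global!(user)
    @grants.reject! { |g| g.user == user && g.scope == :global }
  end

  # The cascading "revoke everything granted to a user" this comment calls out of scope.
  def revoke_all!(user)
    @grants.reject! { |g| g.user == user }
  end
end

# Reproduces the report: the launching user owns both deployment and instance,
# so revoking global roles alone leaves the object-level grants in place.
def reproduce
  auth = Authorizer.new
  dep  = Deployment.new("app")
  inst = Instance.new("i-1", dep)
  auth.grant("akarol", "instance_admin", :global)
  auth.grant("akarol", "deployment_owner", dep)
  auth.grant("akarol", "instance_owner", inst)
  auth.revoke_global!("akarol")
  after_global = auth.can_stop?("akarol", inst)  # still allowed
  auth.revoke_all!("akarol")
  [after_global, auth.can_stop?("akarol", inst)]
end
```

`reproduce` returns `[true, false]`: the stop is still permitted after global revocation and only denied once the per-object grants are removed too.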

Comment 2 wes hayutin 2012-03-19 18:16:51 UTC
*** Bug 798212 has been marked as a duplicate of this bug. ***

Comment 3 Rehana 2012-04-04 09:24:04 UTC
I have retested this in two different scenarios:

1. Revoked all the global roles --> the user is still able to stop the VM, as the user has local permissions (zone user, application owner roles).

2. After revoking the local permissions (zone user, application owner roles), the user was unable to view the zone and applications, respectively.

on:

rpm -qa | grep aeolus
rubygem-aeolus-image-0.3.0-12.el6.noarch
aeolus-conductor-0.8.7-1.el6.noarch
aeolus-conductor-doc-0.8.7-1.el6.noarch
aeolus-conductor-daemons-0.8.7-1.el6.noarch
aeolus-configure-2.5.2-1.el6.noarch
aeolus-all-0.8.7-1.el6.noarch
rubygem-aeolus-cli-0.3.1-1.el6.noarch

Comment 4 Scott Seago 2012-04-04 13:28:24 UTC
From the last comment, it sounds like this is working fine -- at least the description in the comment sounds like what I'd expect it to do.

Comment 5 pushpesh sharma 2012-04-05 06:56:32 UTC
As per the comment#3 "after revoking the local permissions zone user, application owner roles user was unable to view zone and applications perspective."

I have a similar observation after revoking rights. Marking this bug as Verified.

