Bug 807444 - provider account access to environments/clouds is not enforced during push
Status: CLOSED CURRENTRELEASE
Product: CloudForms Cloud Engine
Classification: Red Hat
Component: aeolus-conductor
1.0.0
Unspecified Unspecified
medium Severity medium
: 1.0.2
Assigned To: Scott Seago
wes hayutin
: Triaged
Reported: 2012-03-27 15:43 EDT by Dave Johnson
Modified: 2012-12-13 14:48 EST
Doc Type: Bug Fix
Last Closed: 2012-12-13 14:48:32 EST

Description Dave Johnson 2012-03-27 15:43:14 EDT
Description of problem:
===========================================
Had a system with multiple ec2 accounts configured, created a cloud/zone, and associated a single ec2 account.  Added an image template, which showed the single ec2 account that was originally associated; however, after clicking the 'Build' link for that image, the rest of the configured ec2 accounts showed up and allowed pushes, seemingly ignoring the fact that only a single ec2 account was associated with the cloud.


Version-Release number of selected component (if applicable):
==============================================================
aeolus-conductor-0.8.3-1.el6.noarch
Comment 1 Dave Johnson 2012-03-27 15:55:49 EDT
This can also be seen on the deployables page.
Comment 2 wes hayutin 2012-03-27 16:07:08 EDT
Recreate:

1. create ec2 provider account called ec2_A
2. create ec2 provider account called ec2_B
3. create environmentA
4. give environ
Comment 3 wes hayutin 2012-03-27 16:08:59 EDT
Recreate:

1. create ec2 provider account called ec2_A
2. create ec2 provider account called ec2_B
3. create environmentA
4. give environmentA/CloudA access to provider account ec2_A
5. build a template in cloudA
6. push a template in cloudA

Notice that during the push process all ec2 provider accounts are available to the component outline/image.
Comment 4 Scott Seago 2012-03-28 12:09:45 EDT
This definitely looks like a regression, as it was working as expected with the initial roll-out of environment-scoping of images.

It's slightly confusing to refer to "access" since that implies permissions -- the issue here has to do with the linking of clouds and provider accounts and, apparently, build/push isn't properly restricting building and pushing to only those accounts that are linked with the environment.
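
The restriction described in Comment 4, sketched as an added example (this is not aeolus-conductor code and was not posted by anyone on this bug): the list of push targets is filtered to the accounts linked with the environment, and the same check is repeated when the push request is handled. All class, method and constant names are hypothetical, and the sample data is constructed from the reproduction steps.

```ruby
require 'set'

# Hypothetical, simplified stand-ins; not aeolus-conductor's models.
ProviderAccount = Struct.new(:id, :label)
Environment     = Struct.new(:name, :linked_account_ids)
ProviderImage   = Struct.new(:image_uuid, :account_id)

class UnlinkedAccountError < StandardError; end

class PushScope
  def initialize(environment, all_accounts)
    @linked   = environment.linked_account_ids.to_set
    @env_name = environment.name
    @accounts = all_accounts
  end

  # What the build/push page may list: only accounts linked to the environment.
  def pushable_accounts
    @accounts.select { |a| @linked.include?(a.id) }
  end

  # Repeated when the push request is handled, so a request that names an
  # unlinked account is refused even if the page never offered it.
  def authorize_push!(account_id)
    account = pushable_accounts.find { |a| a.id == account_id }
    raise UnlinkedAccountError, "account #{account_id} is not linked to #{@env_name}" unless account
    account
  end

  # Image detail view: hide provider images whose account was unlinked later.
  def visible_provider_images(provider_images)
    provider_images.select { |pi| @linked.include?(pi.account_id) }
  end
end

# Constructed sample data following the reproduction steps in the comments.
EC2_A = ProviderAccount.new(1, 'ec2_A')
EC2_B = ProviderAccount.new(2, 'ec2_B')
ENV_A = Environment.new('environmentA', [EC2_A.id])
SCOPE = PushScope.new(ENV_A, [EC2_A, EC2_B])

# Returns the account label on success, :rejected when the account is not linked.
def try_push(scope, account_id)
  scope.authorize_push!(account_id).label
rescue UnlinkedAccountError
  :rejected
end

puts SCOPE.pushable_accounts.map(&:label).inspect
puts try_push(SCOPE, EC2_B.id).inspect
```

The `visible_provider_images` filter corresponds to the detail-page case in Comment 5, where an account is removed from the cloud after a build.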
Comment 5 Rehana 2012-05-08 10:02:32 EDT
Recreate:

1. Create a new cloud with two provider accounts, i.e. vsphere, rhevm
2. build image to both the accounts using 'build all'
3. now remove the rhevm account from cloud
4. pushed image to vsphere
5. view the image detail page

Observed that the rhevm provider detail without account was present; after some time the account details also came up with Image UUID and image URI.

on:
rpm -qa | grep aeolus
aeolus-conductor-0.8.13-1.el6_2.noarch
aeolus-configure-2.5.3-1.el6.noarch
rubygem-aeolus-image-0.3.0-12.el6.noarch
rubygem-aeolus-cli-0.3.1-1.el6.noarch
aeolus-all-0.8.13-1.el6_2.noarch
aeolus-conductor-doc-0.8.13-1.el6_2.noarch
aeolus-conductor-daemons-0.8.13-1.el6_2.noarch
Comment 6 Mike Orazi 2012-07-26 11:53:45 EDT
We should also check the cli and open a corresponding bug.  If the same thing happens via cli please clone this for the cli.
Comment 7 Scott Seago 2012-08-31 15:25:09 EDT
Ok, here's another one I can't replicate now -- it looks like the bug has been fixed more recently.
Comment 8 pushpesh sharma 2012-09-21 07:25:56 EDT
1. create ec2 provider account called ec2_A
2. create ec2 provider account called ec2_B
3. create environmentA
4. give environmentA/CloudA access to provider account ec2_A
5. build a template in cloudA
6. push a template in cloudA

Notice that during the push process only the ec2_A account is available to the component outline/image. No other accounts are added (there were 2 more).

Verified on :-

[root@dhcp201-113 ~]# rpm -qa|grep aeolus
rubygem-aeolus-image-0.3.0-12.el6.noarch
aeolus-all-0.13.8-1.el6cf.noarch
aeolus-conductor-0.13.8-1.el6cf.noarch
rubygem-aeolus-cli-0.7.1-1.el6cf.noarch
aeolus-configure-2.8.6-1.el6cf.noarch
aeolus-conductor-daemons-0.13.8-1.el6cf.noarch
aeolus-conductor-doc-0.13.8-1.el6cf.noarch
[root@dhcp201-113 ~]#
