Bug 808031 - "global provider user" is unable to view the provider accounts
Product: CloudForms Cloud Engine
Classification: Red Hat
Component: aeolus-conductor
Severity: high
Assigned To: Scott Seago
wes hayutin
: Triaged, ZStream
Depends On:
Blocks: 819944
Reported: 2012-03-29 07:57 EDT by Rehana
Modified: 2012-12-04 10:01 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The “Cloud Resource Provider” page requires edit permissions, which denies access to users who are only permitted to view the page. This update provides these users with a read-only version of the page.
Last Closed: 2012-12-04 10:01:56 EST

Attachments
rails log (8.30 KB, application/octet-stream)
2012-03-29 07:57 EDT, Rehana
ss1 (179.21 KB, image/png)
2012-03-29 07:58 EDT, Rehana

Description Rehana 2012-03-29 07:57:45 EDT
Created attachment 573648
rails log

Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create new user with "global provider user" role (along with the default roles)
2. Click on "cloud resource provider"

Actual results:
It displayed 'You have insufficient privileges to perform the selected action' (PFA: ss1.png)

Expected results:
As per the doc, "global provider user" is allowed "View Provider" and "User Provider" (URL: https://www.aeolusproject.org/redmine/projects/aeolus/wiki/Roles_list)

Additional info:

rpm -qa | grep aeolus

attached rails.log
Comment 1 Rehana 2012-03-29 07:58:22 EDT
Created attachment 573649
Comment 2 Scott Seago 2012-03-29 10:15:13 EDT
Hmm. I noticed this a couple days ago, but it wasn't obvious initially how to resolve it. The problem is that when we designed the UI we decided that, for providers (and _only_ providers), the default view was to be the 'edit' page. As a result, you can only get to the provider details if you have permission to edit the provider.

Possible solutions:
1) fix the UI such that Providers has a proper view page that links to 'edit' as appropriate (like we do everywhere else)
2) keep the UI as-is, but change permissions to allow 'view only' users access to the 'edit' page (with plenty of comments to indicate that we know it's deliberate) but hide the 'save' button from these users

I prefer 1) longer-term, but 2) would be a quicker fix
Comment 3 Rehana 2012-05-02 08:03:16 EDT
Updating with the scenario observed for 'object level permissions' as well:

1. Create a user with "global image admin" role
2. Given the "provider user" role ('object level permissions'), observed that an attempt to access the provider displayed 'You have insufficient privileges to perform the selected action'

Added this to cover the 'object level permissions' also
Comment 4 Hugh Brock 2012-05-08 12:42:01 EDT
We'll do fix #2 (comment 2) for z-stream, fix properly in 1.1.0
Comment 5 Scott Seago 2012-05-25 13:37:49 EDT
Patch posted at:


    For provider accounts, the 'edit' action doubles as the 'show' page.
    This meant we were requiring modify privileges on the provider to even
    see the provider pages. This patch relaxes the checking to require
    only view permissions, and in the views we hide the edit/modify actions
    from users that don't have the higher privileges, and the form elements
    are made read-only.
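
The access-control pattern this comment describes, as an added example that is not part of the original comment or the aeolus-conductor patch; the class, method and privilege names are hypothetical. It assumes the state-changing `update` action keeps the modify check, since hiding the save control in the view does not by itself stop a hand-built request.

```ruby
# Added illustration. All names here are hypothetical and are not taken
# from the aeolus-conductor code base.
class AccessDenied < StandardError; end

User = Struct.new(:name, :privileges) do
  def can?(privilege)
    privileges.include?(privilege)
  end
end

class ProviderPage
  def initialize(provider)
    @provider = provider # plain Hash standing in for a provider record
  end

  # 'edit' doubles as the 'show' page, so it only requires :view.
  # Returns what the view should render for this particular user.
  def edit(user)
    require_privilege!(user, :view)
    can_modify = user.can?(:modify)
    {
      fields: @provider.dup,
      read_only: !can_modify, # form elements rendered read-only
      show_save: can_modify   # save/modify controls hidden otherwise
    }
  end

  # The state-changing action keeps the stricter check (assumption of this
  # example). The view flags above are presentation only.
  def update(user, attrs)
    require_privilege!(user, :modify)
    @provider.merge!(attrs)
  end

  private

  def require_privilege!(user, privilege)
    return if user.can?(privilege)
    raise AccessDenied, "#{user.name} lacks #{privilege} on provider"
  end
end
```
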
Comment 6 Scott Seago 2012-05-30 00:46:05 EDT
Pushed to master with: c8e2f50fcc10c4183d798fa1625d525a8c4b89d2
Comment 8 pushpesh sharma 2012-09-21 07:54:21 EDT
1. A user with "Global Provider User" role is able to view provider page but not able to see various provider accounts. (New/edit both are hidden.) (Expectation matched.)
2. A user with object level (say here object is ec2-us-east) "Provider User" role is able to view only that provider. Again this user is not able to see various provider accounts. (New/edit both are hidden.) (Expectation matched.)

Verified On:-

[root@dhcp201-113 ~]# rpm -qa|grep aeolus
Comment 10 errata-xmlrpc 2012-12-04 10:01:56 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

