Bug 809088 - Global Provider User not able to use any provider
Global Provider User not able to use any provider
Status: CLOSED NOTABUG
Product: CloudForms Cloud Engine
Classification: Red Hat
Component: aeolus-conductor (Show other bugs)
1.0.0
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Angus Thomas
wes hayutin
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-04-02 09:10 EDT by Shveta
Modified: 2012-08-29 10:56 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-07 13:28:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Roles (215.68 KB, image/png)
2012-04-02 09:10 EDT, Shveta
no flags Details
cluster_1 (213.18 KB, image/png)
2012-04-03 00:22 EDT, Shveta
no flags Details
cluster (213.79 KB, image/png)
2012-04-03 00:23 EDT, Shveta
no flags Details

  None (edit)
Description Shveta 2012-04-02 09:10:33 EDT
Created attachment 574499 [details]
Roles

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Created a user shveta and assigned role : Global Provider User as shown in screenshot one (Roles)
2. Logged in as shveta , Cloud resource Provider -- "Insufficient Privileges to perform this action" Is displayed , screenshot 2 (Cloud_resource_provider)
3. As mentioned here https://www.aeolusproject.org/redmine/projects/aeolus/wiki/Roles_list 


Global Provider User

    View Provider
        Can view any provider
    Use Provider
        Can perform certain actions using any provider (currently map any provider or its back-end realms to a front-end Realm)


It is not working as mentioned.
  
Actual results:


Expected results:


Additional info:

rpm -qa|grep aeolus
aeolus-conductor-doc-0.8.7-1.el6.noarch
aeolus-conductor-0.8.7-1.el6.noarch
rubygem-aeolus-cli-0.3.1-1.el6.noarch
rubygem-aeolus-image-0.3.0-12.el6.noarch
aeolus-conductor-daemons-0.8.7-1.el6.noarch
aeolus-configure-2.5.2-1.el6.noarch
aeolus-all-0.8.7-1.el6.noarch
Comment 1 Scott Seago 2012-04-02 11:49:38 EDT
What did you try to do with this user? I think right now the only place that the 'use' permission on providers is checked is for adding Realm/cluster mappings. If you can do that, this role is working properly. There is currently an issue (already in BZ) that provider user can't access the provider details page. The reason is that, for now, the provider details page is the edit page, which currently requires Modify permissions.

Also, I noticed that when you added the 'provider user' -- you did it by removing the 'Global Profile User' permissions. Note that the roles doc already cautions that if you remove 'Global Profile User' your user will no longer be able to launch Applications, since access to the profiles is required.
Comment 2 Shveta 2012-04-03 00:22:36 EDT
Created attachment 574729 [details]
cluster_1

ok .. i tried using providers in clusters but as shown in attached screenshot , i can't create new cluster with this role neither can i edit an existing cluster
Comment 3 Shveta 2012-04-03 00:23:06 EDT
Created attachment 574730 [details]
cluster
Comment 4 Scott Seago 2012-04-03 10:22:55 EDT
Global Provider User doesn't grant access to create realm -- it just includes the proper permissions on the providers. Create/edit cluster permissions are currently only included in "Global Realm Administrator" or the overall Administrator role.

The issue here is you need permissions on both ends of the association -- permission to edit realms, and permission to access providers. We haven't included global provider access in the Realm Admin role since it's possible that there may be users who need to create realms but don't have permission to access all providers. Since there's a valid use case for separating the permissions, we've made them separate roles. Some 'Realm Admins' may also have global provider user, but others may have only permission to map selected providers.
Comment 5 Scott Seago 2012-04-03 10:24:00 EDT
In the future we'll provide a "role management" UI that will allow administrators to add/remove privileges from the defined roles, which would allow these two to be combined in situations where it makes sense.
Comment 6 wes hayutin 2012-04-17 17:11:55 EDT
Scott are we saying this is an RFE? or future bug
Comment 7 Scott Seago 2012-04-17 21:35:58 EDT
Wes: Neither -- I'm saying  that this is not a bug -- in order to map providers to realms you need the ability to Create/Modify realms _and_ the ability to use the provider you're mapping. The last comment about a future 'role management' UI is just pointing out that at some point in the future, an administrator could combine both roles in one, but for now they're separate since it's not clear that in all cases they should be combined (some customers may want to have a finer-grained control over what providers the Realm admins hace access to). 

However, I would not construe this bug as "fixed by a role management UI" -- I think it's simply NOTABUG. Things are working as we designed them to work here. Whether (and when) we add a role management UI will be driven by the post-1.0 feature development process, and it really doesn't relate to the subject of this bug directly.
Comment 8 Hugh Brock 2012-05-07 13:28:15 EDT
Closing per Scott

Note You need to log in before you can comment on or make changes to this bug.