Red Hat Bugzilla – Bug 809088
Global Provider User not able to use any provider
Last modified: 2012-08-29 10:56:39 EDT
Created attachment 574499 [details]
Description of problem:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Created a user shveta and assigned role : Global Provider User as shown in screenshot one (Roles)
2. Logged in as shveta , Cloud resource Provider -- "Insufficient Privileges to perform this action" Is displayed , screenshot 2 (Cloud_resource_provider)
3. As mentioned here https://www.aeolusproject.org/redmine/projects/aeolus/wiki/Roles_list
Global Provider User
Can view any provider
Can perform certain actions using any provider (currently map any provider or its back-end realms to a front-end Realm)
It is not working as mentioned.
rpm -qa|grep aeolus
What did you try to do with this user? I think right now the only place that the 'use' permission on providers is checked is for adding Realm/cluster mappings. If you can do that, this role is working properly. There is currently an issue (already in BZ) that provider user can't access the provider details page. The reason is that, for now, the provider details page is the edit page, which currently requires Modify permissions.
Also, I noticed that when you added the 'provider user' -- you did it by removing the 'Global Profile User' permissions. Note that the roles doc already cautions that if you remove 'Global Profile User' your user will no longer be able to launch Applications, since access to the profiles is required.
Created attachment 574729 [details]
ok .. i tried using providers in clusters but as shown in attached screenshot , i can't create new cluster with this role neither can i edit an existing cluster
Created attachment 574730 [details]
Global Provider User doesn't grant access to create realm -- it just includes the proper permissions on the providers. Create/edit cluster permissions are currently only included in "Global Realm Administrator" or the overall Administrator role.
The issue here is you need permissions on both ends of the association -- permission to edit realms, and permission to access providers. We haven't included global provider access in the Realm Admin role since it's possible that there may be users who need to create realms but don't have permission to access all providers. Since there's a valid use case for separating the permissions, we've made them separate roles. Some 'Realm Admins' may also have global provider user, but others may have only permission to map selected providers.
In the future we'll provide a "role management" UI that will allow administrators to add/remove privileges from the defined roles, which would allow these two to be combined in situations where it makes sense.
Scott are we saying this is an RFE? or future bug
Wes: Neither -- I'm saying that this is not a bug -- in order to map providers to realms you need the ability to Create/Modify realms _and_ the ability to use the provider you're mapping. The last comment about a future 'role management' UI is just pointing out that at some point in the future, an administrator could combine both roles in one, but for now they're separate since it's not clear that in all cases they should be combined (some customers may want to have a finer-grained control over what providers the Realm admins hace access to).
However, I would not construe this bug as "fixed by a role management UI" -- I think it's simply NOTABUG. Things are working as we designed them to work here. Whether (and when) we add a role management UI will be driven by the post-1.0 feature development process, and it really doesn't relate to the subject of this bug directly.
Closing per Scott