
Bug 815757

Summary: User without proper permissions can identify invalid resources in ResourceManager.getXX
Product: [JBoss] JBoss Operations Network
Reporter: Viet Nguyen <vnguyen>
Component: CLI
Assignee: RHQ Project Maintainer <rhq-maint>
Status: CLOSED WONTFIX
QA Contact: Mike Foley <mfoley>
Severity: medium
Priority: unspecified
Version: JON 3.1.0
CC: hrupp, jsanda, jshaughn
Target Milestone: ---
Target Release: JON 3.2.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clone Of: 802504
Last Closed: 2013-10-17 16:10:21 UTC
Attachments: test case (flags: none)

Description Viet Nguyen 2012-04-24 13:03:16 UTC
How reproducible:
always

Steps to Reproduce:
1. Create a user without any roles.
2. Log in.
3. Call ResourceManager.getResource(0)

Actual results:
ResourceNotFoundException: A Resource with id 0 does not exist in inventory

Expected results:
PermissionException

Additional info:

Comment 1 Viet Nguyen 2012-04-24 13:11:05 UTC
Created attachment 579849 [details]
test case

Comment 2 Mike Foley 2012-04-30 16:02:17 UTC
triaged 4/30/2012 by loleary, ccrouch, mfoley

Comment 3 Jay Shaughnessy 2013-10-14 21:16:25 UTC

Suggest this be closed, it's working as expected.  It is not a permission exception to try and view a resource.  Everyone has view privilege.  If you can't actually see it then it is basically a ResourceNotFound, whether it exists or not.

Comment 4 Heiko W. Rupp 2013-10-16 08:30:50 UTC
While I tend to close this, I can see Viet's point.
This is with a user that only has access rights to a group of 2 resources:

test@localhost:7080$ ResourceManager.getResource(0)
org.rhq.enterprise.server.resource.ResourceNotFoundException: [Warning] A Resource with id 0 does not exist in inventory.
ResourceManager.getResource(0)
^

test@localhost:7080$ ResourceManager.getResource(10001)
org.rhq.enterprise.server.authz.PermissionException: [Warning] User [Subject[id=10001,name=test]] does not have permission to view resource [10001]
ResourceManager.getResource(10001)
^

Here resource with id 0 does not exist, while the user can't access the one with 10001.
In scenarios like username/password, the rule is e.g. not to expose information on login failure if the username is valid or not, so that an attacker can't use that information to narrow the attack path.

In above example, we might internally catch the PermissionException and return a ResourceNotFound one. 

But then that will probably break existing scripts.

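The existence oracle Heiko describes, and the mitigation he proposes in comment 4 (catch the PermissionException internally and surface it as a ResourceNotFound), as an added illustrative model in Python. This is not RHQ/JON code: the inventory, subject ids and exception classes below are constructed stand-ins for the real ResourceManager.

```python
# Added example, not RHQ code: models the two-exception oracle from this bug and
# the unified-error fix from comment 4. Inventory and subjects are constructed.
from dataclasses import dataclass


class ResourceNotFoundException(Exception):
    pass


class PermissionException(Exception):
    pass


@dataclass(frozen=True)
class Subject:
    id: int
    name: str


# Constructed inventory: resource id -> set of subject ids allowed to view it.
INVENTORY = {10001: {20}, 10002: {20}, 10003: {30}}


def get_resource_leaky(subject, resource_id):
    """Current behaviour: a different error for 'absent' than for 'forbidden'."""
    if resource_id not in INVENTORY:
        raise ResourceNotFoundException(
            f"A Resource with id {resource_id} does not exist in inventory")
    if subject.id not in INVENTORY[resource_id]:
        raise PermissionException(
            f"User [{subject.name}] does not have permission to view resource [{resource_id}]")
    return resource_id


def get_resource_hardened(subject, resource_id):
    """Comment 4's proposal: map a permission failure onto ResourceNotFound."""
    try:
        return get_resource_leaky(subject, resource_id)
    except PermissionException:
        raise ResourceNotFoundException(
            f"A Resource with id {resource_id} does not exist in inventory") from None


def observe(getter, subject, resource_id):
    """What a caller learns from one call: the exception class name, or 'ok'."""
    try:
        getter(subject, resource_id)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


def oracle_distinguishes(getter, subject, absent_id, forbidden_id):
    """True when the caller can tell an absent id from one they merely cannot view."""
    return observe(getter, subject, absent_id) != observe(getter, subject, forbidden_id)
```

The flip side is the compatibility point raised in comments 4 and 5: any existing script that catches PermissionException specifically would no longer see it from the hardened path.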
Comment 5 Jay Shaughnessy 2013-10-17 16:10:21 UTC
I see the semantic difference as well.  Although given that this is not a customer issue and changing the behavior could be interpreted as an API breakage, I'm closing as Won't Fix.