Red Hat Bugzilla – Bug 819389
Roles and permissions : User is able to stop the application for which the "Application Owner" Role is revoked.
Last modified: 2012-05-07 11:10:13 EDT
Created attachment 582532 [details]
Description of problem:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Created a user "shveta" with the role image administrator.
2. Launched a few instances as shveta:
One of them was
3. As shveta, I revoked the "Application Owner" role on this instance, as shown in screenshot revoke_role.
4. Then, in Filter view, I couldn't see this application under Applications.
But I am able to see the instance listed under the Instance tab.
Also, I (user shveta) was able to stop that instance.
Expected results: user should not be able to do any action on that application once the role is revoked.
rpm -qa|grep aeolus
Created attachment 582533 [details]
Instance is listed under Instance tab even after revoking the role
Shveta, I don't believe this is a bug since your user is a global image administrator. When you launch a new instance, object level roles are added but since you have the global role, you can still do anything you want to that instance.
#4 does sound slightly concerning however, was hoping you could do some more testing on this and either reopen or close this one and open a more specific report.
Yeah this came up in another bug report somewhere too. The issue is we don't currently expose the permissions UI in the instance details. When you launch something you now own the deployment _and_ the component instances. When someone that didn't launch an instance is granted access to the deployment, revoking works as expected since the user doesn't have any per-instance permissions. When you're trying to revoke permissions from the user who launched, you hit this issue since the user also owns the individual instances.
The solution should be to enable the permissions UI on the instance details page.
<sseago> shveta, yeah the issue is we don't expose the permissions UI on the instance details right now
<sseago> shveta, it's a simple thing to enable though (obviously not in 1.0...)
<shveta> sseago, so after revoking the role it's not listed under apps but under instances
<shveta> sseago, is that fine?
<sseago> well you revoked the user's access to the deployable, but the user is still an owner of the individual instances
<sseago> so that's what I would expect to see
<sseago> the problem is we don't have a way to explicitly revoke instance permissions in the UI (yet)
<sseago> well you could call the inability to revoke instance owner access a bug
<sseago> but yeah the solution is to add that UI element
Closing based on above comments.
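
The behaviour described in the comments above, as an added example (not Aeolus code and not part of the original report): a simplified permission model in which launching grants ownership of both the deployment and its instances, with a helper that lists every grant still giving a user access. The class, the ids `app-1`/`inst-1`, the user `guest` and the rule that any matching grant allows the action are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class PermissionModel:
    """Simplified model (assumption): any grant on the instance, its parent
    deployment, or the global scope lets the user act on the instance."""
    grants: set = field(default_factory=set)    # {(user, role, scope)}
    parent: dict = field(default_factory=dict)  # instance id -> deployment id

    def grant(self, user, role, scope):
        self.grants.add((user, role, scope))

    def revoke(self, user, role, scope):
        self.grants.discard((user, role, scope))

    def launch(self, user, deployment, instances):
        # Launching makes the user owner of the deployment AND of each instance.
        self.grant(user, "owner", deployment)
        for inst in instances:
            self.parent[inst] = deployment
            self.grant(user, "owner", inst)

    def why_allowed(self, user, instance):
        """Every remaining grant that still lets `user` act on `instance`."""
        scopes = {"global", instance, self.parent.get(instance)}
        return sorted(g for g in self.grants if g[0] == user and g[2] in scopes)

def scenario():
    m = PermissionModel()
    # Constructed sample data; ids and the second user are hypothetical.
    m.grant("shveta", "image administrator", "global")
    m.launch("shveta", "app-1", ["inst-1"])
    m.grant("guest", "owner", "app-1")           # access granted, not launched

    m.revoke("guest", "owner", "app-1")
    m.revoke("shveta", "owner", "app-1")         # the revoke from the report
    after_app_revoke = m.why_allowed("shveta", "inst-1")

    m.revoke("shveta", "owner", "inst-1")        # what an instance-level UI would allow
    after_inst_revoke = m.why_allowed("shveta", "inst-1")
    return m.why_allowed("guest", "inst-1"), after_app_revoke, after_inst_revoke

if __name__ == "__main__":
    for label, grants in zip(("guest", "shveta after app revoke",
                              "shveta after instance revoke"), scenario()):
        print(f"{label}: {grants}")
```

Listing the surviving grants, rather than returning only allow or deny, is what makes the leftover instance-level ownership and the global role visible when a revoke appears to have no effect.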