Bug 819389 - Roles and permissions : User is able to stop the application for which the "Application Owner" Role is revoked.
Product: CloudForms Cloud Engine
Classification: Red Hat
Component: aeolus-conductor
Severity: unspecified
Assigned To: Angus Thomas
Reported: 2012-05-07 02:06 EDT by Shveta
Modified: 2012-05-07 11:10 EDT (History)
Doc Type: Bug Fix
Last Closed: 2012-05-07 11:10:13 EDT
Type: Bug

Attachments
revoke_role (211.74 KB, image/png)
2012-05-07 02:06 EDT, Shveta
User_Instance_tab (206.33 KB, image/png)
2012-05-07 02:08 EDT, Shveta

Description Shveta 2012-05-07 02:06:40 EDT
Created attachment 582532 [details]

Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Created a user "shveta" with role image administrator.
2. Launched a few instances as shveta:
   One of them was
                a. rhel-x86-64-5-8-cf-rhs/rhel-x86-64-5-8-cf-tools
3. As shveta, I revoked the role of "Application Owner" of this instance as shown in screenshot revoke_role.

4. Then, in Filter view I couldn't see this application under Applications.
   But I am able to see the instance listed under the Instance tab.

Also I (user shveta) was able to stop that instance.

Actual results:

Expected results: user should not be able to do any action on that application once the role is revoked.

Additional info:

rpm -qa|grep aeolus
Comment 1 Shveta 2012-05-07 02:08:28 EDT
Created attachment 582533 [details]

Instance is listed under Instance tab even after revoking the role
Comment 2 Dave Johnson 2012-05-07 10:01:05 EDT
Shveta, I don't believe this is a bug since your user is a global image administrator. When you launch a new instance, object level roles are added but since you have the global role, you can still do anything you want to that instance.

#4 does sound slightly concerning however, was hoping you could do some more testing on this and either reopen or close this one and open a more specific report.
Comment 3 Scott Seago 2012-05-07 11:07:53 EDT
Yeah this came up in another bug report somewhere too. The issue is we don't currently expose the permissions UI in the instance details. When you launch something you now own the deployment _and_ the component instances. When someone that didn't launch an instance is granted access to the deployment, revoking works as expected since the user doesn't have any per-instance permissions. When you're trying to revoke permissions from the user who launched, you hit this issue since the user also owns the individual instances.

The solution should be to enable the permissions UI on the instance details page.
Comment 4 Shveta 2012-05-07 11:09:09 EDT
<sseago> shveta, yeah the issue is we don't expose the permissions UI on the instance details right now
<sseago> shveta, it's a simple thing to enable though (obviously not in 1.0...)
<shveta> sseago, so after revoking the role it's not listed under apps but under instances
<shveta> sseago, is that fine?
<sseago> well you revoked the user's access to the deployable, but the user is still an owner of the individual instances
<sseago> so that's what I would expect to see
<sseago> the problem is we don't have a way to explicitly revoke instance permissions in the UI (yet)
<sseago> well you could call the inability to revoke instance owner access a bug
<sseago> but yeah the solution is to add that UI element

Closing based on above comments..
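
The behaviour described in comments 2 and 3, as an added example that is not part of the original bug report and is not Aeolus Conductor code: a toy Ruby model in which launching grants an owner role on the deployment and on each instance, so revoking only the deployment role leaves residual instance access. The class, its method names and the "Instance Owner" role name are assumptions.

```ruby
require 'set'

# Toy permission model, constructed for illustration (not Aeolus Conductor code).
class PermissionStore
  GLOBAL = :global

  def initialize
    @grants = Set.new  # [user, role, scope] triples
    @parent = {}       # instance name => deployment name
  end

  def grant(user, role, scope = GLOBAL)
    @grants << [user, role, scope]
  end

  def revoke(user, role, scope)
    @grants.delete([user, role, scope])
  end

  # Launching makes the launcher owner of the deployment AND of each instance.
  def launch(user, deployment, instances)
    grant(user, 'Application Owner', deployment)
    instances.each do |inst|
      @parent[inst] = deployment
      grant(user, 'Instance Owner', inst) # role name is an assumption
    end
  end

  # Allowed via a global role, a grant on the object, or a grant on its parent.
  def can_act?(user, object)
    scopes = [GLOBAL, object, @parent[object]].compact
    @grants.any? { |u, _role, s| u == user && scopes.include?(s) }
  end

  # Per-instance grants that survive when the deployment-level role is revoked.
  def residual_grants(user, deployment)
    @grants.select { |u, _role, s| u == user && @parent[s] == deployment }.to_a
  end

  # Revoke the deployment role together with the instance grants beneath it.
  def revoke_cascading(user, role, deployment)
    revoke(user, role, deployment)
    residual_grants(user, deployment).each { |g| @grants.delete(g) }
  end
end
```

Running `residual_grants` after a plain `revoke` is the audit step: any rows it returns are access the revoking admin probably believed was gone. A global role still wins even after `revoke_cascading`, which matches comment 2.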
