Bug 819944 - "global provider user" is unable to view the provider accounts
Status: CLOSED ERRATA
Product: CloudForms Cloud Engine
Classification: Red Hat
Component: aeolus-conductor
Version: 1.0.0
Hardware: Unspecified OS: Unspecified
Priority: unspecified Severity: high
Target Milestone: 1.0.1
Target Release: ---
Assigned To: Scott Seago
Dave Johnson
Keywords: Triaged, ZStream
Depends On: 808031
Reported: 2012-05-08 12:44 EDT by Dave Johnson
Modified: 2012-07-10 03:22 EDT
Doc Type: Bug Fix
Doc Text:
The “Cloud Resource Provider” page requires edit permissions, which denies users with access to view the page. This update provides these users with a read-only version of the page.
Clone Of: 808031
Last Closed: 2012-07-10 03:22:41 EDT


Attachments:
providers (225.50 KB, image/png), 2012-06-06 08:03 EDT, Aziza Karol

Description Dave Johnson 2012-05-08 12:44:46 EDT
Doing a quick fix (Scott's option #2 below) in 1.0.z, cloning this to get a proper view page



+++ This bug was initially created as a clone of Bug #808031 +++

Created attachment 573648 [details]
rails log

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create new user with "global provider user" role (along with the default roles)
2. Click on "cloud resource provider"

  
Actual results:
It displayed 'You have insufficient privileges to perform the selected action' (PFA: ss1.png)

Expected results:
As per the doc, "global provider user" is allowed "View Provider" and "User Provider" (URL: https://www.aeolusproject.org/redmine/projects/aeolus/wiki/Roles_list)

Additional info:

rpm -qa | grep aeolus
aeolus-conductor-0.8.3-1.el6.noarch
aeolus-conductor-daemons-0.8.3-1.el6.noarch
rubygem-aeolus-image-0.3.0-12.el6.noarch
aeolus-configure-2.5.2-1.el6.noarch
aeolus-all-0.8.3-1.el6.noarch
rubygem-aeolus-cli-0.3.1-1.el6.noarch
aeolus-conductor-doc-0.8.3-1.el6.noarch


attached rails.log

--- Additional comment from redakkan@redhat.com on 2012-03-29 07:58:22 EDT ---

Created attachment 573649 [details]
ss1

--- Additional comment from sseago@redhat.com on 2012-03-29 10:15:13 EDT ---

Hmm. I noticed this a couple days ago, but it wasn't obvious initially how to resolve it. The problem is that when we designed the UI we decided that, for providers (and _only_ providers), the default view was to be the 'edit' page. As a result, you can only get to the provider details if you have permission to edit the provider.

Possible solutions:
1) fix the UI such that Providers has a proper view page that links to 'edit' as appropriate (like we do everywhere else)
2) keep the UI as-is, but change permissions to allow 'view only' users access to the 'edit' page (with plenty of comments to indicate that we know it's deliberate) but hide the 'save' button from these users

I prefer 1) longer-term, but 2) would be a quicker fix

--- Additional comment from redakkan@redhat.com on 2012-05-02 08:03:16 EDT ---

updating the scenario observed for 'object level permissions' also

1. create a user with "global image admin" role
2. given "provider user" role ('object level permissions'), observed that when tried to access the provider it displayed "You have insufficient privileges to perform the selected action"

Added this to cover the 'object level permissions' also

--- Additional comment from hbrock@redhat.com on 2012-05-08 12:42:01 EDT ---

We'll do fix #2 (comment 2) for z-stream, fix properly in 1.1.0
Comment 1 Tzu-Mainn Chen 2012-05-30 11:29:49 EDT
1.0.1 patch:

commit 1ed9b771eed5f3deab9602005558227a133d46ca
bug 808031: allow Global Provider user to view Provider Accounts
    
    https://bugzilla.redhat.com/show_bug.cgi?id=808031
    
    For provider accounts, the 'edit' action doubles as the 'show' page.
    This meant we were requiring modify privileges on the provider to even
    see the provider pages. This patch relaxes the checking to require
    only view permissions, and in the views we hide the edit/modify actions
    from users that don't have the higher privileges, and the form elements
    are made read-only.
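
The permission split described in the commit message above, as an added Ruby example that is not aeolus-conductor's code: the page that doubles as 'show' is gated on view, while the write path keeps its own modify check so that the hidden save button is not the only control. The class names, the privilege symbols and the role table (including `global provider admin`) are assumptions made for the example.

```ruby
# Added illustration; class, role and privilege names are assumptions,
# not aeolus-conductor's actual code.
class PermissionDenied < StandardError; end

# Constructed role table: privileges each role holds on providers.
ROLE_PRIVILEGES = {
  "global provider user"  => [:view, :use],
  "global provider admin" => [:view, :use, :modify],  # hypothetical role
  "global image admin"    => []                       # no provider privileges
}.freeze

User = Struct.new(:login, :roles) do
  def can?(privilege)
    roles.any? { |r| ROLE_PRIVILEGES.fetch(r, []).include?(privilege) }
  end
end

class ProviderAccountPage
  def initialize(accounts)
    @accounts = accounts # id => attribute hash
  end

  def require_privilege!(user, privilege)
    return if user.can?(privilege)
    raise PermissionDenied,
          "You have insufficient privileges to perform the selected action"
  end

  # 'edit' doubles as the show page, so it is gated on :view only.
  # The returned flags tell the view to render read-only fields and
  # to leave out the save button for users without :modify.
  def edit(user, id)
    require_privilege!(user, :view)
    writable = user.can?(:modify)
    { account: @accounts.fetch(id).dup, readonly: !writable, show_save: writable }
  end

  # The write path keeps its own :modify check: a view-only user who
  # submits the form by hand is still refused on the server side.
  def update(user, id, attrs)
    require_privilege!(user, :modify)
    @accounts.fetch(id).merge!(attrs)
  end
end
```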
Comment 3 Dan Macpherson 2012-06-05 22:30:05 EDT
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
The “Cloud Resource Provider” page requires edit permissions, which denies users with access to view the page. This update provides these users with a read-only version of the page.
Comment 4 Aziza Karol 2012-06-06 08:02:17 EDT
global provider user is able to view the providers. see attached screenshot.
The user has only view permissions and the edit/modify actions have been hidden
from users that don't have the higher privileges, and the form elements
are made read-only.

global image admin user is able to view providers when object level permissions are assigned.

verified on:
rpm -qa | grep aeolus
rubygem-aeolus-image-0.3.0-12.el6.noarch
aeolus-all-0.8.27-1.el6_3.noarch
aeolus-conductor-doc-0.8.27-1.el6_3.noarch
aeolus-conductor-daemons-0.8.27-1.el6_3.noarch
aeolus-conductor-0.8.27-1.el6_3.noarch
aeolus-configure-2.5.7-1.el6_3.noarch
rubygem-aeolus-cli-0.3.3-1.el6_3.noarch
Comment 5 Aziza Karol 2012-06-06 08:03:10 EDT
Created attachment 589857 [details]
providers
Comment 7 errata-xmlrpc 2012-07-10 03:22:41 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1063.html
