Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 819944

Summary: "global provider user" is unable to view the provider accounts
Product: [Retired] CloudForms Cloud Engine Reporter: Dave Johnson <dajohnso>
Component: aeolus-conductor Assignee: Scott Seago <sseago>
Status: CLOSED ERRATA QA Contact: Dave Johnson <dajohnso>
Severity: high Docs Contact:
Priority: unspecified    
Version: 1.0.0 CC: akarol, cpelland, dajohnso, deltacloud-maint, dmacpher, hbrock, redakkan, ssachdev, sseago, tzumainn
Target Milestone: 1.0.1 Keywords: Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
The “Cloud Resource Provider” page requires edit permissions, which denies users with access to view the page. This update provides these users with a read-only version of the page.
Story Points: ---
Clone Of: 808031 Environment:
Last Closed: 2012-07-10 07:22:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 808031    
Bug Blocks:    
Attachments:
Description Flags
providers none

Description Dave Johnson 2012-05-08 16:44:46 UTC
Doing a quick fix (Scott's option #2 below) in 1.0.z, cloning this to get a proper view page



+++ This bug was initially created as a clone of Bug #808031 +++

Created attachment 573648 [details]
rails log

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create new user with "global provider user" role (along with the default roles)
2. Click on "cloud resource provider"

  
Actual results:
It displayed 'You have insufficient privileges to perform the selected action' (PFA: ss1.png)

Expected results:
As per the doc, "global provider user" is allowed "View Provider" and "User Provider" (URL: https://www.aeolusproject.org/redmine/projects/aeolus/wiki/Roles_list)

Additional info:

rpm -qa | grep aeolus
aeolus-conductor-0.8.3-1.el6.noarch
aeolus-conductor-daemons-0.8.3-1.el6.noarch
rubygem-aeolus-image-0.3.0-12.el6.noarch
aeolus-configure-2.5.2-1.el6.noarch
aeolus-all-0.8.3-1.el6.noarch
rubygem-aeolus-cli-0.3.1-1.el6.noarch
aeolus-conductor-doc-0.8.3-1.el6.noarch


attached rails.log

--- Additional comment from redakkan on 2012-03-29 07:58:22 EDT ---

Created attachment 573649 [details]
ss1

--- Additional comment from sseago on 2012-03-29 10:15:13 EDT ---

Hmm. I noticed this a couple days ago, but it wasn't obvious initially how to resolve it. The problem is that when we designed the UI we decided that, for providers (and _only_ providers), the default view was to be the 'edit' page. As a result, you can only get to the provider details if you have permission to edit the provider.

Possible solutions:
1) fix the UI such that Providers has a proper view page that links to 'edit' as appropriate (like we do everywhere else)
2) keep the UI as-is, but change permissions to allow 'view only' users access to the 'edit' page (with plenty of comments to indicate that we know it's deliberate) but hide the 'save' button from these users

I prefer 1) longer-term, but 2) would be a quicker fix

--- Additional comment from redakkan on 2012-05-02 08:03:16 EDT ---

updating the scenario observed for 'object level permissions' also

1. create a user with "global image admin" role
2. Given "provider user" role ('object level permissions'), observed that when trying to access the provider it displayed "You have insufficient privileges to perform the selected action"

Added this to cover the 'object level permissions' also

--- Additional comment from hbrock on 2012-05-08 12:42:01 EDT ---

We'll do fix #2 (comment 2) for z-stream, fix properly in 1.1.0

Comment 1 Tzu-Mainn Chen 2012-05-30 15:29:49 UTC
1.0.1 patch:

commit 1ed9b771eed5f3deab9602005558227a133d46ca
bug 808031: allow Global Provider user to view Provider Accounts
    
    https://bugzilla.redhat.com/show_bug.cgi?id=808031
    
    For provider accounts, the 'edit' action doubles as the 'show' page.
    This meant we were requiring modify privileges on the provider to even
    see the provider pages. This patch relaxes the checking to require
    only view permissions, and in the views we hide the edit/modify actions
    from users that don't have the higher privileges, and the form elements
    are made read-only.
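
Added example (not Conductor's code and not part of the commit above): a minimal Ruby model of the pattern the commit message describes, where the 'edit' action that doubles as the show page needs only view permission while the write path still enforces modify on the server. The class, method and role names and the role table are hypothetical and constructed for illustration.

```ruby
# Added illustration; all names below are hypothetical, not Conductor's API.
class PermissionDenied < StandardError; end

# Constructed role table: privileges each role grants on a provider.
ROLE_PRIVILEGES = {
  "provider_user"  => [:view, :use],
  "provider_admin" => [:view, :use, :modify],
  "image_admin"    => []
}.freeze

User = Struct.new(:name, :role) do
  def can?(privilege)
    ROLE_PRIVILEGES.fetch(role, []).include?(privilege)
  end
end

class ProviderPage
  def initialize(provider)
    @provider = provider # plain Hash standing in for a provider record
  end

  # 'edit' doubles as the show page, so it only demands :view.
  # The returned flags tell the view layer what to expose to this user.
  def edit(user)
    require_privilege!(user, :view)
    writable = user.can?(:modify)
    { fields: @provider.dup, read_only: !writable, show_save: writable }
  end

  # The write path keeps the stricter check. Hiding the save button is
  # presentation only; a hand-built request still reaches this method.
  def update(user, attrs)
    require_privilege!(user, :modify)
    @provider.merge!(attrs)
  end

  private

  def require_privilege!(user, privilege)
    return if user.can?(privilege)
    raise PermissionDenied, "#{user.name} lacks #{privilege}"
  end
end

# Runs the block and returns :denied instead of raising, for easy checking.
def attempt
  yield
rescue PermissionDenied
  :denied
end
```

The check worth keeping in a regression test is the second one: a view-only user gets the read-only form, and a direct `update` from that same user is refused regardless of what the form rendered.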

Comment 3 Dan Macpherson 2012-06-06 02:30:05 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The “Cloud Resource Provider” page requires edit permissions, which denies users with access to view the page. This update provides these users with a read-only version of the page.

Comment 4 Aziza Karol 2012-06-06 12:02:17 UTC
global provider user is able to view the providers. See attached screenshot.
The user has only view permissions and the edit/modify actions have been hidden
from users that don't have the higher privileges, and the form elements
are made read-only.

global image admin user is able to view providers when object level permissions are assigned.

verified on:
rpm -qa | grep aeolus
rubygem-aeolus-image-0.3.0-12.el6.noarch
aeolus-all-0.8.27-1.el6_3.noarch
aeolus-conductor-doc-0.8.27-1.el6_3.noarch
aeolus-conductor-daemons-0.8.27-1.el6_3.noarch
aeolus-conductor-0.8.27-1.el6_3.noarch
aeolus-configure-2.5.7-1.el6_3.noarch
rubygem-aeolus-cli-0.3.3-1.el6_3.noarch

Comment 5 Aziza Karol 2012-06-06 12:03:10 UTC
Created attachment 589857 [details]
providers

Comment 7 errata-xmlrpc 2012-07-10 07:22:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1063.html