Bug 832505 - Removing a user from the super-users role does not revoke the permissions granted by that role
Status: CLOSED CURRENTRELEASE
Product: Pulp
Classification: Community
Component: user-experience
Master
Unspecified Unspecified
high Severity high
: 2.5.0
Assigned To: Chris Duryee
Preethi Thomas
: Triaged
Reported: 2012-06-15 10:57 EDT by Jason Connor
Modified: 2014-11-24 16:33 EST

Doc Type: Bug Fix
Last Closed: 2014-11-24 16:33:50 EST
Type: Bug
Description Jason Connor 2012-06-15 10:57:58 EDT
How reproducible:
Always

Steps to Reproduce:
1. Create a new user
2. Add new user to super-users role
3. Remove admin from super-users role
4. Notice that admin still has all permissions for '/'
  
Actual results:
admin retains permissions granted by super-users role

Expected results:
permissions granted by super-users role revoked
Comment 1 Randy Barlow 2014-01-02 17:00:37 EST
Does anybody know if this is still an issue in 2.3.1?
Comment 3 Chris Duryee 2014-10-28 10:03:18 EDT
This appears to work on 2.5.0-0.11.beta. I suspect it works on 2.4 as well.

How I tested:

* pulp-admin login -u admin
* pulp-admin auth user create --login foo --password foo (create a user with no permissions)
* pulp-admin auth role user add --role-id super-users --login foo (grant permissions)
* pulp-admin auth permission list --resource / (verify that 'admin' and 'foo' both have full permissions on /)
* pulp-admin auth role user remove --role-id super-users --login admin (remove admin from superuser role)
* pulp-admin auth permission list --resource / (error! this is correct since we just removed admin user's perms)
* pulp-admin login -u foo (login as 'foo')
* pulp-admin auth permission list --resource / (verify that only 'foo' has permissions on / resource)

Moving to ON_QA.
Comment 4 Preethi Thomas 2014-11-04 13:42:30 EST
verified

[root@cloud-qe-19 ~]# rpm -qa pulp-server
pulp-server-2.5.0-0.16.rc.el7.noarch
[root@cloud-qe-19 ~]# 


[root@cloud-qe-19 ~]# pulp-admin login -u admin
Enter password: 
Successfully logged in. Session certificate will expire at Nov 11 18:32:35 2014
GMT.

[root@cloud-qe-19 ~]# pulp-admin auth user create --login foo --password foo
User [foo] successfully created

[root@cloud-qe-19 ~]#  pulp-admin auth permission list --resource /
+----------------------------------------------------------------------+
                           Permissions for /
+----------------------------------------------------------------------+

Admin:  CREATE, READ, UPDATE, DELETE, EXECUTE


[root@cloud-qe-19 ~]# pulp-admin auth role user add --role-id super-users --login foo 
User [foo] successfully added to role [super-users]

[root@cloud-qe-19 ~]#  pulp-admin auth permission list --resource /
+----------------------------------------------------------------------+
                           Permissions for /
+----------------------------------------------------------------------+

Admin:  CREATE, READ, UPDATE, DELETE, EXECUTE
Foo:    CREATE, READ, UPDATE, DELETE, EXECUTE


[root@cloud-qe-19 ~]# pulp-admin auth role user remove --role-id super-users --login admin
User [admin] successfully removed from role [super-users]

[root@cloud-qe-19 ~]# 
[root@cloud-qe-19 ~]# 
[root@cloud-qe-19 ~]#  pulp-admin auth permission list --resource /
+----------------------------------------------------------------------+
                           Permissions for /
+----------------------------------------------------------------------+

The specified user does not have permission to execute the given command

[root@cloud-qe-19 ~]#  pulp-admin login -u foo
Enter password: 
Successfully logged in. Session certificate will expire at Nov 11 18:35:07 2014
GMT.

[root@cloud-qe-19 ~]#  pulp-admin auth permission list --resource /
+----------------------------------------------------------------------+
                           Permissions for /
+----------------------------------------------------------------------+

Foo:  CREATE, READ, UPDATE, DELETE, EXECUTE


[root@cloud-qe-19 ~]#
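
The verification above can be turned into a repeatable check. The following is an added example, not part of the bug thread or of Pulp's code: it parses the `pulp-admin auth permission list` listings captured in comment 4 and reports whether a login removed from a role still holds operations on the resource. The function names, the lower-casing of logins, and the `AFTER_BUGGY` listing (constructed from step 4 of the original report) are assumptions made for the example.

```python
import re

# Listing copied from comment 4 on this page, taken before the role removal.
BEFORE = """\
+----------------------------------------------------------------------+
                           Permissions for /
+----------------------------------------------------------------------+

Admin:  CREATE, READ, UPDATE, DELETE, EXECUTE
Foo:    CREATE, READ, UPDATE, DELETE, EXECUTE
"""
# Copied from comment 4: listing taken as foo after admin was removed.
AFTER_FIXED = "Foo:  CREATE, READ, UPDATE, DELETE, EXECUTE\n"
# Constructed: what step 4 of the original report describes (admin still listed).
AFTER_BUGGY = BEFORE
# Refusal message as it appears in comment 4.
DENIED = "The specified user does not have permission to execute the given command"

ENTRY = re.compile(r"^(?P<who>[^:\s][^:]*):\s+(?P<ops>[A-Z]+(?:,\s*[A-Z]+)*)\s*$")


def parse_permissions(listing):
    """Map each listed user (lower-cased) to the set of operations shown."""
    if DENIED in listing:
        # A refused listing is not evidence about anyone's grants.
        raise PermissionError("listing was refused; re-run as a user who can read it")
    grants = {}
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if m:
            ops = {op.strip() for op in m.group("ops").split(",")}
            grants[m.group("who").strip().lower()] = ops
    return grants


def check_revocation(before, after, removed_login):
    """Compare listings taken before and after a `role user remove`."""
    login = removed_login.lower()  # assumption: the CLI only title-cases logins
    held = parse_permissions(before).get(login, set())
    still = parse_permissions(after).get(login, set())
    return {"held_before": held, "still_held": still,
            "revoked": bool(held) and not still}


if __name__ == "__main__":
    for name, after in (("fixed", AFTER_FIXED), ("buggy", AFTER_BUGGY)):
        print(name, check_revocation(BEFORE, after, "admin"))
```

The "after" listing has to come from a session that can still read permissions on the resource (here `foo`), since the removed user's own attempt is refused.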
