How reproducible: Always

Steps to Reproduce:
1. Create a new user
2. Add new user to super-users role
3. Remove admin from super-users role
4. Notice that admin still has all permissions for '/'

Actual results: admin retains permissions granted by super-users role

Expected results: permissions granted by super-users role revoked

Does anybody know if this is still an issue in 2.3.1?

This appears to work on 2.5.0-0.11.beta. I suspect it works on 2.4 as well.

How I tested:

* pulp-admin login -u admin
* pulp-admin auth user create --login foo --password foo (create a user with no permissions)
* pulp-admin auth role user add --role-id super-users --login foo (grant permissions)
* pulp-admin auth permission list --resource / (verify that 'admin' and 'foo' both have full permissions on /)
* pulp-admin auth role user remove --role-id super-users --login admin (remove admin from superuser role)
* pulp-admin auth permission list --resource / (error! this is correct since we just removed admin user's perms)
* pulp-admin login -u foo (login as 'foo')
* pulp-admin auth permission list --resource / (verify that only 'foo' has permissions on / resource)

Moving to ON_QA.

verified

[root@cloud-qe-19 ~]# rpm -qa pulp-server
pulp-server-2.5.0-0.16.rc.el7.noarch
[root@cloud-qe-19 ~]#
[root@cloud-qe-19 ~]# pulp-admin login -u admin
Enter password:
Successfully logged in. Session certificate will expire at Nov 11 18:32:35 2014 GMT.
[root@cloud-qe-19 ~]# pulp-admin auth user create --login foo --password foo
User [foo] successfully created
[root@cloud-qe-19 ~]# pulp-admin auth permission list --resource /
+----------------------------------------------------------------------+
Permissions for /
+----------------------------------------------------------------------+
Admin: CREATE, READ, UPDATE, DELETE, EXECUTE
[root@cloud-qe-19 ~]# pulp-admin auth role user add --role-id super-users --login foo
User [foo] successfully added to role [super-users]
[root@cloud-qe-19 ~]# pulp-admin auth permission list --resource /
+----------------------------------------------------------------------+
Permissions for /
+----------------------------------------------------------------------+
Admin: CREATE, READ, UPDATE, DELETE, EXECUTE
Foo: CREATE, READ, UPDATE, DELETE, EXECUTE
[root@cloud-qe-19 ~]# pulp-admin auth role user remove --role-id super-users --login admin
User [admin] successfully removed from role [super-users]
[root@cloud-qe-19 ~]#
[root@cloud-qe-19 ~]#
[root@cloud-qe-19 ~]# pulp-admin auth permission list --resource /
+----------------------------------------------------------------------+
Permissions for /
+----------------------------------------------------------------------+
The specified user does not have permission to execute the given command
[root@cloud-qe-19 ~]# pulp-admin login -u foo
Enter password:
Successfully logged in. Session certificate will expire at Nov 11 18:35:07 2014 GMT.
[root@cloud-qe-19 ~]# pulp-admin auth permission list --resource /
+----------------------------------------------------------------------+
Permissions for /
+----------------------------------------------------------------------+
Foo: CREATE, READ, UPDATE, DELETE, EXECUTE
[root@cloud-qe-19 ~]#
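
The manual check in the thread, written as a repeatable regression test (an added example, not part of the bug report or Pulp's own code): it parses two saved `pulp-admin auth permission list --resource /` listings and reports any operations a user still holds after removal from a role. The sample listings are constructed from the output quoted above, the function names are hypothetical, and it assumes the user has no other role or direct grant on the resource.

```python
import re

# Constructed sample listings modelled on the `pulp-admin auth permission list
# --resource /` output quoted in the thread; not captured from a live server.
HEADER = "+" + "-" * 70 + "+\n  Permissions for /\n+" + "-" * 70 + "+\n\n"
ROWS = "CREATE, READ, UPDATE, DELETE, EXECUTE"
BEFORE = HEADER + f"Admin:  {ROWS}\nFoo:    {ROWS}\n"
AFTER_FIXED = HEADER + f"Foo:    {ROWS}\n"
AFTER_BUGGY = BEFORE  # what the original report describes: admin still listed
DENIED = HEADER + "The specified user does not have permission to execute the given command\n"

OPERATIONS = {"CREATE", "READ", "UPDATE", "DELETE", "EXECUTE"}
ROW = re.compile(r"^\s*(\S+):\s+(.+?)\s*$")


def parse_listing(text):
    """Map lower-cased login -> set of operations; raise if the caller was denied."""
    if "does not have permission" in text:
        raise PermissionError("listing was refused; rerun as a user that still has access")
    grants = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # header box, title and blank lines
        ops = {op.strip() for op in match.group(2).split(",")}
        if ops and ops <= OPERATIONS:
            # The thread's output shows "Admin" for login "admin": compare case-insensitively.
            grants[match.group(1).lower()] = ops
    return grants


def stale_grants(before, after, removed_login):
    """Operations removed_login held before the role removal and still holds after."""
    login = removed_login.lower()
    return parse_listing(before).get(login, set()) & parse_listing(after).get(login, set())


if __name__ == "__main__":
    for name, listing in (("fixed", AFTER_FIXED), ("buggy", AFTER_BUGGY)):
        print(name, sorted(stale_grants(BEFORE, listing, "admin")))
```

The "after" listing has to be captured as a user who still has access (foo in the thread), because the removed user's own request is refused once the revocation works.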