Red Hat Bugzilla – Bug 839569
[RHVM-ENGINE] Engine should not return all host details for non-admin users
Last modified: 2016-02-10 14:16:17 EST
Description of problem:
Engine should not return all host details for non-admin users
only 'display ip details' with the ip/port should be returned in host object,
also VdcQueryType.GetVdsCertificateSubjectByVdsId query should be permitted
for non-admin users or alternatively BE should expose host_subject via
not sure if the correct approach is to keep GetVdsCertificateSubjectByVdsId as a user query, or wrap it with a user query of GetVdsCertificateSubjectByVmId
at the end, users should not be able to GET /hosts resources at all,
but VM resource should expose display_addr/port/host_subject for console
*** Bug 839227 has been marked as a duplicate of this bug. ***
Posted a patch for that:
Information on the contents of this patch (also answering Yaniv's question):
1. Block users from getting Host information via REST API (both host
resource, and relevant host data in the VM resource).
2. Add GetManagementInterfaceAddressByVmIdQuery, removing
GetManagementInterfaceAddressByVdsIdQuery (as it isn't used anywhere).
3. Add GetVdsCertificateSubjectByVmIdQuery which uses the existing
GetVdsCertificateSubjectByVdsIdQuery (as this query is also used in other scenarios).
4. Update VncConsoleModel and SpiceConsoleModel to work with the new
So, need to test that when using User level API:
1. The user can't access /api/hosts (error 403, forbidden)
2. The user can't access a specific host (/api/host/<some guid>).
3. When getting all VMs (/api/vms), or a specific one (/api/vms/<some guid>) the user doesn't see any host information.
4. When getting all VMs (/api/vms), or a specific one (/api/vms/<some guid>) the user neither sees any placement policy information, nor can change it! i.e., only administrators are allowed to change the placement policy.
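The four checks above can be scripted so the verification is repeatable after each build. The following is an added example, not code from the engine or from the patch under discussion. It assumes the VM representation is XML with child elements named `host`, `placement_policy` and `display` (with `address` and `port` inside `display`), that a user-level GET on the host resources answers 403, and that a user-level PUT of a placement policy is also refused with 403; those element names and the exact refusal code for the PUT are assumptions to adjust against the real API. The page does not say where `host_subject` is exposed, so it is not checked here. A constructed fake client with canned responses stands in for the engine so the script runs offline; point `run_user_api_checks` at a real session object with the same `get`/`put` shape to run it against an engine.

```python
import xml.etree.ElementTree as ET

# Assumed element names in the VM representation; adjust to the real schema.
FORBIDDEN_VM_CHILDREN = ("host", "placement_policy")  # must be absent for non-admin users
REQUIRED_DISPLAY_CHILDREN = ("address", "port")        # console endpoint must remain visible


def check_hosts_forbidden(status_code):
    """GET /api/hosts and GET /api/hosts/<id> must be refused with 403 for a user."""
    return status_code == 403


def check_vm_element(vm):
    """Return findings for one <vm> element as seen by a non-admin user."""
    findings = []
    vm_id = vm.get("id", "?")
    for tag in FORBIDDEN_VM_CHILDREN:
        if vm.find(tag) is not None:
            findings.append(f"vm {vm_id}: <{tag}> exposed to non-admin user")
    display = vm.find("display")
    if display is None:
        findings.append(f"vm {vm_id}: <display> missing, console cannot be opened")
        return findings
    for tag in REQUIRED_DISPLAY_CHILDREN:
        node = display.find(tag)
        if node is None or not (node.text or "").strip():
            findings.append(f"vm {vm_id}: <display>/<{tag}> missing or empty")
    return findings


def check_vms_document(xml_text):
    """Check either a <vms> collection or a single <vm> document."""
    root = ET.fromstring(xml_text)
    vms = [root] if root.tag == "vm" else root.findall("vm")
    findings = []
    for vm in vms:
        findings.extend(check_vm_element(vm))
    return findings


def run_user_api_checks(client):
    """Run the test plan against a client whose get(path) / put(path, body)
    return (status_code, body). An empty result means all checks passed."""
    findings = []
    for path in ("/api/hosts", f"/api/hosts/{client.known_host_id}"):
        status, _ = client.get(path)
        if not check_hosts_forbidden(status):
            findings.append(f"GET {path} returned {status}, expected 403")
    for path in ("/api/vms", f"/api/vms/{client.known_vm_id}"):
        status, body = client.get(path)
        if status != 200:
            findings.append(f"GET {path} returned {status}, expected 200")
        else:
            findings.extend(check_vms_document(body))
    # Assumption: a user-level placement policy update is refused with 403.
    policy = "<vm><placement_policy><affinity>pinned</affinity></placement_policy></vm>"
    status, _ = client.put(f"/api/vms/{client.known_vm_id}", policy)
    if status != 403:
        findings.append(f"PUT placement_policy returned {status}, expected 403")
    return findings


class FakeClient:
    """Constructed stand-in for an HTTP session: maps paths to canned responses."""
    known_host_id = "11111111-1111-1111-1111-111111111111"  # constructed GUID
    known_vm_id = "22222222-2222-2222-2222-222222222222"    # constructed GUID

    def __init__(self, get_responses, put_status):
        self.get_responses = get_responses
        self.put_status = put_status

    def get(self, path):
        return self.get_responses.get(path, (404, ""))

    def put(self, path, body):
        return (self.put_status, "")


# Constructed VM representations: one leaking host data, one as expected after the fix.
LEAKY_VM = f"""<vm id="{FakeClient.known_vm_id}"><name>web01</name>
  <host id="{FakeClient.known_host_id}"/>
  <placement_policy><affinity>migratable</affinity></placement_policy>
  <display><type>spice</type><address>10.0.0.5</address><port>5900</port></display>
</vm>"""
FIXED_VM = f"""<vm id="{FakeClient.known_vm_id}"><name>web01</name>
  <display><type>spice</type><address>10.0.0.5</address><port>5900</port></display>
</vm>"""


def leaky_client():
    """Behaviour before the fix: hosts readable, host data and policy in VM, PUT allowed."""
    return FakeClient({
        "/api/hosts": (200, "<hosts/>"),
        f"/api/hosts/{FakeClient.known_host_id}": (200, "<host/>"),
        "/api/vms": (200, f"<vms>{LEAKY_VM}</vms>"),
        f"/api/vms/{FakeClient.known_vm_id}": (200, LEAKY_VM),
    }, put_status=200)


def fixed_client():
    """Expected behaviour after the fix."""
    return FakeClient({
        "/api/hosts": (403, ""),
        f"/api/hosts/{FakeClient.known_host_id}": (403, ""),
        "/api/vms": (200, f"<vms>{FIXED_VM}</vms>"),
        f"/api/vms/{FakeClient.known_vm_id}": (200, FIXED_VM),
    }, put_status=403)


if __name__ == "__main__":
    for name, client in (("before fix", leaky_client()), ("after fix", fixed_client())):
        result = run_user_api_checks(client)
        print(name, "PASS" if not result else "FAIL")
        for line in result:
            print("  -", line)
```

The fixed client yields no findings; the leaky one reports seven (two host GETs not refused, `host` and `placement_policy` leaked in both the collection and the single-VM document, and the PUT not refused), which is the list a tester would attach to the bug if any of them reappears.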