Bug 839569 - [RHVM-ENGINE] Engine should not return all host details for non-admin users
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Assigned To: Oved Ourfali
QA Contact: Ondra Machacek
Whiteboard: infra
Duplicates: 839227
Reported: 2012-07-12 06:34 EDT by Michael Pasternak
Modified: 2016-02-10 14:16 EST
CC: 12 users
Fixed In Version: si12
Doc Type: Bug Fix
Type: Bug
oVirt Team: Infra
Attachments: None

Description Michael Pasternak 2012-07-12 06:34:09 EDT
Description of problem:

Engine should not return all host details for non-admin users

Expected results:

Only the 'display ip details' (IP/port) should be returned in the host object. Also, the
VdcQueryType.GetVdsCertificateSubjectByVdsId query should be permitted for non-admin
users, or alternatively the BE should expose host_subject via a host property.
Comment 1 Itamar Heim 2012-07-12 17:48:51 EDT
Not sure if the correct approach is to keep GetVdsCertificateSubjectByVdsId as a user query, or to wrap it with a user query GetVdsCertificateSubjectByVmId.
Comment 3 Michael Pasternak 2012-07-15 04:36:21 EDT
In the end, users should not be able to GET /hosts resources at all,
but the VM resource should expose display_addr/port/host_subject for the console.
Comment 4 Michael Pasternak 2012-07-15 09:44:52 EDT
*** Bug 839227 has been marked as a duplicate of this bug. ***
Comment 5 Oved Ourfali 2012-07-24 08:17:55 EDT
Posted a patch for that:
http://gerrit.ovirt.org/#/c/6542

Information on the contents of this patch (also answering Yaniv's question):
1. Block users from getting Host information via REST API (both host
resource, and relevant host data in the VM resource).
2. Add GetManagementInterfaceAddressByVmIdQuery, removing
GetManagementInterfaceAddressByVdsIdQuery (as it isn't used anywhere).
3. Add GetVdsCertificateSubjectByVmIdQuery which uses the existing
GetVdsCertificateSubjectByVdsIdQuery (as this query is also used in other scenarios).
4. Update VncConsoleModel and SpiceConsoleModel to work with the new
queries.

So, need to test that when using User level API:
1. The user can't access /api/hosts (error 403, forbidden)
2. The user can't access a specific host (/api/host/<some guid>).
3. When getting all VMs (/api/vms), or a specific one (/api/vms/<some guid>) the user doesn't see any host information.
4. When getting all VMs (/api/vms), or a specific one (/api/vms/<some guid>), the user neither sees any placement policy information nor can change it, i.e., only administrators are allowed to change the placement policy.
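A script that exercises the test plan above, as an added example (not part of this bug or of the ovirt-engine patch). It assumes the oVirt/RHEV 3.1 REST conventions of HTTP Basic authentication with a user@domain login, XML responses, and the Filter: true header to select the user-level (permission-filtered) view of the API. The two sample XML bodies, the vm-1/host-1 identifiers and the 192.0.2.10 address are constructed for illustration, not captured from an engine. The parsing and evaluation functions run offline against those samples; run() performs the live requests.

```python
"""Checks for the user-level REST API test plan in comment 5 (added example).

Assumes oVirt/RHEV 3.1 REST conventions: HTTP Basic auth with 'user@domain',
XML responses, and the 'Filter: true' header for the user-level view.
"""
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# <vm> children a non-admin user must not see (comment 5, items 3 and 4).
FORBIDDEN_VM_CHILDREN = ("host", "placement_policy")
# <display> children the VM must still carry so the console works (comment 3).
REQUIRED_DISPLAY_CHILDREN = ("address", "port")

# Constructed sample bodies (not captured from a real engine): the shape a
# non-admin GET /api/vms had before the fix, and the expected shape after it.
VMS_BEFORE_FIX = b"""<vms>
  <vm id="vm-1" href="/api/vms/vm-1">
    <name>user-vm</name>
    <host id="host-1" href="/api/hosts/host-1"/>
    <placement_policy>
      <host id="host-1"/>
      <affinity>migratable</affinity>
    </placement_policy>
    <display><type>spice</type><address>192.0.2.10</address><port>5900</port></display>
  </vm>
</vms>"""

VMS_AFTER_FIX = b"""<vms>
  <vm id="vm-1" href="/api/vms/vm-1">
    <name>user-vm</name>
    <display><type>spice</type><address>192.0.2.10</address><port>5900</port></display>
  </vm>
</vms>"""


def user_api_get(base_url, path, user, password):
    """GET a resource as a non-admin user; returns (status, body), not raising on 4xx."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Filter", "true")  # user-level (permission-filtered) API
    req.add_header("Accept", "application/xml")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def _vm_elements(vms_xml):
    """Accept either a <vms> collection or a single <vm> document."""
    root = ET.fromstring(vms_xml)
    return [root] if root.tag == "vm" else root.findall("vm")


def leaked_vm_fields(vms_xml):
    """[(vm_id, tag), ...] for every forbidden direct child present on a VM."""
    leaks = []
    for vm in _vm_elements(vms_xml):
        for tag in FORBIDDEN_VM_CHILDREN:
            # Direct children only: <placement_policy><host/> is reported once.
            if vm.find(tag) is not None:
                leaks.append((vm.get("id", "?"), tag))
    return leaks


def missing_display_fields(vms_xml):
    """[(vm_id, tag), ...] for VMs whose <display> lacks the address or port."""
    missing = []
    for vm in _vm_elements(vms_xml):
        display = vm.find("display")
        for tag in REQUIRED_DISPLAY_CHILDREN:
            if display is None or display.find(tag) is None:
                missing.append((vm.get("id", "?"), tag))
    return missing


def evaluate(hosts_status, host_status, vms_xml):
    """Turn raw observations into a list of failures; empty means the plan passed."""
    failures = []
    if hosts_status != 403:  # item 1: comment 5 names 403 for the collection
        failures.append(f"/api/hosts returned {hosts_status}, expected 403")
    if 200 <= host_status < 300:  # item 2: any success status is a failure
        failures.append(f"/api/hosts/<id> returned {host_status}, expected an error")
    for vm_id, tag in leaked_vm_fields(vms_xml):  # items 3 and 4 (read side)
        failures.append(f"vm {vm_id} exposes <{tag}> to a non-admin user")
    for vm_id, tag in missing_display_fields(vms_xml):  # console data must survive
        failures.append(f"vm {vm_id} lost display <{tag}>")
    return failures


def run(base_url, user, password, host_id):
    """Live run against an engine (hypothetical URL/credentials supplied by the caller)."""
    hosts_status, _ = user_api_get(base_url, "/api/hosts", user, password)
    host_status, _ = user_api_get(base_url, f"/api/hosts/{host_id}", user, password)
    _, vms_xml = user_api_get(base_url, "/api/vms", user, password)
    return evaluate(hosts_status, host_status, vms_xml)


if __name__ == "__main__":
    import sys
    # usage: check_user_api.py https://engine.example/ user@domain password <host-guid>
    for failure in run(*sys.argv[1:5]):
        print("FAIL:", failure)
```

Comment 5 states 403 only for the /api/hosts collection, so the single-host check accepts any non-2xx status rather than pinning one. The write half of item 4 (a non-admin PUT of placement_policy being rejected) is not covered here: the user-level view hides placement_policy, so its effect has to be confirmed through an admin-level GET of the same VM after the attempt.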
Comment 6 Oved Ourfali 2012-07-25 06:41:05 EDT
Commit: 1ca8d9e215bbf94138dac4ff1aa6055321fb438d

http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=1ca8d9e215bbf94138dac4ff1aa6055321fb438d
