Bug 923100 - User who can't manipulate users, can add user if he has manipulate_permission action group.
Summary: User who can't manipulate users, can add user if he has manipulate_permission...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.3.0
Assignee: Ravi Nori
QA Contact: Ondra Machacek
URL:
Whiteboard: infra
Depends On:
Blocks: 1019461
 
Reported: 2013-03-19 08:19 UTC by Ondra Machacek
Modified: 2016-02-10 19:29 UTC
CC List: 9 users

Fixed In Version: is15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
oVirt Team: Infra
Target Upstream Version:




Links
System        ID     Priority  Status  Summary  Last Updated
oVirt gerrit  17593  None      None    None     Never

Description Ondra Machacek 2013-03-19 08:19:16 UTC
Description of problem:
When a user has the manipulate_permission action group and does not have the manipulate_users action group, he can add a permission to a user who is not yet added to the system, and thus he can add a user to the system.

Version-Release number of selected component (if applicable):
sf10

How reproducible:
always

Steps to Reproduce:
1. Add ClusterAdmin permissions to user1 on the cluster.
2. Login as user1.
3. Add UserVmManager permissions on the cluster to a user who is not added to the system yet.
  
Actual results:
Action succeeds.

Expected results:
Action fails, because ClusterAdmin does not have the manipulate_users action group.
If ClusterAdmin tries to add the user via Users tab => Add user, the action fails.

Additional info:
2013-03-19 09:15:28,291 INFO  [org.ovirt.engine.core.bll.AddPermissionCommand] (pool-3-thread-39) [37540286] Running command: AddPermissionCommand internal: false. Entities affected :  ID: fea51314-f9bf-45a0-9c5b-3bb2085b1876 Type: VdsGroups
2013-03-19 09:15:30,037 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-8) Running command: LoginUserCommand internal: false.
2013-03-19 09:15:30,045 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-8) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2013-03-19 09:15:30,045 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-8) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2013-03-19 09:15:30,645 INFO  [org.ovirt.engine.core.bll.LogoutUserCommand] (ajp-/127.0.0.1:8702-1) [107c92f4] Running command: LogoutUserCommand internal: false.
2013-03-19 09:15:37,483 INFO  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-15) Running command: LoginAdminUserCommand internal: false.
2013-03-19 09:15:38,270 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-7) Running command: LoginUserCommand internal: false.
2013-03-19 09:15:38,281 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-7) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2013-03-19 09:15:38,281 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-7) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2013-03-19 09:15:43,119 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-18) calling GetConfigurationValueQuery (WebAdminUpperRightButtonURL) with null version, using default general for version
2013-03-19 09:16:01,531 INFO  [org.ovirt.engine.core.bll.AddPermissionCommand] (pool-3-thread-39) [3b82c592] Running command: AddPermissionCommand internal: false. Entities affected :  ID: fea51314-f9bf-45a0-9c5b-3bb2085b1876 Type: VdsGroups

Comment 1 Yair Zaslavsky 2013-03-24 16:49:09 UTC
AddPermissionCommand parameters include two fields -
vdcUser and adGroup - one of them is filled with the user or group a permission is to be added for (and which is to be added to the DB in case the user/group is not in the DB).
We should add a check during getPermissionsSubject to check whether the user/group is in the DB - and if it is not in the DB, we should check for a permission to manipulate users (similar to the check in AddUserCommand).
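The gap described in the report and the check proposed in comment 1, as an added example in the form of a small Python model; this is not ovirt-engine code and makes no use of its API. The Engine class, the ROLES table (reduced to the two action groups that matter here), the add_permission function, the "system" root object and the user and cluster ids are all constructed for the illustration. With fixed=False the command only verifies manipulate_permissions on the target object, so a ClusterAdmin can grant a role to an unknown principal and the principal is created as a side effect; with fixed=True a subject that is not already in the DB additionally requires manipulate_users, which is the AddUserCommand check comment 1 refers to.

```python
# Added example modelling bug 923100: the authorization gap in AddPermissionCommand
# and the extra check proposed in comment 1. Constructed model, not ovirt-engine
# code; Engine, ROLES, add_permission, SYSTEM and the ids below are assumptions.
from dataclasses import dataclass, field

MANIPULATE_PERMISSIONS = "manipulate_permissions"
MANIPULATE_USERS = "manipulate_users"
SYSTEM = "system"  # assumed root object; permissions on it apply to every object

# Assumed role -> action group mapping, reduced to the two groups relevant here.
ROLES = {
    "SuperUser": {MANIPULATE_PERMISSIONS, MANIPULATE_USERS},
    "ClusterAdmin": {MANIPULATE_PERMISSIONS},
    "UserVmManager": set(),
}


@dataclass
class Engine:
    users: set = field(default_factory=set)          # principals present in the DB
    permissions: list = field(default_factory=list)  # (principal, role, object_id)

    def action_groups(self, principal, object_id):
        """Action groups `principal` holds on `object_id` or on the system root."""
        groups = set()
        for who, role, obj in self.permissions:
            if who == principal and obj in (object_id, SYSTEM):
                groups |= ROLES[role]
        return groups


def add_permission(engine, actor, subject, role, object_id, fixed):
    """Model of AddPermissionCommand. Returns (allowed, reason).

    `subject` need not exist in the DB yet: like the real command, the model
    creates it as a side effect. With fixed=False only manipulate_permissions
    on the target is checked (the bug); with fixed=True a subject that is not
    in the DB additionally requires manipulate_users, as AddUserCommand does.
    """
    groups = engine.action_groups(actor, object_id)
    if MANIPULATE_PERMISSIONS not in groups:
        return False, "actor lacks manipulate_permissions on target"
    if subject not in engine.users:
        if fixed and MANIPULATE_USERS not in groups:
            return False, "subject not in DB and actor lacks manipulate_users"
        engine.users.add(subject)  # the implicit "add user" this bug is about
    engine.permissions.append((subject, role, object_id))
    return True, "ok"


def reproduce(fixed):
    """Steps to Reproduce from the report; returns (allowed, reason, user2_created)."""
    engine = Engine(users={"admin", "user1"},
                    permissions=[("admin", "SuperUser", SYSTEM)])
    # 1. admin grants ClusterAdmin on the cluster to user1
    assert add_permission(engine, "admin", "user1", "ClusterAdmin", "cluster-1", fixed)[0]
    # 2./3. user1 grants UserVmManager on the cluster to a user not yet in the DB
    allowed, reason = add_permission(engine, "user1", "user2", "UserVmManager",
                                     "cluster-1", fixed)
    return allowed, reason, "user2" in engine.users


def existing_subject_allowed(fixed=True):
    """The fix must not block a ClusterAdmin granting rights to a user already in the DB."""
    engine = Engine(users={"admin", "user1", "user3"},
                    permissions=[("admin", "SuperUser", SYSTEM),
                                 ("user1", "ClusterAdmin", "cluster-1")])
    return add_permission(engine, "user1", "user3", "UserVmManager", "cluster-1", fixed)[0]


if __name__ == "__main__":
    print("before fix:", reproduce(False))  # user2 is silently created
    print("after fix: ", reproduce(True))   # denied, user2 is not created
    print("existing subject still allowed:", existing_subject_allowed())
```

The point the model makes is that the authorization decision has to follow the side effect: a command that may create a principal must be gated by the same action group as the command whose only job is to create one, or the lesser permission becomes a path to the greater one.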

Comment 3 Itamar Heim 2014-01-21 22:24:34 UTC
Closing - RHEV 3.3 Released

Comment 4 Itamar Heim 2014-01-21 22:25:24 UTC
Closing - RHEV 3.3 Released

Comment 5 Itamar Heim 2014-01-21 22:28:56 UTC
Closing - RHEV 3.3 Released

