[2.5, RBAC] Pod compose view allows selecting any visible resource pool

Bug #1811658 reported by Björn Tillenius on 2019-01-14
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MAAS
High
Unassigned

Bug Description

This is with MAAS 2.5.1-7489-g2f25a2cc0-0ubuntu1~18.04.1 and RBAC enabled.

I have a MAAS deployment with a virsh Pod registered. I have a user which has
Admin on the resource pool the pod belongs to, and the User role on another pool.

If I go and compose a new machine in the pod, I can select the resource pool
where the user only has the User role.

This shouldn't be possible, since it's effectively moving a machine from one
pool to the other, and Users don't have permission to do so.

tags: added: rbac
Changed in maas:
status: New → Triaged
importance: Undecided → High
milestone: none → 2.5.1
Changed in maas:
milestone: 2.5.1 → 2.5.2
Changed in maas:
milestone: 2.5.2 → 2.5.3
Changed in maas:
milestone: 2.5.3 → 2.6.0beta2
Changed in maas:
milestone: 2.6.0beta2 → 2.6.0rc1
Changed in maas:
milestone: 2.6.0rc1 → 2.6.0rc2
Changed in maas:
milestone: 2.6.0rc2 → 2.7.0alpha1
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers