The backstory is that I am working on taking our implementation to this
point and trying to ensure proper scoping of objects in the Katello
controllers (see [1] and [2] for some reference). While everything has so
far gone smoothly, I have run into an issue that needs addressing across
the projects. Here's the scenario:
- Create a new user: testuser
- Grant that user a new permission that allows "view" and "create" on
subnets.
- As the admin, create a new Domain "example.org" with ID 1
- Via the API, authenticating as 'testuser', create a new subnet with that
domain linkage, e.g.:
POST: /api/v2/subnets
{
  "subnet": {
    "name": "TestNet",
    "domain_ids": [1],
    "network": "255.255.192.0",
    "mask": "255.255.255.0"
  }
}
Returned:
{
  "id": 1,
  "name": "TestNet",
  "network_address": "255.255.192.0/24",
  "network": "255.255.192.0",
  "cidr": 24,
  "mask": "255.255.255.0",
  "priority": null,
  "vlanid": null,
  "gateway": null,
  "dns_primary": null,
  "dns_secondary": null,
  "from": null,
  "to": null,
  "created_at": "2014-07-21T15:13:00Z",
  "updated_at": "2014-07-21T15:13:00Z",
  "dhcp": null,
  "tftp": null,
  "dns": null,
  "locations": [],
  "organizations": [],
  "domains": [
    {
      "id": 1,
      "name": "example.org"
    }
  ]
}
Issue 1:
As a user who is only allowed to "view" and "create" subnets, I have been
able to attach the subnet to a domain that I do not have access to.
Issue 2:
On the Katello side we attempt to verify all nested objects as accessible
by a user before allowing them to attach that object. Typically, this means
that if I am editing a Product, for example, and want to attach a GPG Key,
I must have access to that GPG Key. Our assumption is that a user must
have "view" on the GPG Key and edit/create on the Product. Currently, the
nested object API methods would automatically try to calculate and assume
that I have 'update' on both objects due to that being the current action
permission (see
https://github.com/theforeman/foreman/blob/develop/app/controllers/api/base_controller.rb#L237).
Question here is - what is the proper behavior and what do we want to
enforce?
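To make the expectation concrete, here is an added example (not Foreman or Katello code) of the check described in Issue 2 applied to the subnet scenario from Issue 1: the caller needs the action permission on the top-level resource ("create" on subnets) plus "view" on every nested object referenced by ID, and the IDs are resolved only through the domains visible to that user. The models, permission names, organization scoping and the in-memory domain list are all constructed stand-ins, not the real Foreman schema.

```ruby
require 'set'

# Constructed stand-ins for Foreman models (assumptions, not the real API):
# a Domain belongs to one organization; a User holds permission names and
# the organizations they are a member of.
Domain = Struct.new(:id, :name, :organization_id)
User   = Struct.new(:login, :permissions, :organization_ids)

class NotAuthorized < StandardError; end

# Constructed sample data: testuser is a member of org 10 only.
DOMAINS = [
  Domain.new(1, 'example.org', 10),
  Domain.new(2, 'other.test',  20)
].freeze

# Domains the user may see, scoped by organization membership. All nested
# lookups go through this, so an out-of-scope ID behaves like a missing one.
def visible_domains(user)
  DOMAINS.select { |d| user.organization_ids.include?(d.organization_id) }
end

# Authorize a subnet create request: the action permission on the subnet
# itself, then 'view' on domains plus visibility of each referenced domain.
# Returns the created representation; raises NotAuthorized otherwise.
def create_subnet(user, params)
  unless user.permissions.include?('create_subnets')
    raise NotAuthorized, 'create_subnets required'
  end

  ids = Array(params['domain_ids'])
  return { 'name' => params['name'], 'domains' => [] } if ids.empty?

  unless user.permissions.include?('view_domains')
    raise NotAuthorized, 'view_domains required to attach domains'
  end

  allowed = visible_domains(user).map { |d| [d.id, d] }.to_h
  missing = ids.reject { |id| allowed.key?(id) }
  unless missing.empty?
    raise NotAuthorized, "domains not accessible: #{missing.inspect}"
  end

  {
    'name'    => params['name'],
    'domains' => ids.map { |id| { 'id' => id, 'name' => allowed[id].name } }
  }
end

# Boolean form of the same decision, convenient for policy checks and tests.
def subnet_create_allowed?(user, params)
  create_subnet(user, params)
  true
rescue NotAuthorized
  false
end

if __FILE__ == $PROGRAM_NAME
  testuser = User.new('testuser', Set['view_subnets', 'create_subnets'], [10])
  request  = { 'name' => 'TestNet', 'domain_ids' => [1] }
  puts "allowed without view_domains? #{subnet_create_allowed?(testuser, request)}"
end
```

With only "view" and "create" on subnets, the request that succeeded in the scenario above is refused here because the domain reference requires "view" on domains; granting that permission makes domain 1 attachable while domain 2, outside the user's organizations, is still rejected with the same error as a nonexistent ID.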
The above are the two big issues I have run into whereby we are
inconsistent with our behavior expectations and there appears to be a
potentially large gap on the Foreman (and Katello side to a degree) around
the API (and UI) and what a user can and cannot do based on their
permission set. I wanted to reach out and see if I was missing anything, or
what your thoughts were on these issues. If you feel I need to open this
up, I am more than happy to send this out to a wider audience or put
together a meeting to discuss so that we can converge on consistency.
Thanks,
Eric
[1] https://github.com/theforeman/foreman/pull/1596
[2] https://github.com/Katello/katello/pull/4454