RBAC rules are applied incorrectly against AZ objects
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MAAS | Triaged | Medium | Unassigned |
3.3 | Triaged | Medium | Unassigned |
Bug Description
=== Environment
MAAS+Candid+RBAC
candid v1.8.1 799 latest/stable canonical* -
canonical-rbac 1.0.2-400-g.6e658ad 224 - canonical* -
maas 3.1.0-10901-
maas-cli 0.6.5 13 latest/stable canonical* -
Candid's config file:

```yaml
identity-providers:
- type: static
  name: static
  users:
    administrator:
      name: Administrator
      email: <email address hidden>
      password: admin
      groups:
      - group1
      - group2
    user:
      name: user
      email: <email address hidden>
      password: user
      groups:
      - group2
```
=== Problem description
A user authenticated with the "user" credentials could still add a new AZ, despite lacking the permission (either "Auditor" or no role assigned in the "All DNS, AZ, Settings, Images" scope). However, this user can only add a new entry, not modify or delete an existing one.
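The asymmetry in the report (create allowed, update/delete denied) is what you get when an authorization check is keyed on an existing target object, so there is nothing to check at create time. The following model, added here as an illustration and not MAAS or canonical-rbac code, reproduces that gap and the scope-level check that closes it; the role-to-action table, the `check_create` switch and the `Rbac`/`ZoneStore` classes are assumptions, and the actual MAAS root cause is not stated on this page.

```python
from dataclasses import dataclass, field

SCOPE = "All DNS, AZ, Settings, Images"  # RBAC scope named in the report
# Role -> actions; "Auditor" is read-only, no role grants nothing (assumed model)
ROLE_ACTIONS = {"Admin": {"view", "create", "update", "delete"},
                "Auditor": {"view"}}


@dataclass
class Rbac:
    assignments: dict  # user -> role in SCOPE (constructed in the test)

    def allows(self, user, action):
        return action in ROLE_ACTIONS.get(self.assignments.get(user), set())


@dataclass
class ZoneStore:
    rbac: Rbac
    check_create: bool = True  # False models the reported gap
    zones: set = field(default_factory=set)

    def _authorize(self, user, action, zone=None):
        # Vulnerable pattern: the check is keyed on an existing target object,
        # so create (no object yet) is never evaluated against the scope.
        if zone is None and not self.check_create:
            return
        if not self.rbac.allows(user, action):
            raise PermissionError(f"{user} may not {action} AZ in '{SCOPE}'")

    def create(self, user, name):
        self._authorize(user, "create")  # fixed: check the scope, not an object
        self.zones.add(name)

    def update(self, user, name, new_name):
        self._authorize(user, "update", name)
        self.zones.remove(name)
        self.zones.add(new_name)

    def delete(self, user, name):
        self._authorize(user, "delete", name)
        self.zones.remove(name)


def attempt(op, *args):
    """Return 'allowed' or 'denied' for one operation, for regression checks."""
    try:
        op(*args)
        return "allowed"
    except PermissionError:
        return "denied"
```

A regression test for the real deployment should exercise all three operations (create, update, delete) for each role in the scope, not only the object-level ones.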
Changed in maas:
  importance: High → Medium
  milestone: next → 3.3.0
Changed in maas:
  milestone: 3.3.0 → 3.4.0
Changed in maas:
  milestone: 3.4.0 → 3.4.x
RBAC assignments attached.