MAAS

`Mark Broken` and `Mark Fixed` permissions are too restrictive and inconsistent

Bug #1997000 reported by Igor Brovtsin
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
MAAS
Triaged
Medium
Igor Brovtsin
MAAS 3.4.x

Bug Description

While working on LP:#1889026 and LP:#1994899, I found `Mark Broken` and `Mark Fixed` permissions unnecessary restrictive and inconsistent:

- `Mark Broken` is actionable only for machines owned by some user. This means that freshly-commissioned machines in `Ready` state cannot be marked as broken.

- `Mark Broken` is only available to the user that has ownership over the machine. While it seems logical, it also means that the action is not available to the MAAS administrator if the machine is owned by a simple user (as noted in https://bugs.launchpad.net/maas/+bug/1811234). This limitation also ignores RBAC rules permitting marking machines broken.

- `Mark Fixed` requires `NodePermission.admin` while `Mark Broken` requires `NodePermission.edit`. Users locking machines that belong to them will not be able to mark machine as fixed on their own, requiring administrator to intervene.

While all three issues have pretty straightforward fixes to them (and there is an MP for the first two already), applying them might cause non-obvious security implications. Further analysis is required.

See original description
Igor Brovtsin (igor-brovtsin)
Changed in maas:
importance: Undecided → Medium
assignee: nobody → Igor Brovtsin (igor-brovtsin)
Igor Brovtsin (igor-brovtsin)
description: updated
Igor Brovtsin (igor-brovtsin)
Changed in maas:
milestone: none → 3.4.0
status: New → Triaged
Alberto Donato (ack)
Changed in maas:
milestone: 3.4.0 → 3.4.x
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.