Bug
Resolution: Done
Normal
2.3
ANSTRAT-423 - Direct LDAP connection from Private Hub in App without another VM being required
Description
A user belongs to a group and this group is under the Owners tab in Execution Environments with roles "Push to existing containers" and "Delete container repository" (object permissions).
But this user can't delete an image. If the role is assigned to the group (global) then the user can.
Steps to Reproduce
1- Create new user and new group
2- Add user to group
3- Create a role with these permissions:
"container.delete_containerrepository",
"container.namespace_push_containerdistribution"
4- Create a local image container. To do this, I use command line like this:
podman login --username admin --password admin https://localhost:5001 --tls-verify=false
podman pull docker.io/library/alpine --tls-verify=false
podman image tag alpine localhost:5001/ee_name:latest
podman push localhost:5001/ee_name:latest --tls-verify=false
5- Go to Owners tab and assign group and role from previous step.
6- Login with user from step 1 and try to delete the image.
Check screenshots
Actual Behavior
In API tests: 403
UI: No Delete option in kebab menu.
Expected Behavior
Deletion successful
IQE test
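import pytest
from uuid import uuid4

# The helpers used below (create_local_image_container, add_new_user_to_new_group,
# add_owner_to_ee, get_container, delete_image_container) are not defined on this
# page; they are assumed to be the test suite's own utilities.


@pytest.mark.standalone_only
def test_role_delete_image_from_ee_object_role(app, galaxy_client, skip_if_rbac_not_available):
    """
    Verifies that when a user
    """
    # Admin client creates the execution environment (local image container).
    gc = galaxy_client("ansible_insights", ignore_cache=True)
    ee_name = create_local_image_container(app, gc)

    # New user in a new group, plus a custom role with the two permissions.
    user, group = add_new_user_to_new_group(gc)
    permissions_user = ["container.delete_containerrepository",
                        "container.namespace_push_containerdistribution"]
    role_user = f"galaxy.rbac_test_role_{uuid4()}"
    gc.create_role(role_user, "any_description", permissions_user)

    # Assign the role to the group at object level (Owners tab of the EE).
    add_owner_to_ee(gc, ee_name, group["name"], [role_user])

    # Act as the new user: push, then delete the image.
    gc_user = galaxy_client(user)
    gc_user.push_image(ee_name + ":latest")
    info = get_container(gc_user, ee_name)
    delete_image_container(gc_user, ee_name, info["data"][0]["digest"])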