From Fedora Project Wiki

(Created page with "{{QA/Test_Case |description=This test case tests whether thermostat command channel interactions fail if the agent user is missing the thermostat-cmdc-verify role. |setup= # B...")
 
No edit summary
 
(5 intermediate revisions by the same user not shown)
Previous revision (wikitext as shown in the diff; lines 2-5 are unchanged and were not displayed):

{{QA/Test_Case
|description=This test case tests whether thermostat command channel interactions fail if the agent user is missing the thermostat-cmdc-verify role.
|setup=
# Boot into the machine/VM you wish to test.
(lines 2-5 unchanged, not shown in the diff)
# Perform all actions as described in the [[QA:Testcase_thermostat_web_basic|basic web service test case]].
|actions=
# Open /etc/thermostat/thermostat-roles.properties and remove the "thermostat-cmdc-verify" role from the "thermostat-agent" recursive role definition (right side of '=').
# Start the thermostat agent, connecting to webstorage: {{command|thermostat agent -d http://127.0.0.1:8080/thermostat/storage}}
# Start the thermostat shell: {{command|thermostat shell}}
# Connect to the thermostat web service at the shell prompt: {{command| Thermostat > connect -d http://127.0.0.1:8080/thermostat/storage}}
# Figure out the host ID of a running agent (a.k.a. agent ID). Note that this list-vms command will use web storage rather than mongodb directly. {{command| Thermostat > list-vms}}
# On the thermostat shell, attempt to ping the host ID: {{command| <nowiki>Thermostat > ping ||hostID||</nowiki>}}
|results=
# At step 6, the ping should come back with:
<pre>
Queuing ping request. Destination: /127.0.0.1:12000
Unknown result from ping command
</pre>
# It is a known issue that the error message shown to the user is "Unknown result from ping command". This will be fixed upstream very soon. The new error message will detail the real reason "authentication/authorization issue".
}}

Current revision: the wikitext of the latest revision is rendered below.

Latest revision as of 16:37, 2 December 2013

Description

This test case tests whether thermostat filters the results it returns based on the username the JVM is running as.

Setup

  1. Boot into the machine/VM you wish to test.
  2. If thermostat-webapp is not yet installed, install it.
  3. Perform all actions as described in the basic web service test case.

How to test

  1. Start the thermostat agent, connecting to webstorage: thermostat agent -d http://127.0.0.1:8080/thermostat/storage
  2. Start a Java process as a user other than the user you use in steps 6-7.
  3. Start the thermostat shell: thermostat shell
  4. Connect to the thermostat web service at the shell prompt: Thermostat > connect -d http://127.0.0.1:8080/thermostat/storage
  5. List all VMs: Thermostat > list-vms
  6. From this list pick one VM_ID, say it's 7474af55-6869-4606-8815-df0674d56e2b
  7. Next, show the VM information via the vm-info command: vm-info 7474af55-6869-4606-8815-df0674d56e2b. Record the "User ID" information. Say this info is "1000(jon-doe)".
  8. Now in /etc/thermostat/thermostat-roles.properties change the following line of the recursive role "thermostat-client" (this needs to be done as root), save the file and run list-vms again:
# This granted a user which is member of "thermostat-client" to read all VMs running as any username on the target host.
#thermostat-vms-grant-read-username-ALL
# This grants a user which is member of "thermostat-client" to read all VMs running as user "jon-doe"
thermostat-vms-grant-read-username-jon-doe
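To make the filtering behind step 8 concrete, here is an added Python model (not thermostat's own code) of how a recursive role definition expands and how a thermostat-vms-grant-read-username-<NAME> role is applied to list-vms output. It assumes a simplified one-line-per-role "role = member, member" file syntax, that the literal NAME "ALL" matches any username, and constructed VM records; the role names and the first VM ID come from the test case.

```python
GRANT_PREFIX = "thermostat-vms-grant-read-username-"

# Constructed sample role file after step 8: the ALL grant is commented out and
# only jon-doe is granted. Simplified syntax: one "role = member, member" line
# per role, '#' comments; the real file is Java Properties syntax.
ROLES_AFTER_STEP_8 = """\
# Recursive role for web clients
thermostat-client = thermostat-vms-grant-read-username-jon-doe
#thermostat-client = thermostat-vms-grant-read-username-ALL
thermostat-agent = thermostat-cmdc-verify
"""

# Constructed VM records as list-vms/vm-info would report them; the first ID is
# the one used in the test case, the other two are made up for this example.
VMS = [
    {"vm_id": "7474af55-6869-4606-8815-df0674d56e2b", "user": "jon-doe"},
    {"vm_id": "vm-constructed-0001", "user": "root"},
    {"vm_id": "vm-constructed-0002", "user": "tomcat"},
]


def parse_roles(text):
    """Return {role: set(member roles)} from the simplified properties text."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, members = line.split("=", 1)
        roles[name.strip()] = {m.strip() for m in members.split(",") if m.strip()}
    return roles


def effective_roles(roles, role, seen=None):
    """Expand a recursive role definition; the seen-set guards against cycles."""
    seen = set() if seen is None else seen
    if role in seen:
        return seen
    seen.add(role)
    for member in roles.get(role, ()):
        effective_roles(roles, member, seen)
    return seen


def list_vms(roles, user_role, vms):
    """Return the VM IDs a user holding user_role may read, per the grant roles."""
    granted = {r[len(GRANT_PREFIX):] for r in effective_roles(roles, user_role)
               if r.startswith(GRANT_PREFIX)}
    if "ALL" in granted:
        return [vm["vm_id"] for vm in vms]
    return [vm["vm_id"] for vm in vms if vm["user"] in granted]
```

With the ALL line active instead, list_vms returns every VM ID, which is the behaviour the test case expects before the role file is edited.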

Expected Results

  1. At step 7, list-vms should only show VMs which are running as "jon-doe". You can verify this by running vm-info on every VM_ID in the output of list-vms.
  2. More information as to how thermostat*grant-read* roles work can be found on the security considerations thermostat wiki page: http://icedtea.classpath.org/wiki/?title=Thermostat/SecurityConsiderations#Thermostat_Access_Control