From Fedora Project Wiki
Description
This test case tests whether thermostat filters results returned based on the username the JVM is running as.
Setup
- Boot into the machine/VM you wish to test.
- If thermostat-webapp is not yet installed, install it.
- Perform all actions as described in the basic web service test case.
How to test
- Start the thermostat agent, connecting to webstorage:
thermostat agent -d http://127.0.0.1:8080/thermostat/storage
- Start a Java process as a user other than the user you use in steps 6-7.
- Start the thermostat shell:
thermostat shell
- Connect to the thermostat web service at the shell prompt:
Thermostat > connect -d http://127.0.0.1:8080/thermostat/storage
- List all VMs:
Thermostat > list-vms
- From this list pick one VM_ID, say it's
7474af55-6869-4606-8815-df0674d56e2b
- Next show the VM information via the vm-info command:
vm-info 7474af55-6869-4606-8815-df0674d56e2b
Record the "User ID" information. Say this info is "1000(jon-doe)".
- Now in /etc/thermostat/thermostat-roles.properties change the following line of the recursive role "thermostat-client" (this needs to be done as root), save the file and run list-vms again:
# This granted a user which is member of "thermostat-client" to read all VMs running as any username on the target host.
#thermostat-vms-grant-read-username-ALL
# This grants a user which is member of "thermostat-client" to read all VMs running as user "jon-doe"
thermostat-vms-grant-read-username-jon-doe
Expected Results
- At step 7, list-vms should only show VMs which are running as "jon-doe". You can verify this by running vm-info on every VM_ID in the output of list-vms.
- More information as to how thermostat*grant-read* roles work can be found on the security considerations thermostat wiki page.
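The per-VM check from the expected results can be scripted. The following is an added example, not part of the original test case or of thermostat itself: it reads the active thermostat-vms-grant-read-username-* entries and flags any VM whose "User ID" names a user that no entry grants. The function names, the "User ID: uid(name)" line shape and the dictionary of collected vm-info output are assumptions.

```python
import re

ROLE_PREFIX = "thermostat-vms-grant-read-username-"
# Assumed shape of the vm-info line: "User ID: 1000(jon-doe)"
USER_ID_RE = re.compile(r"User ID\W*(\d+)\(([^)]+)\)")

def granted_usernames(roles_text):
    """Usernames granted by active (uncommented) role entries."""
    names = set()
    for line in roles_text.splitlines():
        if line.lstrip().startswith(("#", "!")):   # properties-file comment
            continue
        for token in re.split(r"[\s,=\\]+", line):
            if token.startswith(ROLE_PREFIX):
                names.add(token[len(ROLE_PREFIX):])
    return names

def vm_username(vm_info_text):
    """Username from the "User ID" field, or None if the field is missing."""
    m = USER_ID_RE.search(vm_info_text)
    return m.group(2) if m else None

def leaked_vms(roles_text, vm_infos):
    """VM_IDs the client could see although no active role grants them."""
    allowed = granted_usernames(roles_text)
    if "ALL" in allowed:
        return []
    # A VM with no parsable User ID counts as a leak (fail closed).
    return sorted(v for v, text in vm_infos.items()
                  if vm_username(text) not in allowed)

# Role lines as edited in the last step of the test.
ROLES_AFTER = """\
#thermostat-vms-grant-read-username-ALL
thermostat-vms-grant-read-username-jon-doe
"""
ROLES_BEFORE = "thermostat-vms-grant-read-username-ALL\n"

# Constructed vm-info output keyed by VM_ID; the second ID is a placeholder.
VM_INFOS = {
    "7474af55-6869-4606-8815-df0674d56e2b": "User ID: 1000(jon-doe)",
    "00000000-0000-0000-0000-000000000001": "User ID: 1001(other-user)",
}

if __name__ == "__main__":
    print("leaked:", leaked_vms(ROLES_AFTER, VM_INFOS))
```

An empty result means the filter held; any VM_ID returned is one the web service should have hidden from the client.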