From Fedora Project Wiki

Description

This test case tests whether thermostat filters results returned based on the username the JVM is running as.

Setup

  1. Boot into the machine/VM you wish to test.
  2. If thermostat-webapp is not yet installed, install it.
  3. Perform all actions as described in the basic web service test case.

How to test

  1. Start the thermostat agent, connecting to webstorage: thermostat agent -d http://127.0.0.1:8080/thermostat/storage
  2. Start a Java process as user other than the user you use in step 6-7.
  3. Start the thermostat shell: thermostat shell
  4. Connect to the thermostat web service at the shell prompt: Thermostat > connect -d http://127.0.0.1:8080/thermostat/storage
  5. List all VMs: Thermostat > list-vms
  6. From this list pick one VM_ID, say it's 7474af55-6869-4606-8815-df0674d56e2b
  7. Next show the VM information via the vm-info command: vm-info 7474af55-6869-4606-8815-df0674d56e2b. Record the "User ID" information. Say this info is "1000(jon-doe)"
  8. Now in /etc/thermostat/thermostat-roles.properties change the following line of the recursive role "thermostat-client" (this needs to be done as root), save the file and run list-vms again:
# This granted a user which is member of "thermostat-client" to read all VMs running as any username on the target host.
#thermostat-vms-grant-read-username-ALL
# This grants a user which is member of "thermostat-client" to read all VMs running as user "jon-doe"
thermostat-vms-grant-read-username-jon-doe

Expected Results

  1. At step 7, list-vms should only show VMs which are running as "jon-doe". You can verify this by running vm-info on every VM_ID in the output of list-vms.
  2. More information as to how thermostat*grant-read* roles work can be found on the security considerations thermostat wiki page.