Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 1121617

Summary: permissions logging
Product: Red Hat Enterprise Virtualization Manager Reporter: Michal Skrivanek <michal.skrivanek>
Component: ovirt-engine-webadmin-portalAssignee: Piotr Kliczewski <pkliczew>
Status: CLOSED CURRENTRELEASE QA Contact: Ondra Machacek <omachace>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.5.0CC: bazulay, ecohen, gklein, iheim, oourfali, pkliczew, rbalakri, Rhev-m-bugs, sherold, yeylon
Target Milestone: ---   
Target Release: 3.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: infra
Fixed In Version: ovirt-3.5.0_rc1.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-17 17:09:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1142923, 1156165    

Description Michal Skrivanek 2014-07-21 11:49:54 UTC
We need a way how to understand what permissions on
what entities are missing/required for a certain operation. 
Currently the outcome is that everyone is either a PowerUser (for even the most basic usage) or Admin (for anything as small as uploading iso to iso domain). I
think we need a generic logging of which entities and which permissions has
the code gone through when something fails. (I think just logging it in
engine.log is ok)

This should help admins to understand and troubleshoot what permissions they should assign for each operation

Comment 1 Michal Skrivanek 2014-07-29 14:41:35 UTC
It would be great if we can build the list of entities and permissions we checked on the way and log it when it eventually fails. It needs to be an info level log, not debug as admin would want to troubleshoot why is someone not able to do something.

Comment 2 Ondra Machacek 2014-09-03 12:21:45 UTC
There is now information in log what perm is needed on what object.

2014-09-03 14:20:00,267 INFO  [org.ovirt.engine.core.bll.AddVdsGroupCommand] (ajp--127.0.0.1-8702-4) [5d1a0b44] No permission found for user c5055498-372d-40a4-a233-4a144ac32461 or one of the groups he is member of, when running action AddVdsGroup, Required permissions are: Action type: ADMIN Action group: CREATE_CLUSTER Object type: Data Center  Object ID: 00000002-0002-0002-0002-0000000001da.
2014-09-03 14:20:00,270 WARN  [org.ovirt.engine.core.bll.AddVdsGroupCommand] (ajp--127.0.0.1-8702-4) [5d1a0b44] CanDoAction of action AddVdsGroup failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

Comment 3 Eyal Edri 2015-02-17 17:09:40 UTC
rhev 3.5.0 was released. closing.