Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1018552 - REST-API: role should not be added to user without having a resource in context
Summary: REST-API: role should not be added to user without having a resource in context
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-restapi
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 3.4.0
Assignee: Juan Hernández
QA Contact: Ondra Machacek
URL:
Whiteboard: infra
Depends On: 1064829
Blocks: rhev3.4beta 1142926
TreeView+ depends on / blocked
 
Reported: 2013-10-13 08:35 UTC by Michael Pasternak
Modified: 2016-02-10 19:05 UTC (History)
9 users (show)

Fixed In Version: av2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-12 14:03:35 UTC
oVirt Team: Infra
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
oVirt gerrit 20357 None None None Never
oVirt gerrit 20358 None None None Never

Description Michael Pasternak 2013-10-13 08:35:31 UTC
Description of problem:

today role can be added to user via /roles sub-collection [1],
this design have two issues:

1. it's not restful implementation cause behind the scenes when
added new role to user, permissions automatically applied on the
entire system (user+role=system-permissions) - i.e unrelated /system resource
is involved

2. later on, is truly hard to figure out where from the system permissions
are came, as it not intuitive.

[1] /api/users/xxx/roles


resolution:
==========

1. deprecate role assignment to user (without resource) by:

POST /api/users/xxx/roles

<role id=xxx/>

this collection will be r/o for listing user's roles only.

2. add new root-collection /api/permissions (for displaying system-permissions)

3. allow adding system permissions only via #2

POST /api/permissions

<permission>
  <role id=xxx/>
  <user id=yyy/>
</permission>

Comment 1 Michael Pasternak 2013-10-15 13:10:28 UTC
(In reply to Michael Pasternak from comment #0)
> Description of problem:
> 
> today role can be added to user via /roles sub-collection [1],
> this design have two issues:
> 
> 1. it's not restful implementation cause behind the scenes when
> added new role to user, permissions automatically applied on the
> entire system (user+role=system-permissions) - i.e unrelated /system resource
> is involved
> 
> 2. later on, is truly hard to figure out where from the system permissions
> are came, as it not intuitive.
> 
> [1] /api/users/xxx/roles
> 
> 
> resolution:
> ==========
> 
> 1. deprecate role assignment to user (without resource) by:
> 
> POST /api/users/xxx/roles
> 
> <role id=xxx/>

actually when thinking about this, it's a bug rather than feature,
so we should disallow it.

> 
> this collection will be r/o for listing user's roles only.
> 
> 2. add new root-collection /api/permissions (for displaying
> system-permissions)
> 
> 3. allow adding system permissions only via #2
> 
> POST /api/permissions
> 
> <permission>
>   <role id=xxx/>
>   <user id=yyy/>
> </permission>

Comment 2 Juan Hernández 2013-10-21 11:12:15 UTC
I have submitted two changes for this bug. The first one adds the /api/permissions resource to handle (list, add, remove) system permissions and the second one makes the /api/users/{user:id}/roles resource read only:

  http://gerrit.ovirt.org/20357
  http://gerrit.ovirt.org/20358

Comment 5 Sandro Bonazzola 2014-01-14 08:42:40 UTC
ovirt 3.4.0 alpha has been released

Comment 6 Ondra Machacek 2014-02-17 15:55:52 UTC
1) OK. When running write on this collection error is returned.
   "The specified HTTP method is not allowed for the requested resource."
   GET method is working correctly.

2) url /ovirt-engine/api/permissions/ returns system permissions

3) Failed.

I added user via users-> add user.

Then running:

curl -k -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" \
    -u $ADMIN -d "<permission> <role 
id=\"00000000-0000-0000-0000-000000000001\"/>  <user id=\"b4afc555-cce2-47efb769-c24714c5af2e\"/> </permission>"\
    $URL/permissions

Getting this error:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<fault>
    <reason>Operation Failed</reason>
    <detail>[Internal Engine Error]</detail>
</fault>


engine.log:

2014-02-17 16:52:58,124 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-9) Running command: LoginUserCommand internal: false.
2014-02-17 16:52:58,150 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-9) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin logged in.
2014-02-17 16:52:58,163 INFO  [org.ovirt.engine.core.bll.AddPermissionCommand] (ajp-/127.0.0.1:8702-9) [39d29be6] Running command: AddPermissionCommand internal: false. Entities affected :  ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-02-17 16:52:58,164 ERROR [org.ovirt.engine.core.bll.AddPermissionCommand] (ajp-/127.0.0.1:8702-9) [39d29be6] Command org.ovirt.engine.core.bll.AddPermissionCommand throw exception: java.lang.NullPointerException
	at org.ovirt.engine.core.dao.DbUserDAODbFacadeImpl.getByExternalId(DbUserDAODbFacadeImpl.java:85) [dal.jar:]
	at org.ovirt.engine.core.bll.AddPermissionCommand.executeCommand(AddPermissionCommand.java:94) [bll.jar:]
	at org.ovirt.engine.core.bll.CommandBase.executeWithoutTransaction(CommandBase.java:1123) [bll.jar:]
	at org.ovirt.engine.core.bll.CommandBase.executeActionInTransactionScope(CommandBase.java:1208) [bll.jar:]
	at org.ovirt.engine.core.bll.CommandBase.runInTransaction(CommandBase.java:1884) [bll.jar:]
	at org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInNewTransaction(TransactionSupport.java:210) [utils.jar:]
	at org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInRequired(TransactionSupport.java:149) [utils.jar:]
	at org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInScope(TransactionSupport.java:118) [utils.jar:]
	at org.ovirt.engine.core.bll.CommandBase.execute(CommandBase.java:1228) [bll.jar:]
	at org.ovirt.engine.core.bll.CommandBase.executeAction(CommandBase.java:351) [bll.jar:]
	at org.ovirt.engine.core.bll.Backend.runAction(Backend.java:413) [bll.jar:]
	at org.ovirt.engine.core.bll.Backend.runActionImpl(Backend.java:392) [bll.jar:]
	at org.ovirt.engine.core.bll.Backend.runAction(Backend.java:350) [bll.jar:]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_09-icedtea]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_09-icedtea]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_09-icedtea]
	at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_09-icedtea]
	at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:58) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:374) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.ovirt.engine.core.bll.interceptors.ThreadLocalSessionCleanerInterceptor.injectWebContextToThreadLocal(ThreadLocalSessionCleanerInterceptor.java:13) [bll.jar:]
	at sun.reflect.GeneratedMethodAccessor7.invoke(Unknown Source) [:1.7.0_09-icedtea]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_09-icedtea]
	at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_09-icedtea]
	at org.jboss.as.ee.component.ManagedReferenceLifecycleMethodInterceptorFactory$ManagedReferenceLifecycleMethodInterceptor.processInvocation(ManagedReferenceLifecycleMethodInterceptorFactory.java:123) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:58) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.singleton.SingletonComponentInstanceAssociationInterceptor.processInvocation(SingletonComponentInstanceAssociationInterceptor.java:52) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInNoTx(CMTTxInterceptor.java:259) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.supports(CMTTxInterceptor.java:398) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:242) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.ovirt.engine.core.common.interfaces.BackendLocal$$$view10.runAction(Unknown Source) [common.jar:]
	at org.ovirt.engine.api.restapi.resource.BackendResource.doAction(BackendResource.java:254)
	at org.ovirt.engine.api.restapi.resource.AbstractBackendCollectionResource.doCreateEntity(AbstractBackendCollectionResource.java:246)
	at org.ovirt.engine.api.restapi.resource.AbstractBackendCollectionResource.performCreate(AbstractBackendCollectionResource.java:119)
	at org.ovirt.engine.api.restapi.resource.AbstractBackendCollectionResource.performCreate(AbstractBackendCollectionResource.java:109)
	at org.ovirt.engine.api.restapi.resource.AbstractBackendCollectionResource.performCreate(AbstractBackendCollectionResource.java:128)
	at org.ovirt.engine.api.restapi.resource.BackendAssignedPermissionsResource.add(BackendAssignedPermissionsResource.java:104)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_09-icedtea]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_09-icedtea]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_09-icedtea]
	at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_09-icedtea]
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:216) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec.jar:1.0.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.ovirt.engine.core.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:80) [common.jar:]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:499)
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
	at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:466)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336)
	at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:488)
	at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920)
	at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_09-icedtea]

2014-02-17 16:52:58,173 ERROR [org.ovirt.engine.core.bll.AddPermissionCommand] (ajp-/127.0.0.1:8702-9) [39d29be6] Transaction rolled-back for command: org.ovirt.engine.core.bll.AddPermissionCommand.
2014-02-17 16:52:58,191 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-9) [39d29be6] Correlation ID: 39d29be6, Call Stack: null, Custom Event ID: -1, Message: User admin failed to grant permission for Role SuperUser on System System to User/Group portaluser2.
2014-02-17 16:52:58,191 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (ajp-/127.0.0.1:8702-9) Operation Failed: [Internal Engine Error]
2014-02-17 16:52:58,198 INFO  [org.ovirt.engine.core.bll.LogoutUserCommand] (ajp-/127.0.0.1:8702-9) [34b19ea7] Running command: LogoutUserCommand internal: false.
2014-02-17 16:52:58,216 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-9) [34b19ea7] Correlation ID: 34b19ea7, Call Stack: null, Custom Event ID: -1, Message: User admin logged out.
2014-02-17 16:52:58,231 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-2) Running command: LoginUserCommand internal: false.

Comment 7 Juan Hernández 2014-02-17 16:01:48 UTC
Adding permissions is currently failing in general, not only here, see bug 1064829. Once that is fixed you should be able to verify this.

Comment 8 Sandro Bonazzola 2014-02-19 13:41:49 UTC
This bug should be fixed in ovirt-3.4.0-beta3 but it has already a fixed-in-version set and is in state modified instead of ON_QA.
Assignee please fix the bug status and consider adding a reference to ovirt 3.4.0 release notes page if relevant.

Comment 9 Juan Hernández 2014-02-19 14:19:30 UTC
This bug was actually fixed in ovirt-3.4.0-alpha1, as described in fixed-in-version. It can't be tested because bug 1064829 prevents it, and that isn't fixed yet. So it can't be moved to ON_QA, as it would fail again. We can only move to ON_QA when we do a release containing the fix for bug 1064829.

Comment 10 Itamar Heim 2014-06-12 14:03:35 UTC
Closing as part of 3.4.0


Note You need to log in before you can comment on or make changes to this bug.