Bug 1102801 - Query execution failed due to insufficient permissions while run GET VM info using user portal credentials
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-restapi
Version: 3.4.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.5.0
Assignee: Juan Hernández
QA Contact: Pavel Novotny
URL:
Whiteboard: virt
Depends On:
Blocks: rhev3.5beta 1156165
Reported: 2014-05-29 14:56 UTC by Yuri Obshansky
Modified: 2015-02-17 08:28 UTC (History)

Fixed In Version: ovirt-3.5.0-beta1.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-17 08:28:46 UTC
oVirt Team: ---
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
oVirt gerrit 29941 master MERGED core: Make GetVmsInit query accessible to users Never
oVirt gerrit 30011 ovirt-engine-3.5 MERGED core: Make GetVmsInit query accessible to users Never

Description Yuri Obshansky 2014-05-29 14:56:14 UTC
Description of problem:
"Query execution failed due to insufficient permissions" occurs in RHEVM engine.log while performing a REST API GET of VM info, in spite of the response being OK.

Version-Release number of selected component (if applicable):
RHEVM: 3.4.0-0.16.rc.el6ev

How reproducible:
100%

Steps to Reproduce:
1. Run REST API Request
GET https://****/api/vms
Request Headers:
Connection: keep-alive
Session-TTL: 360
Accept-Language: en-US,en;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131023 Firefox/17.0
Referer: ****/UserPortal/org.ovirt.engine.ui.userportal.UserPortal/UserPortal.html?locale=en_US
Accept-Encoding: gzip, deflate
Prefer: persistent-auth
Authorization: Basic *****
Filter: true

Actual results:
Error occurs in RHEVM engine.log ->
2014-05-29 09:28:08,230 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-79) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User scale-1 logged in.
2014-05-29 09:28:08,281 ERROR [org.ovirt.engine.core.bll.GetVmsInitQuery] (ajp-/127.0.0.1:8702-79) Query execution failed due to insufficient permissions.


Expected results:
No error

Additional info:

Comment 1 Juan Hernández 2014-06-03 13:38:11 UTC
I think that we need to make the GetVmsInit query accessible to users, something like this:

diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java b/backend/manager/modu
index 0480b74..26532a9 100644
--- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java
+++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java
@@ -26,7 +26,7 @@ public enum VdcQueryType implements Serializable {
     GetVmsByVnicProfileId,
     GetTemplatesByVnicProfileId,
     GetVirtioScsiControllers(VdcQueryAuthType.User),
-    GetVmsInit,
+    GetVmsInit(VdcQueryAuthType.User),
     GetVmNextRunConfiguration(VdcQueryAuthType.User),
     GetVmUpdatesOnNextRunExists(VdcQueryAuthType.User),
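
Review bot: At the changed line `GetVmsInit(VdcQueryAuthType.User)`, the hunk widens who may run the query but shows nothing about how the query scopes its results. Before merging, confirm that GetVmsInitQuery returns initialization data only for VMs the calling user has permission on, and state that in the commit message. The neighbouring entries (GetVirtioScsiControllers, GetVmNextRunConfiguration) already carry the same auth type, so the enum change itself is consistent with the surrounding code.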

Shahar, can you confirm?

Comment 2 Shahar Havivi 2014-06-05 06:56:19 UTC
(In reply to Juan Hernández from comment #1)
> Shahar, can you confirm?
Ack

Comment 3 Juan Hernández 2014-07-11 11:36:06 UTC
Note that the attached patch allows access to the query, but that query is only used if the "Filter: true" header is used, so in addition to the fix the caller needs to add that header to the request.

Comment 4 Juan Hernández 2014-07-14 08:51:41 UTC
The fix for this issue has been merged into the upstream 3.5 branch, so it will be available downstream with the next rebase.

Comment 5 Pavel Novotny 2014-08-12 11:54:47 UTC
Verified upstream in ovirt-engine-3.5.0-0.0.master.20140804172041.git23b558e.el6.noarch (rc1).

GET request (see comment 0) as a regular user works. No errors about insufficient permissions to execute query occurred in the engine log.

# Authorization header carries the credentials of a regular user (a user@domain.org)
curl -A "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131023 Firefox/17.0" \
-e "https://instance1.ovirt.org/ovirt-engine/userportal/" \
-H "Connection: keep-alive" \
-H "Session-TTL: 360" \
-H "Accept-Language: en-US,en;q=0.5" \
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" \
-H "Prefer: persistent-auth" \
-H "Authorization: Basic ***" \
-H "Filter: true" \
https://instance1.ovirt.org/ovirt-engine/api/vms/

Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<vms>
    <vm href="/ovirt-engine/api/vms/5d4f3c8a-7514-400d-a0f7-5c6c51178ba8" id="5d4f3c8a-7514-400d-a0f7-5c6c51178ba8">
...
...
</vms>
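
The engine.log check used for verification above, as an added example that is not part of the original bug report or of oVirt: it finds the permission error shown in the description and attributes each hit to the user who logged in on the same worker thread. The thread-plus-time-window attribution, the function name and the last two sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Layout of the two engine.log lines quoted in the description:
# timestamp, level, [logger class], (worker thread), message.
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) +(\w+) +\[([\w.$]+)\] \(([^)]*)\) (.*)$")
LOGIN = re.compile(r"Message: User (\S+) logged in\.")
DENIED = "Query execution failed due to insufficient permissions."

def find_denied_queries(lines, window=timedelta(seconds=5)):
    """Return (timestamp, query class, user) for each denied query.

    The user is the last login on the same worker thread within `window`
    (an assumed heuristic: threads are pooled, so an older login is not
    trusted and the user is reported as None).
    """
    last_login = {}  # thread name -> (time, user)
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack traces and wrapped lines
        stamp, level, logger, thread, msg = m.groups()
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S,%f")
        login = LOGIN.search(msg)
        if login:
            last_login[thread] = (when, login.group(1))
        elif level == "ERROR" and msg == DENIED:
            seen = last_login.get(thread)
            user = seen[1] if seen and when - seen[0] <= window else None
            findings.append((stamp, logger.rsplit(".", 1)[-1], user))
    return findings

# The first two lines are from the report; the last two are constructed.
AUDIT = "org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector"
QUERY = "org.ovirt.engine.core.bll.GetVmsInitQuery"
SAMPLE = [
    f"2014-05-29 09:28:08,230 INFO [{AUDIT}] (ajp-/127.0.0.1:8702-79) Correlation ID: null,"
    " Call Stack: null, Custom Event ID: -1, Message: User scale-1 logged in.",
    f"2014-05-29 09:28:08,281 ERROR [{QUERY}] (ajp-/127.0.0.1:8702-79) {DENIED}",
    f"2014-05-29 09:30:00,000 ERROR [{QUERY}] (ajp-/127.0.0.1:8702-12) {DENIED}",
    f"2014-05-29 09:40:00,000 ERROR [{QUERY}] (ajp-/127.0.0.1:8702-79) {DENIED}",
]

if __name__ == "__main__":
    for finding in find_denied_queries(SAMPLE):
        print(finding)
```

An empty result over the log window covering the test request corresponds to the "no errors" outcome reported in the verification.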

Comment 6 Omer Frenkel 2015-02-17 08:28:46 UTC
RHEV-M 3.5.0 has been released

