Bug 1104233 - VM Pools do not properly inherit admin roles in the admin portal
Summary: VM Pools do not properly inherit admin roles in the admin portal
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-webadmin-portal
Version: 3.3.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.5.0
Assignee: Shahar Havivi
QA Contact: Pavel Novotny
URL:
Whiteboard: virt
Depends On:
Blocks: rhev3.5beta 1156165
Reported: 2014-06-03 14:50 UTC by Jake Hunsaker
Modified: 2018-12-05 18:48 UTC (History)

Fixed In Version: ovirt-engine-3.5.0_beta
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-11 18:03:27 UTC
oVirt Team: ---
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0158 normal SHIPPED_LIVE Important: Red Hat Enterprise Virtualization Manager 3.5.0 2015-02-11 22:38:50 UTC
oVirt gerrit 28766 master MERGED db: Template admin don't get permission to add permissions Never

Description Jake Hunsaker 2014-06-03 14:50:37 UTC
Description of problem:

For VM pools, if a user in the admin portal (aside from admin@internal) does not have the 'TemplateAdmin' and 'VmPoolAdmin' roles assigned explicitly on that pool, the user is given permission denied errors when trying to add other permissions to the pool.

If the user has admin roles such as the above, or SuperUser/ClusterAdmin/etc. roles assigned to a cluster or data center, those roles *appear* to be inherited to the pool (they display properly in the permissions tab); however, they do not actually give the user the permissions they imply - the same "Permission denied" error is generated.



Version-Release number of selected component (if applicable):

Tested on rhevm-3.3.2-0.50

How reproducible:
Always

Steps to Reproduce:
1. Assign the 'TemplateAdmin' and 'VmPoolAdmin' roles to a user on a cluster or data center
2. Using that user (not admin@internal) try to add permissions to a VM pool (for example adding the UserRole to another user)

Actual results:

User is given a permission denied error until the TemplateAdmin and VmPoolAdmin roles are assigned explicitly on the pool the user is attempting to modify

Expected results:

Pool should properly inherit the roles from the higher-level cluster/data center 

Additional info:

It also appears that setting SuperUser on a cluster or data center results in the same errors until the role (or the TemplateAdmin and VmPoolAdmin roles) is assigned explicitly on the pool to be modified. This is also incorrect behavior.

Comment 1 Jake Hunsaker 2014-06-03 14:53:36 UTC
I should probably clarify on the points of the cluster/data center permissions. The VM Pool *is* inside the cluster/data center for which the user has SuperUser/TemplateAdmin/VmPoolAdmin roles assigned.

Comment 2 Pavel Novotny 2014-08-12 13:03:55 UTC
Verified upstream in ovirt-engine-3.5.0-0.0.master.20140804172041.git23b558e.el6.noarch (rc1).

Verification steps:
1. As a super-user, add roles 'TemplateAdmin' and 'VmPoolAdmin' on a data center or cluster (containing a VM pool) to user user1@ipa.domain.org
2. Log into Webadmin as user1@ipa.domain.org
3. Assign on the VM pool role 'UserRole' to user user2@ipa.domain.org

Result: success, role UserRole on the VM pool is successfully assigned by user1@ to user2@
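
The mismatch described in the report and checked in the verification steps above, as an added example that is not part of the bug report and is not oVirt code: a toy model of scoped role inheritance in which an audit lists roles that are displayed as inherited on an object but are not honoured by the enforcement check. The hierarchy, the `add_permission` action name, the role-to-action mapping and the grants are constructed assumptions.

```python
"""Toy model of scoped role inheritance: data center > cluster > VM pool."""

PARENT = {"pool-1": "cluster-1", "cluster-1": "dc-1", "dc-1": None}  # constructed

# Assumed role-to-action mapping; only the action from the report is modelled.
ROLE_ACTIONS = {"SuperUser": {"add_permission"}, "TemplateAdmin": {"add_permission"},
                "VmPoolAdmin": {"add_permission"}, "UserRole": set()}


def scope_chain(obj):
    """Yield obj, then each enclosing container up to the root."""
    while obj is not None:
        yield obj
        obj = PARENT[obj]


def displayed_roles(grants, user, obj):
    """Roles a permissions tab would list: direct plus inherited grants."""
    chain = set(scope_chain(obj))
    return {(role, where) for (u, role, where) in grants if u == user and where in chain}


def check_direct_only(grants, user, obj, action):
    """Reported behaviour: only grants made on the object itself count."""
    return any(u == user and where == obj and action in ROLE_ACTIONS[role]
               for (u, role, where) in grants)


def check_inherited(grants, user, obj, action):
    """Expected behaviour: a grant on any enclosing container counts."""
    return any(action in ROLE_ACTIONS[role]
               for (role, _where) in displayed_roles(grants, user, obj))


def audit(grants, check, action="add_permission"):
    """List (user, object, role, granted_on) shown as effective but denied by check."""
    findings = []
    for user in sorted({u for (u, _r, _w) in grants}):
        for obj in PARENT:
            if check(grants, user, obj, action):
                continue
            findings += [(user, obj, role, where)
                         for (role, where) in sorted(displayed_roles(grants, user, obj))
                         if action in ROLE_ACTIONS[role]]
    return findings


# Constructed grants mirroring the reproduction steps.
GRANTS = {("user1", "TemplateAdmin", "dc-1"), ("user1", "VmPoolAdmin", "dc-1")}
```

An empty result from `audit` means every role shown on an object is also enforced there; any finding is a display/enforcement disagreement of the kind reported here.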

Comment 4 errata-xmlrpc 2015-02-11 18:03:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html

