Bug 1121617 - permissions logging
Summary: permissions logging
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-webadmin-portal
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.5.0
Assignee: Piotr Kliczewski
QA Contact: Ondra Machacek
Whiteboard: infra
Depends On:
Blocks: rhev3.5beta 1156165
Reported: 2014-07-21 11:49 UTC by Michal Skrivanek
Modified: 2016-02-10 19:18 UTC

Fixed In Version: ovirt-3.5.0_rc1.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-02-17 17:09:40 UTC
oVirt Team: Infra
Target Upstream Version:


System ID Priority Status Summary Last Updated
oVirt gerrit 30757 master MERGED core: Enhanced permissions logging Never
oVirt gerrit 31175 ovirt-engine-3.5 MERGED core: Enhanced permissions logging Never

Description Michal Skrivanek 2014-07-21 11:49:54 UTC
We need a way to understand what permissions on what entities are missing/required for a certain operation. Currently the outcome is that everyone is either a PowerUser (for even the most basic usage) or Admin (for anything as small as uploading iso to iso domain). I think we need generic logging of which entities and which permissions the code has gone through when something fails. (I think just logging it in engine.log is ok)

This should help admins to understand and troubleshoot what permissions they should assign for each operation.

Comment 1 Michal Skrivanek 2014-07-29 14:41:35 UTC
It would be great if we could build the list of entities and permissions we checked on the way and log it when it eventually fails. It needs to be an info level log, not debug, as an admin would want to troubleshoot why someone is not able to do something.

Comment 2 Ondra Machacek 2014-09-03 12:21:45 UTC
There is now information in the log about what perm is needed on what object.

2014-09-03 14:20:00,267 INFO  [org.ovirt.engine.core.bll.AddVdsGroupCommand] (ajp-- [5d1a0b44] No permission found for user c5055498-372d-40a4-a233-4a144ac32461 or one of the groups he is member of, when running action AddVdsGroup, Required permissions are: Action type: ADMIN Action group: CREATE_CLUSTER Object type: Data Center  Object ID: 00000002-0002-0002-0002-0000000001da.
2014-09-03 14:20:00,270 WARN  [org.ovirt.engine.core.bll.AddVdsGroupCommand] (ajp-- [5d1a0b44] CanDoAction of action AddVdsGroup failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
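
Added example, not part of the bug report or of oVirt's code: a small Python parser that turns the INFO message quoted in Comment 2 into a per-user list of missing permissions, which is the troubleshooting use the report asks for. The function names are hypothetical, the field layout is taken only from the single line shown above, and support for several permissions in one message is an assumption.

```python
import re
from collections import defaultdict

# Sample input: the two engine.log lines quoted in Comment 2, copied as they appear on the page.
SAMPLE_LOG = """\
2014-09-03 14:20:00,267 INFO  [org.ovirt.engine.core.bll.AddVdsGroupCommand] (ajp-- [5d1a0b44] No permission found for user c5055498-372d-40a4-a233-4a144ac32461 or one of the groups he is member of, when running action AddVdsGroup, Required permissions are: Action type: ADMIN Action group: CREATE_CLUSTER Object type: Data Center  Object ID: 00000002-0002-0002-0002-0000000001da.
2014-09-03 14:20:00,270 WARN  [org.ovirt.engine.core.bll.AddVdsGroupCommand] (ajp-- [5d1a0b44] CanDoAction of action AddVdsGroup failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
"""

UUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
HEADER = re.compile(
    rf"No permission found for user (?P<user>{UUID}).*?"
    r"when running action (?P<action>\w+), Required permissions are:(?P<perms>.*)$"
)
# One required permission = four labelled fields. Assumption: a message may list several.
PERM = re.compile(
    r"Action type:\s*(?P<action_type>\S+)\s+"
    r"Action group:\s*(?P<action_group>\S+)\s+"
    r"Object type:\s*(?P<object_type>.+?)\s+"
    rf"Object ID:\s*(?P<object_id>{UUID})"
)

def parse_denials(log_text):
    """Return one dict per (denial, required permission) found in the log text."""
    rows = []
    for line in log_text.splitlines():
        head = HEADER.search(line)
        if not head:
            continue  # e.g. the follow-up WARN line carries no permission detail
        for perm in PERM.finditer(head["perms"]):
            rows.append({"user": head["user"], "action": head["action"], **perm.groupdict()})
    return rows

def missing_by_user(rows):
    """Group distinct (action group, object type, object ID) requirements per user ID."""
    needed = defaultdict(set)
    for r in rows:
        needed[r["user"]].add((r["action_group"], r["object_type"], r["object_id"]))
    return dict(needed)

if __name__ == "__main__":
    for user, perms in missing_by_user(parse_denials(SAMPLE_LOG)).items():
        for group, otype, oid in sorted(perms):
            print(f"user {user} needs {group} on {otype} {oid}")
```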

Comment 3 Eyal Edri 2015-02-17 17:09:40 UTC
rhev 3.5.0 was released. closing.
