Bug 1511697 - [RFE] Unable to set permission on all but Hosted-Engine VM and Storage Domain
Summary: [RFE] Unable to set permission on all but Hosted-Engine VM and Storage Domain
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.1.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.3.1
: 4.3.0
Assignee: Eli Mesika
QA Contact: Petr Matyáš
Depends On:
Blocks: CEECIR_RHV43_proposed
Reported: 2017-11-09 22:05 UTC by Andrea Perotti
Modified: 2020-04-27 00:35 UTC (History)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Previously, an administrator with the `ClusterAdmin` role was able to modify the self-hosted engine virtual machine, which could cause damage. In the current release, only a `SuperUser` can modify a self-hosted engine and its storage domain.
Clone Of:
Last Closed:
oVirt Team: Infra
Target Upstream Version:

Attachments (Terms of Use)

System: oVirt gerrit | ID: 97689 | Branch: master | Status: MERGED | Summary: core: Allow operations on HE VM/SD only to SU | Last Updated: 2019-02-21 10:51:42 UTC

Description Andrea Perotti 2017-11-09 22:05:51 UTC
Description of problem:
When setting up permissions for a group of users that should manage/offer support on VMs running on RHV but must NOT be admins of the whole infra, it is not possible to define permissions that apply to all VMs and Storage Domains except the Hosted-Engine ones.

A typical 1st level support team should perform just following operations:
• Login to Administration portal
• Creating, editing and removing vNICs for all VMs (SHE excluded)
• Full "BASIC OPERATION" (start, poweroff, suspend, reboot etc.) for all VMs (SHE excluded)
• Editing properties (hot plug/unplug vCPU, RAM etc.) for all VMs (SHE excluded)
• Creating, adding, attaching, detaching, removing, deleting and editing properties (size, alias, description etc.) of vDISKS for all VMs (SHE excluded, so also the master_hosted_engine storage domain)

So they should absolutely not be able to manage the SHE VM and its master_hosted_engine storage domain (only Superuser must be able to).

This is not currently possible, because if the permissions are given at system level, they apply to ALL objects, including SHE and its SD.

That granularity level can be reached by setting the permissions VM by VM, but from an operations PoV this is not a viable option.

The request here is to make SHE a special object with dedicated permissions, or to exclude SHE and its SD by default when declaring permissions at system level.

Version-Release number of selected component (if applicable):
RHV 4.1.x
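The following is an added example, not code from the bug reporter or from ovirt-engine. It models the behaviour described above: roles granted at system scope are inherited by every object below it, so a `ClusterAdmin` grant reaches the hosted-engine VM and its storage domain. It then shows the rule the merged change implements in simplified form (operations on hosted-engine objects allowed only to `SuperUser`). Object names, the role-to-action table and the `hosted_engine` flag are constructed for the example; the real engine's permission model is far richer.

```python
"""Simplified model of inherited permissions and the hosted-engine exception.

Constructed example: role names follow oVirt, but the action set and the
object hierarchy are illustrative only.
"""
from dataclasses import dataclass
from typing import Optional

SUPER_USER = "SuperUser"
CLUSTER_ADMIN = "ClusterAdmin"

# Constructed subset of actions each role grants. The point of the example is
# scope inheritance, not the exact oVirt action list.
ROLE_ACTIONS = {
    SUPER_USER: {"vm.start", "vm.stop", "vm.edit", "vm.nic.edit", "disk.edit", "sd.edit"},
    CLUSTER_ADMIN: {"vm.start", "vm.stop", "vm.edit", "vm.nic.edit", "disk.edit", "sd.edit"},
}


@dataclass(frozen=True)
class Obj:
    name: str
    kind: str                      # "system", "datacenter", "cluster", "vm", "sd"
    parent: Optional["Obj"] = None
    hosted_engine: bool = False    # True for the SHE VM and its storage domain


@dataclass(frozen=True)
class Permission:
    principal: str   # user or group name
    role: str
    scope: Obj       # object the role was granted on


def ancestors(obj: Obj):
    """Yield obj, then each parent up to the system root."""
    while obj is not None:
        yield obj
        obj = obj.parent


def roles_for(principal: str, obj: Obj, permissions) -> set:
    """Roles reaching obj: granted on obj itself or on any ancestor (inheritance)."""
    chain = set(ancestors(obj))
    return {p.role for p in permissions if p.principal == principal and p.scope in chain}


def is_allowed(principal: str, action: str, obj: Obj, permissions,
               protect_hosted_engine: bool) -> bool:
    """Access check.

    protect_hosted_engine=False reproduces the behaviour reported in the bug;
    True applies the rule of the fix: hosted-engine objects need SuperUser.
    """
    roles = roles_for(principal, obj, permissions)
    if protect_hosted_engine and obj.hosted_engine and SUPER_USER not in roles:
        return False
    return any(action in ROLE_ACTIONS.get(role, set()) for role in roles)


# Constructed inventory: system -> datacenter -> cluster -> VMs; SDs under the DC.
SYSTEM = Obj("system", "system")
DC = Obj("Default", "datacenter", SYSTEM)
CLUSTER = Obj("Default", "cluster", DC)
VM_APP = Obj("app01", "vm", CLUSTER)
VM_HE = Obj("HostedEngine", "vm", CLUSTER, hosted_engine=True)
SD_DATA = Obj("data", "sd", DC)
SD_HE = Obj("hosted_storage", "sd", DC, hosted_engine=True)

# The setup the reporter wants: one system-level grant for the support group.
PERMISSIONS = [
    Permission("support-l1", CLUSTER_ADMIN, SYSTEM),
    Permission("admin", SUPER_USER, SYSTEM),
]


def summary(protect_hosted_engine: bool) -> dict:
    """Which objects the support group may edit under a given policy."""
    return {
        obj.name: is_allowed("support-l1", "vm.edit" if obj.kind == "vm" else "sd.edit",
                             obj, PERMISSIONS, protect_hosted_engine)
        for obj in (VM_APP, VM_HE, SD_DATA, SD_HE)
    }


if __name__ == "__main__":
    print("before fix:", summary(False))   # HostedEngine and hosted_storage reachable
    print("after fix: ", summary(True))    # only app01 and data reachable
```

Running the module shows the system-level `ClusterAdmin` grant reaching `HostedEngine` and `hosted_storage` when the exception is off, while the `admin` user (SuperUser) keeps access in both modes; that is the asymmetry the Doc Text above describes.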

Comment 1 Yaniv Kaul 2017-11-09 22:14:39 UTC
We have not yet released 4.1.9.
Which version is it?

Comment 12 Martin Perina 2017-12-08 13:41:31 UTC
We are still evaluating possible technical solutions to this issue. When done we will target the bug to relevant release.

Comment 13 Olimp Bockowski 2018-09-13 08:12:22 UTC
Hello Martin,
nearly 1 year later, what is the plan?

Comment 15 Martin Perina 2019-02-05 13:00:02 UTC
Removing devel_ack+; we are still discussing how this could be achieved.

Comment 18 Petr Matyáš 2019-02-25 11:42:12 UTC
Verified on ovirt-engine-
