Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1684942 - VM Portal shows all VMs to all users, "Everyone" role cannot be removed from Admin Portal
Summary: VM Portal shows all VMs to all users, "Everyone" role cannot be removed from ...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-web-ui
Version: 4.2.0
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: ---
: ---
Assignee: Greg Sheremeta
QA Contact: Lukas Svaty
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-03 23:24 UTC by Robert McSwain
Modified: 2019-03-04 14:32 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-04 14:32:55 UTC
oVirt Team: Infra
Target Upstream Version:


Attachments (Terms of Use)

Description Robert McSwain 2019-03-03 23:24:47 UTC
Description of problem:
Using Active Directory for authentication, all users can see all other users' VMs in the User Portal. This is making it difficult for the end users to determine which VM should be theirs. 

When looking at the VM's Permissions page (https://FQDN/ovirt-engine/webadmin/#vms-permissions;name=VM-NAME) the Remove option is greyed out for the "Everyone" user, which is presumably what is allowing all users to see all VMs. 

Version-Release number of selected component (if applicable):
rhvm-4.2.8.3-0.1.el7ev.noarch

How reproducible:
100% 

Steps to Reproduce:
1. Visit https://FQDN/ovirt-engine/webadmin/#vms-permissions;name=VM-NAME
2. Attempt to remove the "Everyone" user
3. See the "Remove" button on the right is greyed out

Actual results:
All users can see all VMs on the VM Portal, regardless of permissions assigned.

Expected results:
VMs should not inherit "Everyone" user upon creation and users should only see the VMs assigned to them.

Comment 1 Robert McSwain 2019-03-03 23:28:37 UTC
Error: "Error while executing action: It's not allowed to remove system permissions assigned to built-in Everyone group"

Customer notes:

"in this case if our users can saw all the VM when they login to user portal how the user know which VM is yours. we need that the user only can see his own VM

that the users can saw all the VM is impacting our prodution environment , the user not have idea which VM choose so the user dial to the help desk in order to ask to help desk which VM need to choose,  we have 620 users.  you can imagine the calls that Help desk  is trying to solve, i think you would be agree  that kind of situtation  is not normal, so i really appreciate your help us with the issue"

Comment 5 Greg Sheremeta 2019-03-04 00:11:30 UTC
Everyone is being inherited from (System). System should not have Everyone on it.

Comment 6 Greg Sheremeta 2019-03-04 00:14:15 UTC
See also https://bugzilla.redhat.com/show_bug.cgi?id=1656794

Comment 8 Robert McSwain 2019-03-04 14:29:23 UTC
This was resolved using the following plan. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
From the database, we observed that you were having multiple roles with Everyone tag shown as below:-

engine=> select id,role_name,role_id from permissions_view where owner_name='Everyone';
                  id                  |     role_name     |               role_id                
--------------------------------------+-------------------+--------------------------------------
 2f4810bd-2b2a-416b-878e-1ee69e3757d6 | UserRole          | 00000000-0000-0000-0001-000000000001
 577079fa-3d9c-423b-9ec3-171d51ddd38c | TagManager        | def00011-0000-0000-0000-def000000013
 58ca605c-010d-0307-0224-0000000001a9 | UserProfileEditor | def00021-0000-0000-0000-def000000015  >>> Default one which is required. 
 ace55fe8-b35b-42cd-ba89-6b9825360d5d | VMBasic           | 42994541-1728-464f-a248-bee8c2b7dca0
(4 rows)

Below is the list of roles which we removed from the database:-

2f4810bd-2b2a-416b-878e-1ee69e3757d6
577079fa-3d9c-423b-9ec3-171d51ddd38c
ace55fe8-b35b-42cd-ba89-6b9825360d5d


engine=> select * from roles where id in ('00000000-0000-0000-0001-000000000001','def00011-0000-0000-0000-def000000013','42994541-1728-464f-a248-bee8c2b7dca0');
                  id                  |    name    |    description     | is_readonly | role_type | allows_viewing_children | app_mode 
--------------------------------------+------------+--------------------+-------------+-----------+-------------------------+----------
 00000000-0000-0000-0001-000000000001 | UserRole   | Standard User Role | t           |         2 | t                       |        1
 def00011-0000-0000-0000-def000000013 | TagManager | Tag Manager        | t           |         1 | f                       |      255
 42994541-1728-464f-a248-bee8c2b7dca0 | VMBasic    | uso minimo         | f           |         2 | t                       |      255
(3 rows)


The everyone role must have added earlier, but now we have removed the functionality of adding and removing the everyone user role from admin portal so it was failing from UI.

We did database changes and then we removed the unwanted roles by taking reference of our test setup and comparing it with your database.

After removing the above roles we checked by login using test user into VM portal and we saw only 1 VM on which we gave permissions to the test user.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Comment 9 Greg Sheremeta 2019-03-04 14:32:55 UTC
thanks.


Note You need to log in before you can comment on or make changes to this bug.