We need a way to understand what permissions on what entities are missing/required for a certain operation. Currently the outcome is that everyone is either a PowerUser (for even the most basic usage) or Admin (for anything as small as uploading an ISO to an ISO domain). I think we need generic logging of which entities and which permissions the code has gone through when something fails. (I think just logging it in engine.log is ok.) This should help admins understand and troubleshoot what permissions they should assign for each operation.
It would be great if we can build the list of entities and permissions we checked on the way and log it when it eventually fails. It needs to be an INFO level log, not DEBUG, as an admin would want to troubleshoot why someone is not able to do something.
There is now information in the log about what permission is needed on what object:

2014-09-03 14:20:00,267 INFO [org.ovirt.engine.core.bll.AddVdsGroupCommand] (ajp--127.0.0.1-8702-4) [5d1a0b44] No permission found for user c5055498-372d-40a4-a233-4a144ac32461 or one of the groups he is member of, when running action AddVdsGroup, Required permissions are: Action type: ADMIN Action group: CREATE_CLUSTER Object type: Data Center Object ID: 00000002-0002-0002-0002-0000000001da.
2014-09-03 14:20:00,270 WARN [org.ovirt.engine.core.bll.AddVdsGroupCommand] (ajp--127.0.0.1-8702-4) [5d1a0b44] CanDoAction of action AddVdsGroup failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
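The two engine.log lines quoted above are what an admin has to work from when deciding which role to assign. The following is an added example (not oVirt code, and not part of this bug) that turns such lines into structured records: it parses the INFO "No permission found" entry for the user, action, action type, action group, object type and object ID, pairs it with the WARN CanDoAction failure that carries the same correlation id, and summarises which action groups each user is missing on which object. The sample log is constructed from the quoted lines plus one unrelated entry; the helper names (parse_denials, summarize) and the exact log layout regexes are assumptions based only on those lines.

```python
"""Extract 'No permission found' records from oVirt engine.log text.

Added example, not oVirt code. Assumes the layout seen in the bug's quoted
lines: "<timestamp> <LEVEL> [<logger>] (<thread>) [<correlation id>] <message>".
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample: the two lines quoted in the bug plus one unrelated line,
# which shows that non-matching entries are ignored.
SAMPLE_LOG = """\
2014-09-03 14:20:00,267 INFO [org.ovirt.engine.core.bll.AddVdsGroupCommand] (ajp--127.0.0.1-8702-4) [5d1a0b44] No permission found for user c5055498-372d-40a4-a233-4a144ac32461 or one of the groups he is member of, when running action AddVdsGroup, Required permissions are: Action type: ADMIN Action group: CREATE_CLUSTER Object type: Data Center Object ID: 00000002-0002-0002-0002-0000000001da.
2014-09-03 14:20:00,270 WARN [org.ovirt.engine.core.bll.AddVdsGroupCommand] (ajp--127.0.0.1-8702-4) [5d1a0b44] CanDoAction of action AddVdsGroup failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2014-09-03 14:21:11,000 INFO [org.ovirt.engine.core.bll.RunVmCommand] (ajp--127.0.0.1-8702-5) [1a2b3c4d] Running command: RunVmCommand internal: false.
"""

# Outer line structure (assumed from the quoted lines).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) "
    r"\[(?P<corr>[^\]]+)\] (?P<msg>.*)$"
)
# The INFO message that lists the missing permission.
DENIED_RE = re.compile(
    r"No permission found for user (?P<user>[0-9a-f-]{36}) .*?"
    r"when running action (?P<action>\w+), Required permissions are: "
    r"Action type: (?P<atype>\w+) Action group: (?P<agroup>\w+) "
    r"Object type: (?P<otype>.+?) Object ID: (?P<oid>[0-9a-f-]{36})\.?$"
)
# The WARN message that reports the CanDoAction failure.
FAILED_RE = re.compile(
    r"CanDoAction of action (?P<action>\w+) failed\. Reasons:(?P<reasons>.*)$"
)


@dataclass
class PermissionDenial:
    timestamp: str
    correlation_id: str
    user: str
    action: str
    action_type: str
    action_group: str
    object_type: str
    object_id: str
    failure_reasons: List[str] = field(default_factory=list)


def parse_denials(log_text: str) -> List[PermissionDenial]:
    """Return one PermissionDenial per 'No permission found' line, with the
    CanDoAction failure reasons attached when a WARN line with the same
    correlation id and action follows it."""
    denials: List[PermissionDenial] = []
    by_corr: Dict[str, PermissionDenial] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # stack-trace or continuation lines carry no header
        corr, msg = m.group("corr"), m.group("msg")
        d = DENIED_RE.search(msg)
        if d:
            rec = PermissionDenial(
                timestamp=m.group("ts"), correlation_id=corr,
                user=d.group("user"), action=d.group("action"),
                action_type=d.group("atype"), action_group=d.group("agroup"),
                object_type=d.group("otype"), object_id=d.group("oid"),
            )
            denials.append(rec)
            by_corr[corr] = rec
            continue
        f = FAILED_RE.search(msg)
        if f and corr in by_corr and by_corr[corr].action == f.group("action"):
            by_corr[corr].failure_reasons = [
                r.strip() for r in f.group("reasons").split(",") if r.strip()
            ]
    return denials


def summarize(denials: List[PermissionDenial]) -> Dict[Tuple[str, str, str], Set[str]]:
    """Group denials by (user, object type, object id) -> required action groups."""
    needed: Dict[Tuple[str, str, str], Set[str]] = {}
    for d in denials:
        key = (d.user, d.object_type, d.object_id)
        needed.setdefault(key, set()).add(f"{d.action_group} ({d.action_type})")
    return needed


if __name__ == "__main__":
    for (user, otype, oid), groups in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"user {user} needs {', '.join(sorted(groups))} on {otype} {oid}")
```

Run against a real engine.log by replacing SAMPLE_LOG with the file contents; the correlation id is what ties the INFO line to the WARN line, so a denial whose WARN entry was lost (log rotation, a different thread) is still reported, just with an empty failure_reasons list.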
RHEV 3.5.0 was released. Closing.