1121617 – permissions logging

Bug 1121617 - permissions logging

Summary: permissions logging

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	ovirt-engine-webadmin-portal
Sub Component:
Version:	3.5.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	3.5.0
Assignee:	Piotr Kliczewski
QA Contact:	Ondra Machacek
Docs Contact:
URL:
Whiteboard:	infra
Depends On:
Blocks:	rhev3.5beta 1156165
TreeView+	depends on / blocked

Reported:	2014-07-21 11:49 UTC by Michal Skrivanek
Modified:	2016-02-10 19:18 UTC (History)
CC List:	10 users (show)
Fixed In Version:	ovirt-3.5.0_rc1.1
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-02-17 17:09:40 UTC
oVirt Team:	Infra
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
oVirt gerrit	30757	0	master	MERGED	core: Enhanced permissions logging	Never
oVirt gerrit	31175	0	ovirt-engine-3.5	MERGED	core: Enhanced permissions logging	Never

Description Michal Skrivanek 2014-07-21 11:49:54 UTC

We need a way how to understand what permissions on
what entities are missing/required for a certain operation. 
Currently the outcome is that everyone is either a PowerUser (for even the most basic usage) or Admin (for anything as small as uploading iso to iso domain). I
think we need a generic logging of which entities and which permissions has
the code gone through when something fails. (I think just logging it in
engine.log is ok)

This should help admins to understand and troubleshoot what permissions they should assign for each operation

Comment 1 Michal Skrivanek 2014-07-29 14:41:35 UTC

It would be great if we can build the list of entities and permissions we checked on the way and log it when it eventually fails. It needs to be an info level log, not debug as admin would want to troubleshoot why is someone not able to do something.

Comment 2 Ondra Machacek 2014-09-03 12:21:45 UTC

There is now information in log what perm is needed on what object.

2014-09-03 14:20:00,267 INFO  [org.ovirt.engine.core.bll.AddVdsGroupCommand] (ajp--127.0.0.1-8702-4) [5d1a0b44] No permission found for user c5055498-372d-40a4-a233-4a144ac32461 or one of the groups he is member of, when running action AddVdsGroup, Required permissions are: Action type: ADMIN Action group: CREATE_CLUSTER Object type: Data Center  Object ID: 00000002-0002-0002-0002-0000000001da.
2014-09-03 14:20:00,270 WARN  [org.ovirt.engine.core.bll.AddVdsGroupCommand] (ajp--127.0.0.1-8702-4) [5d1a0b44] CanDoAction of action AddVdsGroup failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

Comment 3 Eyal Edri 2015-02-17 17:09:40 UTC

rhev 3.5.0 was released. closing.

Note You need to log in before you can comment on or make changes to this bug.