Bug 1032131

Summary: Users unable to authenticate to user portal unless explicitly added
Product: Red Hat Enterprise Virtualization Manager Reporter: Allie DeVolder <adevolder>
Component: ovirt-engine-webadmin-portal Assignee: Nobody <nobody>
Status: CLOSED NOTABUG QA Contact: Pavel Stehlik <pstehlik>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 3.2.0 CC: acathrow, ecohen, iheim, Rhev-m-bugs, yeylon
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-20 07:15:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Allie DeVolder 2013-11-19 15:32:04 UTC
Description of problem:
After upgrading from 3.0.x to 3.2.4, there seems to be a behavioral change regarding new users. In the past, any valid user in the auth domain could log into the portal and the user would automatically get added to the users list in RHEVM. And with the pool permissions set so that the "everyone" user had access to the pool, then anyone could take a VM from the pool.

After upgrading to 3.2.4, nobody can log in unless I explicitly add the user AND also explicitly add the user to the pool (even though the everyone user already has permissions to the pool).

Version-Release number of selected component (if applicable):
rhevm-3.2.4-0.44.el6ev.noarch

How reproducible:
Very

Steps to Reproduce:
1. Create pool with "everyone" user access
2. Log in from valid user in auth domain
3. Attempt to get VM from pool

Actual results:
This error (when debug logging is enabled)
2013-11-15 15:38:55,139 DEBUG [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-11) [6650df7b] No permission found for user when running action LoginUser, on object Bottom for action group LOGIN with id bbb00000-0000-0000-0000-123456789bbb.
2013-11-15 15:38:55,139 WARN [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-11) [6650df7b] CanDoAction of action LoginUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

Expected results:
Access to VM

Comment 1 Itamar Heim 2013-11-20 07:15:18 UTC
The special built-in everyone group is ignored for login permission.
You can use any other domain group for the pool permission (domain users, etc.), which will work.

See Bug 986448 for more details.
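
A triage sketch for the failure reported above, added here as an example and not taken from this bug or from the RHEV/oVirt code: it groups `LoginUserCommand` log lines by the bracketed request id and reports logins refused with `USER_NOT_AUTHORIZED_TO_PERFORM_ACTION`. The line layout is assumed from the two log lines quoted in the description, the last two sample lines are constructed, and the name `login_denials` is hypothetical.

```python
import re
from collections import defaultdict

# Assumed layout (from the two lines quoted in the description):
# timestamp LEVEL [logger] (thread) [request id] message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]*)\)\s+"
    r"\[(?P<corr>[0-9a-f]+)\]\s+(?P<msg>.*)$"
)
GROUP_RE = re.compile(r"for action group (?P<group>\w+) with id (?P<oid>[0-9a-f-]+)")
DENIED = "USER_NOT_AUTHORIZED_TO_PERFORM_ACTION"

def login_denials(lines):
    """Return {request id: details} for every LoginUser attempt that was refused."""
    events = defaultdict(lambda: {"ts": None, "denied": False,
                                  "group": None, "object_id": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["logger"].endswith("LoginUserCommand"):
            continue  # skip other loggers and lines that do not parse
        ev = events[m["corr"]]
        ev["ts"] = ev["ts"] or m["ts"]
        g = GROUP_RE.search(m["msg"])
        if g:  # DEBUG detail, present only when debug logging is enabled
            ev["group"], ev["object_id"] = g["group"], g["oid"]
        if m["level"] == "WARN" and DENIED in m["msg"]:
            ev["denied"] = True
    return {corr: ev for corr, ev in events.items() if ev["denied"]}

SAMPLE = [
    # First two lines are the ones quoted in the description.
    "2013-11-15 15:38:55,139 DEBUG [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-11) [6650df7b] No permission found for user when running action LoginUser, on object Bottom for action group LOGIN with id bbb00000-0000-0000-0000-123456789bbb.",
    "2013-11-15 15:38:55,139 WARN [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-11) [6650df7b] CanDoAction of action LoginUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION",
    # Constructed: a refusal logged without the DEBUG detail line.
    "2013-11-15 15:40:02,511 WARN [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-3) [1a2b3c4d] CanDoAction of action LoginUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION",
    # Constructed: unrelated line that must be ignored.
    "2013-11-15 15:41:10,004 INFO [example.Unrelated] (ajp-/127.0.0.1:8702-5) [5e6f7a8b] Unrelated message",
]

if __name__ == "__main__":
    for corr, ev in login_denials(SAMPLE).items():
        print(ev["ts"], corr, "login refused; missing action group:",
              ev["group"] or "unknown (enable debug logging)")
```
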