Bug 1058290

Summary: "too many" permissions needed for creating a VM pool
Product: [Retired] oVirt Reporter: Michal Skrivanek <michal.skrivanek>
Component: ovirt-engine-webadminAssignee: Martin Betak <mbetak>
Status: CLOSED CURRENTRELEASE QA Contact: bugs <bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.4CC: acathrow, ecohen, gklein, iheim, mgoldboi, oourfali, sherold, yeylon
Target Milestone: ---   
Target Release: 3.4.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: virt
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-08 13:38:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michal Skrivanek 2014-01-27 12:55:41 UTC 
seems I need to have VMPoolAdmin on a cluster to be able to create a pool. That is fine.
But the requirement to have the same on a template seems wrong. IMHO I should be able to use any template I have access to (e.g. PowerUser should be enough). Currently even TemplateOwner doesn't work.

I'd suggest to drop extra checks on template.
Comment 1 Oved Ourfali 2014-01-28 06:44:48 UTC 
When adding regular VM today, we check the user has CREATE_VM action group both on the cluster, and on the Template. I guess the reason for doing this validation on the template is to prevent administrators from creating a VM from any template, as they can see all templates.

Not sure this check is really needed... 
Now, the same check is done when adding a VM pool, but with the CREATE_VM_POOL action group.

I suggest that we either remove this permission requirement from both commands, or test for CREATE_VM on the template in the VM Pool use-case, rather than testing for CREATE_VM_POOL on it. That way, having a VmPoolAdmin on the cluster should be enough for creating a VM pool on it (need to be tested, of course, but it looks like it should work).

Thoughts?
Comment 2 Omer Frenkel 2014-01-28 10:40:19 UTC 
i agree with requiring CREATE_VM for template also when creating pool,
this is what i had in mind as well
Comment 3 Itamar Heim 2014-02-02 08:17:19 UTC 
Setting target release to current version for consideration and review. please
do not push non-RFE bugs to an undefined target release to make sure bugs are
reviewed for relevancy, fix, closure, etc.
Comment 4 Sandro Bonazzola 2014-03-04 09:31:15 UTC 
This is an automated message.
Re-targeting all non-blocker bugs still open on 3.4.0 to 3.4.1.
Comment 5 Martin Betak 2014-04-30 09:42:24 UTC 
merged u/s as e88336ef6b70a34e517d6d1886e4fc2484fbcc0b
Comment 6 Sandro Bonazzola 2014-05-08 13:38:42 UTC 
This is an automated message

oVirt 3.4.1 has been released:
 * should fix your issue
 * should be available at your local mirror within two days.

If problems still persist, please make note of it in this bug report.