Bug 1104233

Summary: VM Pools do not properly inherit admin roles in the admin portal
Product: Red Hat Enterprise Virtualization Manager
Reporter: Jake Hunsaker <jhunsaker>
Component: ovirt-engine-webadmin-portal
Assignee: Shahar Havivi <shavivi>
Status: CLOSED ERRATA
QA Contact: Pavel Novotny <pnovotny>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.3.0
CC: ecohen, iheim, mavital, michal.skrivanek, pstehlik, rbalakri, Rhev-m-bugs, sherold, yeylon
Target Milestone: ---
Target Release: 3.5.0
Hardware: x86_64
OS: Linux
Whiteboard: virt
Fixed In Version: ovirt-engine-3.5.0_beta
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-11 18:03:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1142923, 1156165

Description Jake Hunsaker 2014-06-03 14:50:37 UTC
Description of problem:

For VM pools, if a user in the admin portal (aside from admin@internal) does not have the 'TemplateAdmin' and 'VmPoolAdmin' roles assigned explicitly on that pool, the user is given permission denied errors when trying to add other permissions to the pool.

If the user has admin roles such as the above, or SuperUser/ClusterAdmin/etc. roles assigned to a cluster or data center, those roles *appear* to be inherited to the pool (they display properly in the permissions tab); however, they do not actually give the user the permissions they imply - the same "Permission denied" error is generated.

Version-Release number of selected component (if applicable):

Tested on rhevm-3.3.2-0.50

How reproducible:
Always

Steps to Reproduce:
1. Assign the 'TemplateAdmin' and 'VmPoolAdmin' roles to a user on a cluster or data center
2. Using that user (not admin@internal) try to add permissions to a VM pool (for example adding the UserRole to another user)

Actual results:

User is given a permission denied error until the TemplateAdmin and VmPoolAdmin roles are assigned explicitly on the pool the user is attempting to modify.

Expected results:

Pool should properly inherit the roles from the higher-level cluster/data center.

Additional info:

It also appears that setting SuperUser on a cluster or data center results in the same errors until the role (or the TemplateAdmin and VmPoolAdmin roles) is assigned explicitly on the pool to be modified. This is also incorrect behavior.

Comment 1 Jake Hunsaker 2014-06-03 14:53:36 UTC
I should probably clarify on the points of the cluster/data center permissions. The VM Pool *is* inside the cluster/data center for which the user has SuperUser/TemplateAdmin/VmPoolAdmin roles assigned.

Comment 2 Pavel Novotny 2014-08-12 13:03:55 UTC
Verified upstream in ovirt-engine-3.5.0-0.0.master.20140804172041.git23b558e.el6.noarch (rc1).

Verification steps:
1. As a super-user, add roles 'TemplateAdmin' and 'VmPoolAdmin' on a data center or cluster (containing a VM pool) to user user1.org
2. Log into Webadmin as user1.org
3. Assign on the VM pool role 'UserRole' to user user2.org

Result: success, role UserRole on the VM pool is successfully assigned by user1@ to user2@

Comment 4 errata-xmlrpc 2015-02-11 18:03:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html