Bug 1108153

Summary:

[RFE] Export Domain - Create a new role for users who can export/import VMs

Product:

Red Hat Enterprise Virtualization Manager

Reporter:

Robert McSwain <rmcswain>

Component:

ovirt-engine

Assignee:

Ala Hino <ahino>

Status:

CLOSED ERRATA

QA Contact:

Ondra Machacek <omachace>

Severity:

medium

Docs Contact:

Priority:

high

Version:

3.3.0

CC:

ahino, amureini, asegundo, ederevea, gklein, howey.vernon, iheim, juwu, lsurette, michal.skrivanek, omachace, pablo.iranzo, rbalakri, rgolan, Rhev-m-bugs, rmcswain, sherold, tdosek, tnisan, usurse, yeylon, ykaul

Target Milestone:

ovirt-3.6.0-rc

Keywords:

FutureFeature

Target Release:

3.6.0

Flags:

sherold: Triaged+

Hardware:

All

OS:

All

Whiteboard:

Fixed In Version:

3.6.0-4 alpha3

Doc Type:

Enhancement

Doc Text:

A new user role 'VmImporterExporter' is now available. The role allows users to export and import virtual machines in the Administration Portal. The 'DataCenterAdmin' permission is no longer required for performing such actions.

Story Points:

---

Clone Of:

Environment:

Last Closed:

2016-03-09 20:46:57 UTC

Type:

Bug

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

Virt

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Bug Depends On:

1255405

Bug Blocks:

1213937, 1236984

Attachments:

Description	Flags
error import vm	none

Description Robert McSwain 2014-06-11 13:18:06 UTC

1. Proposed title of this feature request  
       New role for users who can export/import vms
      
    3. What is the nature and description of the request?
	We need users to be able to export VM using the User Portal without the permission "DataCenterAdmin"
      
    4. Why does the customer need this? (List the business requirements here)  
	We have final users and operators that need export/import vms from distinct datacenters.
      
    5. How would the customer like to achieve this? (List the functional requirements here)  
	We need a new role that permits this option
      
    6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  
	Yes
      
    7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  
	No
      
    8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  
	No
      
    10. List any affected packages or components.  
      
    11. Would the customer be able to assist in testing this functionality if implemented?  
	Yes

Comment 12 Michal Skrivanek 2015-06-05 08:12:20 UTC

Ala, what was the reason for abandoning your patches?

Comment 13 Ala Hino 2015-06-05 08:15:45 UTC

(In reply to Michal Skrivanek from comment #12)
> Ala, what was the reason for abandoning your patches?

I started working on this RFE as part of the hackathon but then realized that it's not a one week RFE so, at least for now, I am not going to work on it.

The patches may still be relevant for those who will work on this one.

Comment 14 Michal Skrivanek 2015-06-05 08:52:36 UTC

why make it complicated? comment #11 as well as previous comments suggest that simply adding permissions is enough.
That's what you did, IIUC, so why not merge it?

Comment 15 Ala Hino 2015-06-05 09:19:21 UTC

(In reply to Michal Skrivanek from comment #14)
> why make it complicated? comment #11 as well as previous comments suggest
> that simply adding permissions is enough.
> That's what you did, IIUC, so why not merge it?

In this case, merging the changes is the easy part.

Comment 20 Allon Mureinik 2015-06-21 14:08:29 UTC

Michal - patch https://gerrit.ovirt.org/#/c/41055/ (referenced in the external bugs, merged earlier today) adds a new ADMIN role, VmImproterExporter that allows an admin user to export/import a VM its granted on.

If this covers the functional requirement, please move the BZ to MODIFIED.
If not, up to you on how to continue with it.

Comment 23 Max Kovgan 2015-06-28 14:13:43 UTC

ovirt-3.6.0-3 release

Comment 24 Ondra Machacek 2015-07-09 11:03:15 UTC

Role 'VmImproterExporter' is missing 'login' permission.

Comment 25 Ondra Machacek 2015-07-30 16:22:39 UTC

Created attachment 1057737 [details]
error import vm

User has VmImporterExport on system. Export worked fine. Import don't:

2015-07-30 18:20:16,199 INFO  [org.ovirt.engine.core.vdsbroker.irsbroker.GetVmsInfoVDSCommand] (default task-3) [] START, GetVmsInfoVDSCommand( GetVmsInfoVDSCommandParameters:{runAsync='true', storagePoolId='41816623-ced4-4661-84c4-d1a2fca396a8', ignoreFailoverLimit='false', storageDomainId='becdc5d5-b622-4fed-9eb2-d04da484cfeb', vmIdList='null'}), log id: 6a9ce136
2015-07-30 18:20:16,246 INFO  [org.ovirt.engine.core.vdsbroker.irsbroker.GetVmsInfoVDSCommand] (default task-3) [] FINISH, GetVmsInfoVDSCommand, log id: 6a9ce136
2015-07-30 18:20:22,064 INFO  [org.ovirt.engine.core.bll.ImportVmCommand] (default task-17) [7297c3e6] Lock Acquired to object 'EngineLock:{exclusiveLocks='[vm=<VM_NAME, ACTION_TYPE_FAILED_NAME_ALREADY_USED>, 9c89b6b9-3760-47a9-96a4-5262366de2ed=<VM, ACTION_TYPE_FAILED_VM_IS_BEING_IMPORTED$VmName vm>]', sharedLocks='[de18affc-cbff-42bd-9ced-b7e53f8be288=<REMOTE_VM, ACTION_TYPE_FAILED_VM_IS_BEING_IMPORTED$VmName vm>]'}'
2015-07-30 18:20:22,078 INFO  [org.ovirt.engine.core.vdsbroker.irsbroker.GetVmsInfoVDSCommand] (default task-17) [7297c3e6] START, GetVmsInfoVDSCommand( GetVmsInfoVDSCommandParameters:{runAsync='true', storagePoolId='41816623-ced4-4661-84c4-d1a2fca396a8', ignoreFailoverLimit='false', storageDomainId='becdc5d5-b622-4fed-9eb2-d04da484cfeb', vmIdList='null'}), log id: 68245fba
2015-07-30 18:20:22,115 INFO  [org.ovirt.engine.core.vdsbroker.irsbroker.GetVmsInfoVDSCommand] (default task-17) [7297c3e6] FINISH, GetVmsInfoVDSCommand, log id: 68245fba
2015-07-30 18:20:22,396 INFO  [org.ovirt.engine.core.vdsbroker.irsbroker.DoesImageExistVDSCommand] (default task-17) [7297c3e6] START, DoesImageExistVDSCommand( GetImageInfoVDSCommandParameters:{runAsync='true', storagePoolId='41816623-ced4-4661-84c4-d1a2fca396a8', ignoreFailoverLimit='false', storageDomainId='becdc5d5-b622-4fed-9eb2-d04da484cfeb', imageGroupId='2af451eb-6a65-4902-9016-eea91753db08', imageId='e47c2c29-3b30-436e-85f0-e9c3ed1857a4'}), log id: 66056f1
2015-07-30 18:20:22,441 INFO  [org.ovirt.engine.core.vdsbroker.irsbroker.DoesImageExistVDSCommand] (default task-17) [7297c3e6] FINISH, DoesImageExistVDSCommand, return: true, log id: 66056f1
2015-07-30 18:20:22,485 WARN  [org.ovirt.engine.core.bll.ImportVmCommand] (default task-17) [] CanDoAction of action 'ImportVm' failed for user user1@PROFILE. Reasons: VAR__ACTION__IMPORT,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_ATTACH_DISK_PROFILE
2015-07-30 18:20:22,486 INFO  [org.ovirt.engine.core.bll.ImportVmCommand] (default task-17) [] Lock freed to object 'EngineLock:{exclusiveLocks='[vm=<VM_NAME, ACTION_TYPE_FAILED_NAME_ALREADY_USED>, 9c89b6b9-3760-47a9-96a4-5262366de2ed=<VM, ACTION_TYPE_FAILED_VM_IS_BEING_IMPORTED$VmName vm>]', sharedLocks='[de18affc-cbff-42bd-9ced-b7e53f8be288=<REMOTE_VM, ACTION_TYPE_FAILED_VM_IS_BEING_IMPORTED$VmName vm>]'}'

Comment 26 Allon Mureinik 2015-08-02 09:43:27 UTC

It seems to be failing on a permission to attach a disk profile. I have to admit I'm unclear on what disk profiles have to do with importing.

Roy - can someone from your team take a look please?

Comment 27 Roy Golan 2015-08-02 10:40:30 UTC

(In reply to Ondra Machacek from comment #25)

One must have permissions to use a disk profile. There should be always one profile which is allowed to everyone thought (also called 'default profile')

The import is no different from Add/Update VM in that sense - A cando action will prevent you from using a profile you don't have permission to. 

The business case behind this is to prevent users from opt-in to QoS which will take resources you don't want to give them.



I'd except the UI filter out profiles which you don't have permissions to. Can you confirm that?

Comment 28 Ondra Machacek 2015-08-10 15:31:31 UTC

Sorry for late reply.
I didn't created any new DiskProfiles, nor delete any, just using default setup.
I can see the default profile, which is named same as the storage domain is.
In the import domain dialog there is no option to choose the disk_profile.

Comment 29 Yaniv Lavi 2015-08-20 13:26:23 UTC

Please open a bug on this feature and block the feature, but don't fail it.

Comment 30 Yaniv Lavi 2015-08-20 13:27:55 UTC

It needs to be tracked separately.

Comment 31 Tal Nisan 2016-01-04 16:00:43 UTC

Ala, please add doc text

Comment 33 Ondra Machacek 2016-01-26 11:52:33 UTC

Doc Text:
A new user role 'VmImporterExporter' is now available. The role allows users to export and import virtual machines using the User Portal. The 'DataCenterAdmin' permission is no longer required for performing such actions.

Julie it is not possible in UserPortal only webadmin.

Comment 35 errata-xmlrpc 2016-03-09 20:46:57 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0376.html