Bug 1108153
Summary: | [RFE] Export Domain - Create a new role for users who can export/import VMs | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Robert McSwain <rmcswain> | ||||
Component: | ovirt-engine | Assignee: | Ala Hino <ahino> | ||||
Status: | CLOSED ERRATA | QA Contact: | Ondra Machacek <omachace> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | high | ||||||
Version: | 3.3.0 | CC: | ahino, amureini, asegundo, ederevea, gklein, howey.vernon, iheim, juwu, lsurette, michal.skrivanek, omachace, pablo.iranzo, rbalakri, rgolan, Rhev-m-bugs, rmcswain, sherold, tdosek, tnisan, usurse, yeylon, ykaul | ||||
Target Milestone: | ovirt-3.6.0-rc | Keywords: | FutureFeature | ||||
Target Release: | 3.6.0 | Flags: | sherold:
Triaged+
|
||||
Hardware: | All | ||||||
OS: | All | ||||||
Whiteboard: | |||||||
Fixed In Version: | 3.6.0-4 alpha3 | Doc Type: | Enhancement | ||||
Doc Text: |
A new user role 'VmImporterExporter' is now available. The role allows users to export and import virtual machines in the Administration Portal. The 'DataCenterAdmin' permission is no longer required for performing such actions.
|
Story Points: | --- | ||||
Clone Of: | Environment: | ||||||
Last Closed: | 2016-03-09 20:46:57 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | Virt | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 1255405 | ||||||
Bug Blocks: | 1213937, 1236984 | ||||||
Attachments: |
|
Description
Robert McSwain
2014-06-11 13:18:06 UTC
Ala, what was the reason for abandoning your patches? (In reply to Michal Skrivanek from comment #12) > Ala, what was the reason for abandoning your patches? I started working on this RFE as part of the hackathon but then realized that it's not a one week RFE so, at least for now, I am not going to work on it. The patches may still be relevant for those who will work on this one. why make it complicated? comment #11 as well as previous comments suggest that simply adding permissions is enough. That's what you did, IIUC, so why not merge it? (In reply to Michal Skrivanek from comment #14) > why make it complicated? comment #11 as well as previous comments suggest > that simply adding permissions is enough. > That's what you did, IIUC, so why not merge it? In this case, merging the changes is the easy part. Michal - patch https://gerrit.ovirt.org/#/c/41055/ (referenced in the external bugs, merged earlier today) adds a new ADMIN role, VmImproterExporter that allows an admin user to export/import a VM its granted on. If this covers the functional requirement, please move the BZ to MODIFIED. If not, up to you on how to continue with it. ovirt-3.6.0-3 release Role 'VmImproterExporter' is missing 'login' permission. Created attachment 1057737 [details]
error import vm
User has VmImporterExport on system. Export worked fine. Import don't:
2015-07-30 18:20:16,199 INFO [org.ovirt.engine.core.vdsbroker.irsbroker.GetVmsInfoVDSCommand] (default task-3) [] START, GetVmsInfoVDSCommand( GetVmsInfoVDSCommandParameters:{runAsync='true', storagePoolId='41816623-ced4-4661-84c4-d1a2fca396a8', ignoreFailoverLimit='false', storageDomainId='becdc5d5-b622-4fed-9eb2-d04da484cfeb', vmIdList='null'}), log id: 6a9ce136
2015-07-30 18:20:16,246 INFO [org.ovirt.engine.core.vdsbroker.irsbroker.GetVmsInfoVDSCommand] (default task-3) [] FINISH, GetVmsInfoVDSCommand, log id: 6a9ce136
2015-07-30 18:20:22,064 INFO [org.ovirt.engine.core.bll.ImportVmCommand] (default task-17) [7297c3e6] Lock Acquired to object 'EngineLock:{exclusiveLocks='[vm=<VM_NAME, ACTION_TYPE_FAILED_NAME_ALREADY_USED>, 9c89b6b9-3760-47a9-96a4-5262366de2ed=<VM, ACTION_TYPE_FAILED_VM_IS_BEING_IMPORTED$VmName vm>]', sharedLocks='[de18affc-cbff-42bd-9ced-b7e53f8be288=<REMOTE_VM, ACTION_TYPE_FAILED_VM_IS_BEING_IMPORTED$VmName vm>]'}'
2015-07-30 18:20:22,078 INFO [org.ovirt.engine.core.vdsbroker.irsbroker.GetVmsInfoVDSCommand] (default task-17) [7297c3e6] START, GetVmsInfoVDSCommand( GetVmsInfoVDSCommandParameters:{runAsync='true', storagePoolId='41816623-ced4-4661-84c4-d1a2fca396a8', ignoreFailoverLimit='false', storageDomainId='becdc5d5-b622-4fed-9eb2-d04da484cfeb', vmIdList='null'}), log id: 68245fba
2015-07-30 18:20:22,115 INFO [org.ovirt.engine.core.vdsbroker.irsbroker.GetVmsInfoVDSCommand] (default task-17) [7297c3e6] FINISH, GetVmsInfoVDSCommand, log id: 68245fba
2015-07-30 18:20:22,396 INFO [org.ovirt.engine.core.vdsbroker.irsbroker.DoesImageExistVDSCommand] (default task-17) [7297c3e6] START, DoesImageExistVDSCommand( GetImageInfoVDSCommandParameters:{runAsync='true', storagePoolId='41816623-ced4-4661-84c4-d1a2fca396a8', ignoreFailoverLimit='false', storageDomainId='becdc5d5-b622-4fed-9eb2-d04da484cfeb', imageGroupId='2af451eb-6a65-4902-9016-eea91753db08', imageId='e47c2c29-3b30-436e-85f0-e9c3ed1857a4'}), log id: 66056f1
2015-07-30 18:20:22,441 INFO [org.ovirt.engine.core.vdsbroker.irsbroker.DoesImageExistVDSCommand] (default task-17) [7297c3e6] FINISH, DoesImageExistVDSCommand, return: true, log id: 66056f1
2015-07-30 18:20:22,485 WARN [org.ovirt.engine.core.bll.ImportVmCommand] (default task-17) [] CanDoAction of action 'ImportVm' failed for user user1@PROFILE. Reasons: VAR__ACTION__IMPORT,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_ATTACH_DISK_PROFILE
2015-07-30 18:20:22,486 INFO [org.ovirt.engine.core.bll.ImportVmCommand] (default task-17) [] Lock freed to object 'EngineLock:{exclusiveLocks='[vm=<VM_NAME, ACTION_TYPE_FAILED_NAME_ALREADY_USED>, 9c89b6b9-3760-47a9-96a4-5262366de2ed=<VM, ACTION_TYPE_FAILED_VM_IS_BEING_IMPORTED$VmName vm>]', sharedLocks='[de18affc-cbff-42bd-9ced-b7e53f8be288=<REMOTE_VM, ACTION_TYPE_FAILED_VM_IS_BEING_IMPORTED$VmName vm>]'}'
It seems to be failing on a permission to attach a disk profile. I have to admit I'm unclear on what disk profiles have to do with importing. Roy - can someone from your team take a look please? (In reply to Ondra Machacek from comment #25) One must have permissions to use a disk profile. There should be always one profile which is allowed to everyone thought (also called 'default profile') The import is no different from Add/Update VM in that sense - A cando action will prevent you from using a profile you don't have permission to. The business case behind this is to prevent users from opt-in to QoS which will take resources you don't want to give them. I'd except the UI filter out profiles which you don't have permissions to. Can you confirm that? Sorry for late reply. I didn't created any new DiskProfiles, nor delete any, just using default setup. I can see the default profile, which is named same as the storage domain is. In the import domain dialog there is no option to choose the disk_profile. Please open a bug on this feature and block the feature, but don't fail it. It needs to be tracked separately. Ala, please add doc text Doc Text: A new user role 'VmImporterExporter' is now available. The role allows users to export and import virtual machines using the User Portal. The 'DataCenterAdmin' permission is no longer required for performing such actions. Julie it is not possible in UserPortal only webadmin. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-0376.html |