Bug 1111095

Summary: [RFE] finer grained user permissions/roles on snapshots and live storage migration
Product: Red Hat Enterprise Virtualization Manager
Reporter: Paul Dwyer <pdwyer>
Component: RFEs
Assignee: Maor <mlipchuk>
Status: CLOSED ERRATA
QA Contact: Ori Gofen <ogofen>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.3.0
CC: aburden, acanan, amureini, audgiri, gklein, iheim, jentrena, lpeer, mlipchuk, pablo.iranzo, pdwyer, rbalakri, scohen, wmealing, yeylon, ylavi
Target Milestone: ovirt-3.6.0-rc
Keywords: FutureFeature, ZStream
Target Release: 3.6.0
Flags: sherold: Triaged+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Previously, the DISK_STORAGE_MANIPULATION permission allowed users to perform live storage migration as standard. Now, a new permission, DISK_LIVE_STORAGE_MIGRATION, has been introduced to allow finer control over which users can perform live storage migration. Upgrading to a version that includes this fix (3.6.0 or 3.5.1) will grant the new permission to all roles that included the DISK_STORAGE_MANIPULATION permission (DataCenterAdmin, StorageAdmin, ClusterAdmin, and relevant custom roles) to maintain functionality.
Story Points: ---
Clone Of:
: 1194272
Environment:
Last Closed: 2016-03-09 20:47:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Storage
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1188081, 1194272

Description Paul Dwyer 2014-06-19 08:49:25 UTC

Comment 10 Maor 2015-01-19 18:23:50 UTC
The permission of snapshots can be configured through the custom roles:
 VM -> Provisioning Operations -> Edit Snapshots

I've added a new, predefined Role, called VM run time manager, which includes the permissions of UserVmManager only without the vm snapshot manipulation.

Comment 11 Maor 2015-01-27 15:22:53 UTC
The permission that should be used for live storage snapshot is DISK_LIVE_STORAGE_MIGRATION.
This permission should be added to the permission DISK_STORAGE_MANIPULATION for the complete operation to work properly.

Comment 16 Ori Gofen 2015-05-27 11:52:39 UTC
Maor, can you please list all the new roles and their explicit permissions?
Right now I know only about the DISK_LIVE_STORAGE_MIGRATION permission; are there any other new ones?

Comment 17 Maor 2015-05-28 07:21:39 UTC
(In reply to Ori Gofen from comment #16)
> Maor, can you please list all the new roles and their explicit permissions?
> Right now I know only about the DISK_LIVE_STORAGE_MIGRATION permission; are
> there any other new ones?

no

Comment 18 Ori Gofen 2015-06-14 11:40:23 UTC
The new DISK_LIVE_STORAGE_MIGRATION permission enables the RHEVM admin to prevent a certain user from performing this action.
I am verifying this one according to the doc text.

Please be advised: per comment #17, no new snapshot operation permissions were added with this RFE.

Comment 19 Allon Mureinik 2015-11-16 09:23:41 UTC
Thanks for the doctext, Andrew!
However, I think there's some confusion here. DISK_STORAGE_MANIPULATION and DISK_LIVE_STORAGE_MIGRATION are different permissions.

Prior to this fix, DISK_STORAGE_MANIPULATION also allowed users to perform live storage migration. With this fix, a new permission, DISK_LIVE_STORAGE_MIGRATION, was introduced to allow performing live storage migration, and DISK_STORAGE_MANIPULATION no longer allows performing this operation. When upgrading to a version that includes this fix (3.6.0, or the z-stream clone on 3.5.1), this new permission is granted to all the roles that had the old DISK_STORAGE_MANIPULATION (Data Center Admin, Storage Admin, Cluster Admin, or any custom role the user may have created), so that the functionality of the system isn't impacted. This allows the admin to later create roles (or edit his pre-existing custom roles) to give some user the capability of doing some administrative operations excluding live storage migration.
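
The permission split and upgrade behaviour described in comment 19, as an added example that is not part of the bug report or of the oVirt code base. It models roles as plain sets of permission names; the role `BackupOperator`, the `OTHER_*` entries and all function names are hypothetical, and the rule that the new permission is checked together with the old one is an assumption taken from comment 11.

```python
"""Simplified model of the permission split (added example, not oVirt code)."""
OLD = "DISK_STORAGE_MANIPULATION"      # name from the bug
NEW = "DISK_LIVE_STORAGE_MIGRATION"    # name from the bug

# Constructed pre-upgrade roles. "BackupOperator" and the OTHER_* entries are
# hypothetical placeholders, not real oVirt roles or action groups.
ROLES_BEFORE = {
    "StorageAdmin": {OLD, "OTHER_PERMISSION_A"},
    "BackupOperator": {OLD},
    "PlainUser": {"OTHER_PERMISSION_B"},
}

def could_migrate_before_fix(perms):
    """Pre-fix behaviour: OLD alone allowed live storage migration."""
    return OLD in perms

def can_migrate_after_fix(perms):
    """Post-fix check. Assumption taken from comment 11: NEW is needed
    together with OLD for the complete operation to work."""
    return NEW in perms and OLD in perms

def upgrade_roles(roles):
    """Upgrade step: every role that holds OLD is also granted NEW."""
    return {name: set(perms) | ({NEW} if OLD in perms else set())
            for name, perms in roles.items()}

def upgrade_preserves_access(before):
    """True if no role gains or loses live migration across the upgrade."""
    after = upgrade_roles(before)
    return all(could_migrate_before_fix(before[n]) == can_migrate_after_fix(after[n])
               for n in before)

def roles_allowing_migration(roles):
    """Audit helper: roles to review once the new permission exists."""
    return sorted(n for n, p in roles.items() if can_migrate_after_fix(p))

def revoke_migration(roles, name):
    """Copy of roles with NEW removed from one role; OLD is left in place."""
    out = {n: set(p) for n, p in roles.items()}
    out[name].discard(NEW)
    return out

if __name__ == "__main__":
    after = upgrade_roles(ROLES_BEFORE)
    print("preserved:", upgrade_preserves_access(ROLES_BEFORE))
    print("review:", roles_allowing_migration(after))
    trimmed = revoke_migration(after, "BackupOperator")
    print("after trimming:", roles_allowing_migration(trimmed))
```

The audit list after the upgrade is the set of roles an administrator would review when deciding which ones should keep live storage migration.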

Comment 20 Andrew Burden 2015-11-16 23:09:33 UTC
Hi Allon,

Thank you for the excellent feedback!
Doctext updated as per your suggestion.

Comment 22 errata-xmlrpc 2016-03-09 20:47:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0376.html