Bug 1126242

Summary: Inherited permissions on Pools doesn't reflect in Userportal
Product: [oVirt] ovirt-engine
Reporter: Ahmed Ossama <ahmed>
Component: Frontend.WebAdmin
Assignee: Michal Skrivanek <michal.skrivanek>
Status: CLOSED NOTABUG
QA Contact: Pavel Stehlik <pstehlik>
Severity: low
Docs Contact:
Priority: low
Version: ---
CC: bugs, gklein, michal.skrivanek, rbalakri, Rhev-m-bugs, sherold, srevivo, tjelinek, ykaul
Target Milestone: ovirt-4.0.0-rc
Flags: ylavi: ovirt-4.0.0?, rule-engine: planning_ack?, rule-engine: devel_ack?, rule-engine: testing_ack?
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-30 12:40:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Virt
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ahmed Ossama 2014-08-03 23:24:56 UTC
Description of problem:
On a newly installed rhev-m, I added a new domain, and granted access to two users, first as a SuperUser and the second as a PowerUserRole.

Then I created a new pool, I noticed that both users have inherited permissions on this pool. Also admin@internal (SuperUser and PowerUserRole) had inherited permissions on it as well.

Version-Release number of selected component (if applicable): 3.4

How reproducible:


Steps to Reproduce:
1. Add a domain
2. Create Pool
3. Add a domain user with PowerUserRole
4. The permissions show as inherited in the Pool details
5. The user doesn't see the pool in the Userportal unless he is explicitly granted that permission on this pool

Actual results:
Upon logging in to the userportal with any of the four users (I tested them all), I don't see the pool anywhere.

Expected results:
If the user role doesn't have permissions on Pools, then it shouldn't show that he has inherited permissions on this pool.

Additional info:
Granting the permission to each user explicitly to the pool fixes it. But it's misleading to see that a user (the PowerUserRole in this case) does have inherited permissions to the pool while in fact he doesn't in the user portal.

I am trying to widely test this misleading inherited permission on different objects and will report anything weird.

Comment 1 Itamar Heim 2014-08-08 20:50:17 UTC
michal - is this a bug? iirc, power user role is to create objects (then get permissions on them), not to see existing objects?
(and admin role is not relevant to user portal which only shows objects based on user role permissions)?

Comment 2 Michal Skrivanek 2014-08-29 08:47:17 UTC
as per documentation you're right
But IMHO it's really not obvious enough. The term "PowerUserRole" is quite misleading in this respect
not sure what to do with it, though:/

Comment 3 Omer Frenkel 2014-10-07 12:26:49 UTC
bug 1147960 has the same issue with powerUserRole not seeing templates

Comment 4 Michal Skrivanek 2015-06-05 13:19:46 UTC
still want to consider this "soon"

Comment 6 Red Hat Bugzilla Rules Engine 2015-11-30 20:45:42 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 7 Sandro Bonazzola 2016-05-02 09:50:42 UTC
Moving from 4.0 alpha to 4.0 beta since 4.0 alpha has been already released and bug is not ON_QA.

Comment 8 Yaniv Lavi 2016-05-23 13:14:29 UTC
oVirt 4.0 beta has been released, moving to RC milestone.

Comment 9 Tomas Jelinek 2016-05-30 12:40:10 UTC
The description of the "PowerUserRole" says:
"User Role, allowed to create VMs, Templates and Disks"

The role behaves as documented (e.g. it gives you permissions to create, not to read existing VMs), and the description seems clear to me.

I think this could be closed as "not a bug" - feel free to reopen if something should be done here.