Bug 1139533

Summary: Invalid action group identifiers in the roles_groups table trigger NPE
Product: [Retired] oVirt Reporter: Ondra Machacek <omachace>
Component: ovirt-engine-coreAssignee: Ravi Nori <rnori>
Status: CLOSED CURRENTRELEASE QA Contact: Jiri Belka <jbelka>
Severity: high Docs Contact:
Priority: urgent    
Version: 3.5CC: bugs, ecohen, gklein, iheim, juan.hernandez, oourfali, pkubica, rbalakri, rnori, yeylon
Target Milestone: ---Keywords: Regression
Target Release: 3.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: infra
Fixed In Version: ovirt-3.5.0_rc2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-17 12:34:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1073943, 1122419    

Description Ondra Machacek 2014-09-09 07:17:09 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
rhevm-restapi-3.5.0-0.10.master.el6ev.noarch

How reproducible:
always

Steps to Reproduce:curl -v -k -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Filter: false" -u "admin@internal:123456" https://localhost:443/api/roles/00000000-0000-0000-0000-000000000001/permits
* About to connect() to localhost port 443 (#0)
*   Trying ::1... connected
* Connected to localhost (::1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=om-rh35.rhev.lab.eng.brq.redhat.com,O=rhev.lab.eng.brq.redhat.com,C=US
* 	start date: Sep 08 07:07:56 2014 GMT
* 	expire date: Aug 14 07:07:56 2019 GMT
* 	common name: om-rh35.rhev.lab.eng.brq.redhat.com
* 	issuer: CN=om-rh35.rhev.lab.eng.brq.redhat.com.82550,O=rhev.lab.eng.brq.redhat.com,C=US
* Server auth using Basic with user 'admin@internal'
> GET /api/roles/00000000-0000-0000-0000-000000000001/permits HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.3.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost
> Accept: application/xml
> Content-Type: application/xml
> Filter: false
> 
< HTTP/1.1 500 Internal Server Error
< Date: Tue, 09 Sep 2014 07:15:13 GMT
< Content-Type: application/xml
< Content-Length: 103
< Vary: Accept-Encoding
< Connection: close
< 
* Closing connection #0
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><fault><reason>Operation Failed</reason></fault>

Expected results:
list of superuser permits


2014-09-09 09:16:47,463 INFO  [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp-/127.0.0.1:8702-6) Running command: LoginUserCommand internal: false.
2014-09-09 09:16:47,472 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-6) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin logged in.
2014-09-09 09:16:47,510 ERROR [org.ovirt.engine.api.restapi.resource.validation.MappingExceptionMapper] (ajp-/127.0.0.1:8702-6) org.ovirt.engine.api.restapi.utils.MappingException: java.lang.reflect.InvocationTargetException
2014-09-09 09:16:47,517 INFO  [org.ovirt.engine.core.bll.aaa.LogoutBySessionCommand] (ajp-/127.0.0.1:8702-6) [3ae2e2b4] Running command: LogoutBySessionCommand internal: false.
2014-09-09 09:16:47,520 INFO  [org.ovirt.engine.core.bll.aaa.LogoutUserCommand] (ajp-/127.0.0.1:8702-6) [31785114] Running command: LogoutUserCommand internal: false.
2014-09-09 09:16:47,528 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-6) [31785114] Correlation ID: 31785114, Call Stack: null, Custom Event ID: -1, Message: User admin logged out.
Comment 1 Ondra Machacek 2014-09-09 07:20:25 UTC 
Same for 'ClusterAdmin' and 'DataCenterAdmin.
Comment 2 Juan Hernández 2014-09-09 09:01:22 UTC 
This happens because the database table "roles_groups" contains two rows with values for the "action_group_id" column that don't exist in the backend "ActionGroup" enum. As a result when these rows are loaded the action group is null, and accessing it triggers a NPE.

The wrong values are 130 and 131. These have been introduced in the following patch in order to fix bug 989546:

  http://gerrit.ovirt.org/25685
Comment 3 Oved Ourfali 2014-09-14 08:06:21 UTC 
*** Bug 1140636 has been marked as a duplicate of this bug. ***
Comment 4 Jiri Belka 2014-09-17 08:52:14 UTC 
ok, ovirt-engine-backend-3.5.0-0.0.master.20140911085455.gite1c5ffd.el6.noarch

# curl -s -k -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Filter: false" -u "admin@internal:123456" https://localhost:443/api/roles/00000000-0000-0000-0000-000000000001/permits | grep '<name>' | nl | tail
    68          <name>access_image_storage</name>
    69          <name>tag_management</name>
    70          <name>bookmark_management</name>
    71          <name>event_notification_management</name>
    72          <name>manipulate_affinity_groups</name>
    73          <name>add_users_and_groups_from_directory</name>
    74          <name>audit_log_management</name>
    75          <name>configure_storage_disk_profile</name>
    76          <name>create_storage_disk_profile</name>
    77          <name>delete_storage_disk_profile</name>l
Comment 5 Sandro Bonazzola 2014-10-17 12:34:36 UTC 
oVirt 3.5 has been released and should include the fix for this issue.