Bug 1264385

Summary: [vmconsole] vmconsole permissions violates engine permission scheme
Product: [oVirt] ovirt-engine
Reporter: Alon Bar-Lev <alonbl>
Component: VMConsole
Assignee: Ravi Nori <rnori>
Status: CLOSED CURRENTRELEASE
QA Contact: Nikolai Sednev <nsednev>
Severity: high
Priority: unspecified
Version: ---
CC: alonbl, bazulay, bugs, ecohen, fromani, gklein, iheim, lsurette, michal.skrivanek, oourfali, rbalakri, rnori, yeylon
Target Milestone: ovirt-3.6.1
Target Release: 3.6.1
Keywords: Triaged
Flags: ylavi: ovirt-3.6.z?; ylavi: planning_ack?; rule-engine: devel_ack+; rule-engine: testing_ack+
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
oVirt Team: Infra
Type: Bug
Doc Type: Bug Fix
Doc Text:
  Cause: There was no dedicated role or action group that gated listing of VM consoles.
  Consequence: Could lead to a security violation where an unintended user could list the VM consoles.
  Fix: Introduce an action group which is assigned to specific roles such as SUPER_USER, VM_OPERATOR and INSTANCE_OPERATOR.
  Result: Only users with the SUPER_USER, VM_OPERATOR or INSTANCE_OPERATOR role can list the VM consoles.
Story Points: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
Cloudforms Team: ---
Last Closed: 2015-12-16 12:17:58 UTC
Bug Blocks: 1223671, 1279339

Description Alon Bar-Lev 2015-09-18 10:39:31 UTC
The current implementation of vmconsole violates the product permission model: object permission inheritance, Everyone assignment and group assignment.

Implementation should be modified to the following sequence:

1. Resolve internal user id into (authz-name, authz-id (external id), namespace).

2. Search authz principal by id and namespace, with resolve group and resolve group recursively flags.

3. Construct engine session and assign context if implementation requires that in order to lookup objects.

4. Find all VM objects that are running and match this context with specific role ConsoleAccess (or anything we decide). Everyone/User/Group matches based on system roles/data center/cluster/VM hierarchy as usual.

Expected Result:
1. Assign Everyone with ConsoleAccess role in System Roles -> all users can access all consoles.
2. Assign user1 with ConsoleAccess role in System Roles -> user1 can access all consoles.
3. Assign group1 with ConsoleAccess role in System Roles -> user1 which is member of group1 can access all consoles.
[repeat above with Datacenter]
[repeat above with Cluster]
[repeat above with VM]
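
The lookup sequence and expected results above, together with the action-group-on-roles approach described in the Doc Text, modelled in Python (the vmconsole helper is a Python script). This is an added example, not oVirt's own code: the object ids, user ids, group names, the inventory and the action-group name CONNECT_TO_SERIAL_CONSOLE are all constructed for illustration, and a real implementation would scope group lookups by authz name and namespace rather than by external id alone.

```python
"""Model of the vmconsole permission lookup: resolve the internal user id,
expand group membership recursively, then list running VMs on which a role
carrying the console action group is assigned to the user, one of its groups
or Everyone, anywhere up the System -> Data Center -> Cluster -> VM chain.
Added example; not oVirt code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical name for the action group the fix attaches to roles.
CONSOLE_ACCESS = "CONNECT_TO_SERIAL_CONSOLE"
EVERYONE = "everyone"  # built-in group every user is implicitly a member of

# Role -> action groups. SUPER_USER/VM_OPERATOR/INSTANCE_OPERATOR carry the
# action group (per the Doc Text); ConsoleAccess is the reporter's suggested
# dedicated role; UserRole lacks it and serves as the negative case.
ROLES: Dict[str, Set[str]] = {
    "SUPER_USER": {CONSOLE_ACCESS, "MANIPULATE_VM", "CREATE_VM"},
    "VM_OPERATOR": {CONSOLE_ACCESS, "MANIPULATE_VM"},
    "INSTANCE_OPERATOR": {CONSOLE_ACCESS},
    "ConsoleAccess": {CONSOLE_ACCESS},
    "UserRole": {"LOGIN"},
}


@dataclass
class Engine:
    # internal (users table) id -> (authz name, external id, namespace)  [step 1]
    users: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)
    # external id -> external ids of groups it is directly a member of
    member_of: Dict[str, Set[str]] = field(default_factory=dict)
    # object id -> parent object id (None for the system root)
    parents: Dict[str, Optional[str]] = field(default_factory=lambda: {"system": None})
    running_vms: Set[str] = field(default_factory=set)
    # (principal external id, role, object id)
    permissions: List[Tuple[str, str, str]] = field(default_factory=list)

    def add_object(self, oid: str, parent: str) -> None:
        if parent not in self.parents:
            raise KeyError(parent)
        self.parents[oid] = parent

    def assign(self, principal: str, role: str, obj: str) -> None:
        if role not in ROLES or obj not in self.parents:
            raise KeyError((role, obj))
        self.permissions.append((principal, role, obj))

    def resolve_user(self, internal_id: str) -> Tuple[str, str, str]:
        """Step 1: the helper receives the users-table id, not the authz id."""
        return self.users[internal_id]  # KeyError for an unknown id

    def resolve_principals(self, ext_id: str) -> Set[str]:
        """Step 2: the principal, all groups expanded recursively, and Everyone."""
        seen: Set[str] = set()
        todo = [ext_id]
        while todo:
            cur = todo.pop()
            if cur in seen:
                continue
            seen.add(cur)
            todo.extend(self.member_of.get(cur, ()))
        seen.add(EVERYONE)
        return seen

    def ancestors(self, oid: str) -> List[str]:
        """The object plus every ancestor up to the root (permission inheritance)."""
        chain: List[str] = []
        cur: Optional[str] = oid
        while cur is not None:
            chain.append(cur)
            cur = self.parents[cur]
        return chain

    def can_access_console(self, principals: Set[str], vm: str) -> bool:
        scope = set(self.ancestors(vm))
        return any(principal in principals and obj in scope and CONSOLE_ACCESS in ROLES[role]
                   for principal, role, obj in self.permissions)

    def list_consoles(self, internal_id: str) -> List[str]:
        """Steps 1-4: what the console listing should return for this user."""
        _authz, ext_id, _namespace = self.resolve_user(internal_id)
        principals = self.resolve_principals(ext_id)
        return sorted(vm for vm in self.running_vms if self.can_access_console(principals, vm))


def build_sample() -> Engine:
    """Constructed inventory: two data centers, one user with nested groups."""
    e = Engine()
    for oid, parent in [("dc1", "system"), ("cluster1", "dc1"), ("vm1", "cluster1"),
                        ("vm2", "cluster1"), ("vm3", "cluster1"),
                        ("dc2", "system"), ("cluster2", "dc2"), ("vm4", "cluster2")]:
        e.add_object(oid, parent)
    e.running_vms = {"vm1", "vm2", "vm4"}  # vm3 exists but is down: never listed
    e.users["0000-user1"] = ("internal-authz", "ext-user1", "*")
    e.users["0000-user2"] = ("internal-authz", "ext-user2", "*")
    e.member_of["ext-user1"] = {"group1"}
    e.member_of["group1"] = {"group2"}  # nested group: needs recursive resolution
    return e


if __name__ == "__main__":
    engine = build_sample()
    engine.assign("group2", "INSTANCE_OPERATOR", "dc1")
    print("user1:", engine.list_consoles("0000-user1"))
    print("user2:", engine.list_consoles("0000-user2"))
```

Each of the twelve expected results in the description is a single `assign` on a fresh `build_sample()` followed by `list_consoles`; a role without the action group (UserRole), a stopped VM (vm3) and an internal id missing from the users table all yield nothing.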

Comment 1 Michal Skrivanek 2015-09-18 11:42:55 UTC
Item 4 (virt specific) is tracked in bug 1264391.

Comment 2 Alon Bar-Lev 2015-09-18 13:47:40 UTC
Sorry, bug 1264391 is irrelevant for this one; the permission check will use whatever role is assigned to vmconsole.

Comment 3 Red Hat Bugzilla Rules Engine 2015-10-20 14:00:47 UTC
Fixed bug tickets must have version flags set prior to fixing them. Please set the correct version flags and move the bugs back to the previous status after this is corrected.

Comment 4 Red Hat Bugzilla Rules Engine 2015-10-20 14:00:47 UTC
Target release should be set once a package build is known to fix an issue. Since this bug is not in MODIFIED, the target version has been reset. Please use the target milestone to plan a fix for an oVirt release.

Comment 5 Yaniv Lavi 2015-10-29 12:34:28 UTC
In oVirt testing is done on single release by default. Therefore I'm removing the 4.0 flag. If you think this bug must be tested in 4.0 as well, please re-add the flag. Please note we might not have testing resources to handle the 4.0 clone.

Comment 6 Oved Ourfali 2015-10-29 12:36:22 UTC
Moving back to modified, as the rule changed it for some reason....

Comment 7 Nikolai Sednev 2015-11-25 06:11:42 UTC
Please provide reproduction steps for this bug for verification.

Comment 8 Ravi Nori 2015-11-30 13:53:32 UTC
1. Create a user with SUPER_USER / VM_OPERATOR or INSTANCE_OPERATOR permissions on the DC or Cluster.

2. Create a VM in the DC and start the VM

3. List the vm consoles accessible by the user by running
   ovirt-vmconsole-list.py consoles --entityid @USER_INTERNAL_ID@

where USER_INTERNAL_ID is the id of the user in the users table in database.

You should see the running VM listed

Comment 9 Nikolai Sednev 2015-12-07 16:12:41 UTC
Works for me on these components:
rhevm-3.6.1.1-0.1.el6.noarch
ovirt-host-deploy-java-1.4.1-1.el6ev.noarch
ovirt-vmconsole-1.0.0-1.el6ev.noarch
ovirt-host-deploy-1.4.1-1.el6ev.noarch
ovirt-vmconsole-proxy-1.0.0-1.el6ev.noarch
ovirt-engine-extension-aaa-jdbc-1.0.4-1.el6ev.noarch

# ovirt-aaa-jdbc-tool user add black \
> --attribute=firstName=Black \
> --attribute=lastName=Blackovich \
> --attribute=email=black
adding user black...
user added successfully

# ovirt-aaa-jdbc-tool user show black
-- User black(2fbb2bae-e9b1-450e-ac45-c53e74b388f8) --
Namespace: *
Name: black
ID: 2fbb2bae-e9b1-450e-ac45-c53e74b388f8
Display Name: 
Email: black
First Name: Black
Last Name: Blackovich
Department: 
Title: 
Description: 
Account Disabled: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2015-12-07 15:40:50Z
Account Valid To: 2215-12-07 15:40:50Z
Account Without Password: false
Last successful Login At: 1970-01-01 00:00:00Z
Last unsuccessful Login At: 1970-01-01 00:00:00Z
Password Valid To: 1970-01-01 00:00:00Z

# ovirt-aaa-jdbc-tool user password-reset black
Password:
updating user black...
user updated successfully



# cat /etc/ovirt-engine/engine.conf.d/10-setup-database.conf
ENGINE_DB_HOST="localhost"
ENGINE_DB_PORT="5432"
ENGINE_DB_USER="engine"
ENGINE_DB_PASSWORD="8HVeFa9uGGn4CGg7LlOJqe"
ENGINE_DB_DATABASE="engine"
ENGINE_DB_SECURED="False"
ENGINE_DB_SECURED_VALIDATION="False"
ENGINE_DB_DRIVER="org.postgresql.Driver"
ENGINE_DB_URL="jdbc:postgresql://localhost:5432/engine?sslfactory=org.postgresql.ssl.NonValidatingFactory"

# su - postgres 
-bash-4.1$  psql -d engine
psql (8.4.20)
engine-# select * from users;
ERROR:  syntax error at or near "select"
LINE 2: select * from users;
        ^
engine=# select * from users;
-[ RECORD 1 ]-----------+--------------------------------------
user_id                 | 00000018-0018-0018-0018-000000000279
name                    | admin
surname                 |
domain                  | internal-authz
username                | admin
department              |
email                   |
note                    |
last_admin_check_status | t
external_id             | 8cd95752-63a8-4738-a87d-89fc2617c5af
_create_date            | 2015-11-29 18:33:20.609721+02
_update_date            | 2015-12-07 16:45:53.442793+02
namespace               | *
-[ RECORD 2 ]-----------+--------------------------------------
user_id                 | 973131f6-ba7e-4a37-974f-bf7139ee626a
name                    | Black
surname                 | Blackovich
domain                  | internal-authz
username                | black
department              |
email                   | black
note                    |
last_admin_check_status | t
external_id             | 2fbb2bae-e9b1-450e-ac45-c53e74b388f8
_create_date            | 2015-12-07 17:42:17.968475+02
_update_date            | 2015-12-07 17:44:37.365973+02
namespace               | *
(2 rows)

engine=# \q
-bash-4.1$ exit


# /usr/libexec/ovirt-vmconsole-proxy-helper/ovirt-vmconsole-list.py consoles --entityid 00000018-0018-0018-0018-000000000279
{"content": "console_list", "consoles": [{"vmname": "vm1", "vmid": "2feb7c67-0875-4407-a64e-bd3d7a2120bd", "host": "alma04.qa.lab.tlv.redhat.com", "console": "2feb7c67-0875-4407-a64e-bd3d7a2120bd.sock", "vm": "vm1"}], "version": 1}
[root@nsednev-he-1 ~]# /usr/libexec/ovirt-vmconsole-proxy-helper/ovirt-vmconsole-list.py consoles --entityid 973131f6-ba7e-4a37-974f-bf7139ee626a
{"content": "console_list", "consoles": [{"vmname": "vm1", "vmid": "2feb7c67-0875-4407-a64e-bd3d7a2120bd", "host": "alma04.qa.lab.tlv.redhat.com", "console": "2feb7c67-0875-4407-a64e-bd3d7a2120bd.sock", "vm": "vm1"}], "version": 1}

Comment 10 Sandro Bonazzola 2015-12-16 12:17:58 UTC
According to verification status and target milestone this issue should be fixed in oVirt 3.6.1. Closing current release.