Bug 1307048

Summary: "Available consoles" query fails for insufficient permissions
Product: [oVirt] ovirt-engine
Reporter: Francesco Romani <fromani>
Component: Backend.Core
Assignee: Francesco Romani <fromani>
Status: CLOSED NOTABUG
QA Contact: meital avital <mavital>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 3.6.2.6
CC: bugs, gscott, mavital, michal.skrivanek, tjelinek
Target Milestone: ovirt-3.6.5
Flags: tjelinek: ovirt-3.6.z?, rule-engine: planning_ack?, michal.skrivanek: devel_ack+, mavital: testing_ack+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: Virt
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-14 08:26:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Virt
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Francesco Romani 2016-02-12 14:55:57 UTC
Description of problem:
As part of the serial console login flow, the ovirt-vmconsole-proxy service asks Engine for the list of the available consoles for a given user.
This happens only after the user is successfully authenticated, so there is no risk of information leak.

With ovirt-engine 3.6.2, the permission handling of the serial-console related queries was reworked, and the query started to fail for non-admin users, with errors like

2016-02-08 14:28:42,533 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:28:42,605 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:28:47,551 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-3) Query execution failed due to insufficient permissions.
2016-02-08 14:28:47,561 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-3) Query execution failed due to insufficient permissions.
2016-02-08 14:28:52,511 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-18) Query execution failed due to insufficient permissions.
2016-02-08 14:28:52,524 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-18) Query execution failed due to insufficient permissions.
2016-02-08 14:28:57,597 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-12) Query execution failed due to insufficient permissions.
2016-02-08 14:28:57,608 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-12) Query execution failed due to insufficient permissions.
2016-02-08 14:29:02,510 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:29:02,520 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:29:07,539 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-16) Query execution failed due to insufficient permissions.
2016-02-08 14:29:07,576 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-16) Query execution failed due to insufficient permissions.
2016-02-08 14:29:12,538 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-11) Query execution failed due to insufficient permissions.
2016-02-08 14:29:12,548 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-11) Query execution failed due to insufficient permissions.


Version-Release number of selected component (if applicable):
3.6.2


How reproducible:
100% (claimed, yet to be verified)

Steps to Reproduce:
1. configure serial console proxy
2. configure ssh keys for non-admin user
3. try to log in with non-admin users

Actual results:
Query fails, thus no available VM returned

Expected results:
Query should succeed

NOTE: since reproduction is still not complete, we don't know about possible workarounds.

Additional info:

Comment 1 Francesco Romani 2016-03-09 14:29:22 UTC
Built and configured Engine 3.6.5, added aaa-jdbc package, created "John Doe" unprivileged (aka not-admin) user, added these roles

UserRole (on test VM)
UserVmManager  (on test VM)

Those were present by default:
VnicProfileUser
UserTemplateBasedVm
UserProfileEditor
CpuProfileOperator


Can't reproduce, I see no errors in the logs.

I guess we can still have http://gerrit.ovirt.org/53341 in master because it makes the code more correct, but perhaps it is not worth a backport.

Comment 2 Francesco Romani 2016-03-09 14:34:14 UTC
Asked on ovirt-users for more details, this issue seems not trivial to reproduce.

Comment 3 Tomas Jelinek 2016-03-14 08:26:14 UTC
I think the original "2016-02-08 14:28:42,533 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery]" was not related to opening the console. The attached patch (53341) is not correct - it would break the opening of the console for non-admin users who don't have rights on the host itself.

Since the problem does not reproduce after looking at the code and doing lots of experiments, closing this bug as not a bug since it seems there is no bug in this flow.

In case someone actually hits this issue, please feel free to reopen.
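
Added example, not part of the bug report or of oVirt's code: a triage script for engine.log lines in the format quoted in the description. It groups "insufficient permissions" failures by query class and measures the spacing between bursts, so the timing can be compared against actual console login attempts. The function names are hypothetical; the sample is the first six lines from the description plus one constructed INFO line.

```python
import re
from collections import defaultdict
from datetime import datetime

# First six log lines from the description, plus one constructed INFO line.
MSG = "Query execution failed due to insufficient permissions."
SAMPLE_LOG = "\n".join(
    f"2016-02-08 14:28:{sec} ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] "
    f"(ajp--127.0.0.1-8702-{thread}) {MSG}"
    for sec, thread in [("42,533", 17), ("42,605", 17), ("47,551", 3),
                        ("47,561", 3), ("52,511", 18), ("52,524", 18)]
) + "\n2016-02-08 14:28:53,000 INFO [constructed.Example] (ajp--127.0.0.1-8702-1) unrelated line"

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) ERROR \[([\w.]+)\] \(([^)]+)\) "
    + re.escape(MSG)
)

def parse_denials(text):
    """Return (timestamp, query_class, thread) for each permission failure."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m.group(2), m.group(3)))
    return events

def burst_report(text, gap_seconds=1.0):
    """Per query class: failure count, burst count, seconds between burst starts.

    A burst is a run of failures each less than gap_seconds after the previous one.
    """
    by_query = defaultdict(list)
    for ts, query, _thread in sorted(parse_denials(text)):
        by_query[query].append(ts)
    report = {}
    for query, stamps in by_query.items():
        starts = [stamps[0]]
        for prev, cur in zip(stamps, stamps[1:]):
            if (cur - prev).total_seconds() >= gap_seconds:
                starts.append(cur)
        intervals = [round((b - a).total_seconds(), 3)
                     for a, b in zip(starts, starts[1:])]
        report[query] = {"denials": len(stamps), "bursts": len(starts),
                         "intervals": intervals}
    return report

if __name__ == "__main__":
    for query, stats in burst_report(SAMPLE_LOG).items():
        print(query, stats)
```

Evenly spaced bursts that do not line up with login attempts recorded elsewhere point to a caller other than the console flow.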