Bug 1310541

Summary: SuperUser permit returns 'operation failed'
Product: [oVirt] ovirt-engine Reporter: Nelly Credi <ncredi>
Component: Backend.CoreAssignee: Martin Sivák <msivak>
Status: CLOSED CURRENTRELEASE QA Contact: Nelly Credi <ncredi>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.6.3.2CC: bugs, gklein, juan.hernandez, mgoldboi, msivak
Target Milestone: ovirt-3.6.3Keywords: Automation, Regression
Target Release: 3.6.3.3Flags: rule-engine: ovirt-3.6.z+
rule-engine: blocker+
mgoldboi: planning_ack+
dfediuck: devel_ack+
rule-engine: testing_ack+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-11 07:24:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: SLA RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nelly Credi 2016-02-22 08:07:58 UTC 
Description of problem:

SuperUser - when accessing the permit href we get operation failed 


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1./api/roles/
2.returns: <roles>
<role href="/api/roles/00000000-0000-0000-0000-000000000001" id="00000000-0000-0000-0000-000000000001">
<name>SuperUser</name>
<description>Roles management administrator</description>
<link href="/api/roles/00000000-0000-0000-0000-000000000001/permits" rel="permits"/>
<mutable>false</mutable>
<administrative>true</administrative>
</role> ...... other roles....
3./api/roles/00000000-0000-0000-0000-000000000001/permits

Actual results:
<fault>
<reason>Operation Failed</reason>
</fault>

Expected results:
The operation should succeed 

Additional info:
Comment 1 Juan Hernández 2016-02-22 10:39:06 UTC 
This regression was introduced by the fix for bug 1255405. The patch to fix that bug introduced a new action group id with numeric value 1668:

  Add Attach Disk/Cpu profile permissions to all Import/Export capable roles
  https://gerrit.ovirt.org/52692

But there is no value in the "ActionGroup" enum corresponding to that value. As a result the "ActionGroupDaoImpl.getAllForRole" method returns an list containing one element whose value is "null". When the API tries to map this list it generates a NPE.

The workaround to the problem is to remove the offending rows from the database:

  delete from roles_groups where action_group_id=1668

However this would re-introduce bug 1255405.

I think that the right solution is to add the missing value to the "ActionGroup" enum, and also to the peer in the API, the "PermitType" enum.

It would also be nice send a clear error message to the log from the "ActionGroup.forValue" method, and maybe throw a run time exception instead of just returning "null".
Comment 2 Red Hat Bugzilla Rules Engine 2016-02-22 10:39:54 UTC 
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.
Comment 3 Martin Sivák 2016-02-23 13:58:36 UTC 
Waiting for the correct branch.