Bug 1320343

Summary: VirtIO serial console is not working with SuperUser role.
Product: Red Hat Enterprise Virtualization Manager Reporter: Ameya Charekar <achareka>
Component: ovirt-vmconsoleAssignee: Tomas Jelinek <tjelinek>
Status: CLOSED CURRENTRELEASE QA Contact: Jiri Belka <jbelka>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.6.3CC: bazulay, fromani, jbelka, michal.skrivanek, oourfali, Rhev-m-bugs, tjelinek
Target Milestone: ovirt-4.0.0-rc   
Target Release: 4.0.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 4.0.0-12 Doc Type: Bug Fix
Doc Text:
Cause: The SuperUser role assigned to the user on a VM did not let the user to be able to use the VirtIO serial console. Consequence: If the user wanted to use the VirtIO serial console one of the UserVmManager or UserInstanceManager had to be assigned to the user. Fix: Made sure also the SuperUser will be considered Result: Now also the SuperUser is allowed to use the VirtIO serial console
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-30 07:48:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Virt RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1313904    
Bug Blocks:    

Description Ameya Charekar 2016-03-22 22:44:25 UTC 
Description of problem:
VirtIO serial console is not working with superuser role (tried with admin@internal).

Version-Release number of selected component (if applicable):

on rhevm:
ovirt-vmconsole-1.0.0-1.el6ev.noarch
ovirt-vmconsole-proxy-1.0.0-1.el6ev.noarch

on hypervisor:
ovirt-vmconsole-1.0.0-1.el7ev.noarch
ovirt-vmconsole-host-1.0.0-1.el7ev.noarch

How reproducible:
Always

Steps to Reproduce:
1. Enable VirtIO serial console.
2. Copy public key of the client machine.
3. ssh -t -p 2222 ovirt-vmconsole@MANAGER_IP.

Actual results:
ERROR: No available running VMs
Connection to MANAGER_IP closed.

Expected results:
We should get serial console with SuperUser role. As per documentation, to access the serial console of a virtual machine, the user must have the UserVmManager, SuperUser, or UserInstanceManager permission on that virtual machine.

Additional info:
Adding role UserVmManager resolves the issue.
Comment 1 Francesco Romani 2016-03-24 11:27:15 UTC 
We suspect an underlying role/permission management issue.
Could be related to https://bugzilla.redhat.com/show_bug.cgi?id=1313904
We will continue the investigation to pinpoint the root cause.
Comment 2 Yaniv Lavi 2016-05-09 11:04:49 UTC 
oVirt 4.0 Alpha has been released, moving to oVirt 4.0 Beta target.
Comment 5 Michal Skrivanek 2016-05-19 10:49:20 UTC 
Best would be to solve the "VM visibility problem" in console servlet, just so it behaves the same as the rest of the system
Comment 8 Jiri Belka 2016-08-11 09:25:10 UTC 
ok, ovirt-engine-4.0.2.4-0.1.el7ev.noarch

works for admin@internal and an AD user with both UserVmManager and UserInstanceManager roles (it needs UserProfileEditor role so the user could modify his profile, ie. to upload this public ssh key).
Comment 9 Jiri Belka 2016-08-11 09:28:18 UTC 
DocText is odd, there appears twice 'UserInstanceManager'.
Comment 10 Tomas Jelinek 2016-08-11 10:39:07 UTC 
right, the doc text was wrong - fixed. 

But the verification was not correct, both UserVmManager and UserInstanceManager roles worked also before. The issue was that also the SuperUser did not work, so also this role needs to be checked.
Comment 11 Jiri Belka 2016-08-11 11:12:50 UTC 
SuperUser works fine - admin@internal - but tested also with an AD user with this role too ;)