Bug 1325785

Summary: permissions on Database Object don't allow "add direct LUN" to virtual machine.
Product: Red Hat Enterprise Virtualization Manager
Reporter: Olimp Bockowski <obockows>
Component: ovirt-engine
Assignee: Daniel Erez <derez>
Status: CLOSED ERRATA
QA Contact: Kevin Alon Goldblatt <kgoldbla>
Severity: low
Docs Contact:
Priority: unspecified
Version: 3.5.6
CC: amureini, derez, gklein, lsurette, obockows, oourfali, ratamir, rbalakri, Rhev-m-bugs, srevivo, tnisan, ykaul, ylavi
Target Milestone: ovirt-4.0.0-beta
Target Release: 4.0.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-08-23 20:34:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Storage
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Olimp Bockowski 2016-04-11 08:09:40 UTC
Description of problem:
permissions started and propagated on Database Object can't provide permissions to add direct LUN to virtual machine.

Version-Release number of selected component (if applicable):
RHEL 6.6 with rhevm-3.5.1-0.4.el6ev.noarch


How reproducible:

Example settings using AD:

User record: 
cc5490f5-e3c4-4d49-b35b-6d0702c1c06f | Luis              | Docampo Gutierrez   | xunta.local | ldocampo 

permission record:
207f376b-a8b1-4a71-bdb0-b13b33b05497 | 00000000-0000-0000-0000-000000000001 | cc5490f5-e3c4-4d49-b35b-6d0702c1c06f | 7eb08a94-6a36-46c8-846f-7857c9f6bdda |             14

This means SuperUser (00000000-0000-0000-0000-000000000001) and a Database object affected by the permissions (object_type_id 14).

I have performed exactly the same test on my environment with IdM (both tests: users and groups).
The result is the same: permissions started and propagated on Database Object can't provide permissions to add direct LUN to virtual machine.

Workaround is to put user as Superuser at the top - System (object_type_id 1) - confirmed.

Actual results:
user doesn't have permission to 'add direct LUN' to VMs

Expected results:
user is able to 'add direct LUN'

Additional info:
Workaround is to put user as Superuser at the top - System (object_type_id 1)

Comment 1 Daniel Erez 2016-04-12 08:36:21 UTC
Hi Olimp,

A few questions for further investigation:
1. Are there any specific reproducing steps for the issue?
2. Have you encountered it only on a specific flow?
3. Is it reproduced consistently?
4. What is the error message you get from the UI/rest?
5. Which role is used by the user?
6. Which permissions are granted to the VM (VMs -> Permissions sub-tab)?
7. Can you please attach the relevant engine logs?

Comment 2 Olimp Bockowski 2016-04-27 12:48:03 UTC
1. Are there any specific reproducing steps for the issue?
Just select the 'Datacenter' tab, pick one of the Datacenters, then the 'Permissions' tab at the bottom, and add any user with the SuperUser role.
2. Have you encountered it only on a specific flow?
I think it is only related to the hierarchy of permissions, when the SuperUser role is not applied at the top (applied through Configure/System Permissions).
3. Is it reproduced consistently?
Yes
4. What is the error message you get from the UI/rest?
The error is "User is not authorized to perform this action".
5. Which role is used by the user?
SuperUser, PowerUser (but I don't expect the second one to work)
6. Which permissions are granted to the VM (VMs -> Permissions sub-tab)?
VM permissions weren't set; we expected that the SuperUser role for the Datacenter would allow adding a new LUN to the VM.
7. Can you please attach the relevant engine logs?
I am to attach

olimpb

Comment 4 Olimp Bockowski 2016-04-27 13:02:47 UTC
attachment added as private due to restrictions related to customer's policy

olimpb

Comment 14 Kevin Alon Goldblatt 2016-06-19 15:45:41 UTC
Verified with the following code:
--------------------------------------
rhevm-4.0.0.4-0.1.el7ev.noarch
vdsm-4.18.2-0.el7ev.x86_64


Verified using the following scenario:
--------------------------------------
1. DC Tab -> Select a domain -> Permissions Tab
2. Press the Add Tab in the User Pane
3. Search for the User in the database, select the user and assign the Super User permissions to the user and press OK
4. Log into the Webadmin with the newly created user and select a VM in the VM Tab
5. Add a new direct LUN >>>>> direct LUN is added successfully
6. Create a new VM and add a direct LUN >>>>> direct LUN is added successfully

Moving to VERIFIED!

Comment 16 errata-xmlrpc 2016-08-23 20:34:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1743.html