Bug 1368552

Summary: User unable to query disks of assigned VM
Product: [oVirt] ovirt-engine Reporter: Lukas Svaty <lsvaty>
Component: RestAPIAssignee: Juan Hernández <juan.hernandez>
Status: CLOSED CURRENTRELEASE QA Contact: Lucie Leistnerova <lleistne>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0.2.7CC: bugs, lleistne, mgoldboi, mperina
Target Milestone: ovirt-4.0.4Keywords: Regression
Target Release: 4.0.4Flags: rule-engine: ovirt-4.0.z+
rule-engine: ovirt-4.1+
rule-engine: blocker+
mgoldboi: planning_ack+
mperina: devel_ack+
lsvaty: testing_ack+
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-26 12:32:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Lukas Svaty 2016-08-19 17:30:00 UTC 
Description of problem:
If uset has user permissions on VM he should be able to list disks via api as it was available in the older versions.

Version-Release number of selected component (if applicable):
ovirt-engine-4.0.2.7-0.1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. Add user permissions to vm for user test
2. try to query disks of vm on version 4 api 
  curl -X get --insecure -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Filter: true" -u test@internal:$PWD https://my.engine.com/ovirt-engine/api/vms/$VM_ID/diskattachments

3. try on version 3 api
  curl -X get --insecure -H "Accept: application/xml" -H "Version: 3" -H "Content-Type: application/xml" -H "Filter: true" -u test@internal:$PWD https://my.engine.com/ovirt-engine/api/vms/$VM_ID/disks

Actual results:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<fault>
    <detail>query execution failed due to insufficient permissions.</detail>
    <reason>Operation Failed</reason>
</fault>

Expected results:
query disks of vm
Comment 1 Martin Perina 2016-08-24 04:59:41 UTC 
Targeting 4.0.4 for now. Juan if the cause is not in RESTAPI but Engine, please move to storage team.
Comment 2 Red Hat Bugzilla Rules Engine 2016-08-24 04:59:48 UTC 
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.
Comment 3 Moran Goldboim 2016-08-24 08:24:39 UTC 
changing back priority and severity since it applies only to user level and not admin.
Comment 4 Juan Hernández 2016-08-24 10:53:56 UTC 
The reason for this is that in order to retrieve the disks it is necessary to also retrieve additional information, in particular it is necessary to retrieve the disk attachments, as that is where the "bootable" and "interface" attributes are in version 4 of the API. Apparently the user that has permissions to see the disks doesn't have permission to see the disk attachments, so retrieving that additional data fails, and as a result the complete operation fails. The proposed patch changes the API so that it ignores the failures to retrieve that additional data, but the result will be that the disks won't contain the "bootable" and "interface" attributes. We will probably need additional backend changes to make sure that the user that has permission to see the disks has also permission to see the disk attachments.
Comment 5 Lucie Leistnerova 2016-09-14 08:14:54 UTC 
/vms/$VM_ID/disks version 3 returns disk informations for test user
/vms/$VM_ID/diskattachments version 4 returns disk attachment informations for test user

without header "Filter: true" returns error 'query execution failed due to insufficient permissions.'

verified in ovirt-engine-restapi-4.0.4.2-0.1.el7ev.noarch