Bug 1369046

Summary:	User can't assign CPU profile after upgrade from 3.6 to 4.0
Product:	Red Hat Enterprise Virtualization Manager	Reporter:	Michal Skrivanek <michal.skrivanek>
Component:	ovirt-engine	Assignee:	Andrej Krejcir <akrejcir>
Status:	CLOSED ERRATA	QA Contact:	Shira Maximov <mshira>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	4.0.0	CC:	akrejcir, audgiri, baptiste.agasse, bgraveno, dfediuck, gklein, jcoscia, jentrena, lsurette, mgoldboi, michal.skrivanek, mkalinin, mshira, pspacek, rbalakri, rgolan, rhev-integ, Rhev-m-bugs, rhodain, srevivo, ykaul
Target Milestone:	ovirt-4.1.0-alpha	Keywords:	Regression, ZStream
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:	Previously, when checking permissions for a CPU profile, group permissions were not considered. Users that were part of a group could not assign a CPU profile and so could not start a virtual machine. This was fixed by using PermissionDao and correct SQL functions when checking permissions, so group permissions are now considered.	Story Points:	---
Clone Of:
Clones:	1371888 1386289 (view as bug list)		Environment:
Last Closed:	2017-04-25 00:51:05 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	SLA	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1213937, 1371888, 1386289

Description Michal Skrivanek 2016-08-22 11:35:32 UTC

User can no longer create a VM due to "User doesn't have permissions to assign the cpu profile". Template has that profile, likely. 
There is PowerUser permission inherited on the profile (it's the only one in the cluster). 
This was working in 3.6.8

If an additional permission is needed it should be added automatically

Comment 3 Michal Skrivanek 2016-08-22 11:46:11 UTC

adding CpuProfileOperator permission on Cluster didn't help

Comment 5 Doron Fediuck 2016-08-22 12:48:50 UTC

Please see bug 1357995 as this may be dup or related. Are you using IPA?

Comment 6 Michal Skrivanek 2016-08-23 11:05:00 UTC

(In reply to Doron Fediuck from comment #5)
> Please see bug 1357995 as this may be dup or related. Are you using IPA?

it very well might be related, hard to say, it's not causing an exception, just fails permission check gracefully

Comment 10 Roy Golan 2016-08-28 07:46:05 UTC

Probably the same goes for 3.6?

Comment 11 Andrej Krejcir 2016-08-29 08:28:38 UTC

Yes, the bug is in 3.6 and the same fix would work.

Comment 12 Andrej Krejcir 2016-08-30 13:03:41 UTC

*** Bug 1357995 has been marked as a duplicate of this bug. ***

Comment 22 Shira Maximov 2016-12-26 13:55:47 UTC

try to verify on : 
ovirt-engine-4.2.0-0.0.master.20161219225535.git893d571.el7.centos.noarch

verification steps:
1) Create a user X, a group  Y , and add the user  to the group
ovirt-aaa-jdbc-tool group-manage show y
Group: y(5bc122fa-e278-4bb0-b0ea-b73435ec6241) members:
  User: x
2) Remove the permissions CpuProfileOperator for 'Everyone' on a CPU profile
3) Add VmCreator permission for the user X on the cluster
4) Try to create a VM with the CPU profile in the userportal - WORK
5) Remove the permissions for the user 'X' and add the same permission for the group 'Y' (in the webadmin)
6) Create VM in the userportal - FAILED

Comment 23 Doron Fediuck 2016-12-26 14:38:23 UTC

(In reply to Shira Maximov from comment #22)
> try to verify on : 
> ovirt-engine-4.2.0-0.0.master.20161219225535.git893d571.el7.centos.noarch
> 
> verification steps:
> 1) Create a user X, a group  Y , and add the user  to the group
> ovirt-aaa-jdbc-tool group-manage show y
> Group: y(5bc122fa-e278-4bb0-b0ea-b73435ec6241) members:
>   User: x
> 2) Remove the permissions CpuProfileOperator for 'Everyone' on a CPU profile
> 3) Add VmCreator permission for the user X on the cluster
> 4) Try to create a VM with the CPU profile in the userportal - WORK
> 5) Remove the permissions for the user 'X' and add the same permission for
> the group 'Y' (in the webadmin)
> 6) Create VM in the userportal - FAILED

If I understand correctly the original issue was about VMs created from templates, which is not the case here, right?
Also, why are you removing the permissions of X and not trying as a different user from the same group? The point is that removing the permissions as you did it may have removed the permissions for the group as well.

Comment 24 Shira Maximov 2016-12-26 15:04:08 UTC

The bug can be found when creating VM or creating template,
the problem is that when adding a permission to group the users doesn't inherit the permissions too. 

you can see in this bug : https://bugzilla.redhat.com/show_bug.cgi?id=1371888
in comment 5, the steps for verification that Andrej posted.

Comment 25 Doron Fediuck 2016-12-27 09:17:06 UTC

(In reply to Shira Maximov from comment #24)
> The bug can be found when creating VM or creating template,
> the problem is that when adding a permission to group the users doesn't
> inherit the permissions too. 
> 
> you can see in this bug : https://bugzilla.redhat.com/show_bug.cgi?id=1371888
> in comment 5, the steps for verification that Andrej posted.

1. Does the group have a CpuProfileOperator permission?
2. Please add the engine log.

Comment 26 Shira Maximov 2016-12-27 16:11:21 UTC

I'v tested it again on downstream : Red Hat Virtualization Manager Version: 4.1.0-0.3.beta2.el7

and it worked, moving to verified.