Bug 1373546

Summary: explicit required permissions for the RHEV provider user
Product: Red Hat CloudForms Management Engine
Reporter: Colin Arnott <carnott>
Component: Documentation
Assignee: Red Hat CloudForms Documentation <cloudforms-docs>
Status: CLOSED WONTFIX
QA Contact: Red Hat CloudForms Documentation <cloudforms-docs>
Severity: high
Docs Contact:
Priority: unspecified
Version: 5.6.0
CC: adahms, bascar, benglish, cloudforms-docs, hhudgeon, jhardy, mfeifer, molasaga, obarenbo, obockows, sacpatil
Target Milestone: GA
Target Release: 5.7.0
Hardware: x86_64
OS: Linux
Whiteboard: doc
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-04 04:42:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1480288, 1511957

Description Colin Arnott 2016-09-06 14:46:44 UTC
Document URL: 
https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/managing-providers/#adding_a_red_hat_enterprise_virtualization_manager_provider

Section Number and Name: 
1.2.1.8 Adding a Red Hat Enterprise Virtualization Manager Provider: Credentials

Describe the issue: 
The RHEV provider currently requires the admin@internal account; my security standards prevent me from giving carte blanche access to my RHEV environment. Can you please enumerate the permissions required by CFME so that I can use least privilege when creating the CFME user for RHEV?

Suggestions for improvement: 
Add a section indicating required permissions for the RHEV provider.

Additional information:

Comment 2 Oved Ourfali 2016-09-20 19:06:21 UTC
Marianne - I'll be happy to help, but can you elaborate on what information is missing?

Comment 4 Andrew Dahms 2017-03-13 22:40:52 UTC
*** Bug 1430683 has been marked as a duplicate of this bug. ***

Comment 5 Andrew Dahms 2017-03-13 22:43:11 UTC
Hi Oved,

Just to follow up on this request, my understanding of what is required is as follows -

If a user wants to use an account other than 'admin@internal' to authenticate a RHV provider in CloudForms, what permissions or roles in the RHV environment are required so that the RHV provider can do everything it needs to in CloudForms?

Does that make sense?

Let us know if you have any details, or if you need any extra clarification.

Kind regards,

Andrew

Comment 7 Marianne Feifer 2017-10-03 18:56:17 UTC
Andrew, can you take a look and see what needs to be done, if anything?

Comment 8 Andrew Dahms 2017-10-04 23:10:07 UTC
Hi Marianne,

Thank you for the needinfo request.

This bug falls under the larger umbrella of the service accounts discussion we held earlier in the year, and I have just written a response to that to see if there is anything we can do across the board in 4.6.

If it looks like we cannot address this question for all providers, we will look at RHV specifically and see what we can do to resolve this bug during the 4.6 time frame.

Kind regards,

Andrew

Comment 9 Marianne Feifer 2017-10-27 18:51:34 UTC
Any updates?

Comment 13 Andrew Dahms 2018-04-04 04:42:51 UTC
Thank you for raising this bug.

After further discussion with the program team, we have been given the advice not to document specific permissions for service accounts at this time based on the following article -

http://cloudformsblog.redhat.com/2017/08/16/security-management-operations/

As such, I will be closing this bug for now, but we can re-investigate this request again in the future if required.