Bug 1376594

Summary: VMware LogUserEvent fails with permission denied
Product: Red Hat CloudForms Management Engine
Reporter: Adam Grare <agrare>
Component: Providers
Assignee: Adam Grare <agrare>
Status: CLOSED NOTABUG
QA Contact: Ievgen Zapolskyi <izapolsk>
Severity: medium
Priority: medium
Version: 5.6.0
CC: greartes, jdeubel, jfrey, jhardy, obarenbo
Target Milestone: GA
Target Release: 5.7.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: provider:event, authentication:maintenance
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2016-10-26 12:49:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Adam Grare 2016-09-15 21:02:36 UTC
Description of problem:
User actions on a VM that log an event with VMware (e.g.: vm_start, vm_stop, vm_destroy) call the VIM API call EventMonitor.LogUserEvent.  This API call fails with 'Permission to perform this operation was denied.'

[----] E, [2016-09-13T13:53:22.030984 #9274:897998] ERROR -- : MIQ(MiqQueue#m_callback) Message id: [100000000401138]: Handsoap::Fault { :code => 'ServerFaultCode', :reason => 'Permission to perform this operation was denied.' }
[----] E, [2016-09-13T13:53:22.031084 #9274:897998] ERROR -- : MIQ(MiqQueue#m_callback) backtrace: (druby://127.0.0.1:35922) /opt/rh/cfme-gemset/bundler/gems/handsoap-4b342ee6124d/lib/handsoap/service.rb:195:in `on_fault'
(druby://127.0.0.1:35922) /opt/rh/cfme-gemset/bundler/gems/handsoap-4b342ee6124d/lib/handsoap/service.rb:283:in `dispatch'
(druby://127.0.0.1:35922) /opt/rh/cfme-gemset/bundler/gems/handsoap-4b342ee6124d/lib/handsoap/service.rb:189:in `invoke'
(druby://127.0.0.1:35922) /var/www/miq/vmdb/gems/pending/VMwareWebService/VimService.rb:468:in `logUserEvent'
(druby://127.0.0.1:35922) /var/www/miq/vmdb/gems/pending/VMwareWebService/MiqVimInventory.rb:1933:in `logUserEvent'
(druby://127.0.0.1:35922) /var/www/miq/vmdb/gems/pending/VMwareWebService/MiqVimVm.rb:1210:in `logUserEvent'
(druby://127.0.0.1:35922) /opt/rh/rh-ruby22/root/usr/share/ruby/drb/drb.rb:1624:in `perform_without_block'
(druby://127.0.0.1:35922) /opt/rh/rh-ruby22/root/usr/share/ruby/drb/drb.rb:1584:in `perform'
(druby://127.0.0.1:35922) /opt/rh/rh-ruby22/root/usr/share/ruby/drb/drb.rb:1657:in `block (2 levels) in main_loop'
(druby://127.0.0.1:35922) /opt/rh/rh-ruby22/root/usr/share/ruby/drb/drb.rb:1653:in `loop'
(druby://127.0.0.1:35922) /opt/rh/rh-ruby22/root/usr/share/ruby/drb/drb.rb:1653:in `block in main_loop'
(druby://127.0.0.1:35922) /opt/rh/cfme-gemset/gems/logging-2.1.0/lib/logging/diagnostic_context.rb:450:in `call'
(druby://127.0.0.1:35922) /opt/rh/cfme-gemset/gems/logging-2.1.0/lib/logging/diagnostic_context.rb:450:in `block in create_with_logging_context'
/var/www/miq/vmdb/app/models/manageiq/providers/vmware/infra_manager.rb:448:in `block in invoke_vim_ws'
/var/www/miq/vmdb/app/models/mixins/provider_object_mixin.rb:15:in `block in with_provider_object'
/var/www/miq/vmdb/app/models/mixins/vim_connect_mixin.rb:36:in `with_provider_connection'
/var/www/miq/vmdb/app/models/mixins/provider_object_mixin.rb:12:in `with_provider_object'
/var/www/miq/vmdb/app/models/manageiq/providers/vmware/infra_manager.rb:447:in `invoke_vim_ws'
/var/www/miq/vmdb/app/models/manageiq/providers/vmware/infra_manager.rb:166:in `vm_start'

Version-Release number of selected component (if applicable):
5.6.1.2

Comment 2 Adam Grare 2016-09-19 13:33:24 UTC
I am able to reproduce this error if I do not enable the "Global.LogEvent" privilege for the MIQ user.

This privilege is defined as "Allows logging a user-defined event against a particular managed entity." and is specified as required in the CFME documentation here "1.4.2.1. Using a Non-Administrator Account for Host Credentials"

Can we confirm that this privilege is given to the user that CFME uses to authenticate to vCenter?

Comment 5 Adam Grare 2016-10-26 12:49:13 UTC
Works when user permissions are configured per CFME documentation.
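
Added example, not part of the bug report and not CFME/ManageIQ code: a log triage for the failure discussed above. It scans evm.log-style text for the permission-denied Handsoap fault, reads the failing VIM call and the originating VM operation from the backtrace, and names the vCenter privilege to check on the provider account. The name `triage`, the regexes and the one-entry privilege map are assumptions; the sample input is constructed from the lines quoted in the description.

```ruby
# VIM call => vCenter privilege. Only the pair named in this bug is listed;
# any further entries would be assumptions to verify against the CFME docs.
REQUIRED_PRIVILEGE = { "logUserEvent" => "Global.LogEvent" }.freeze

FAULT_RE = /\[(?<ts>\d{4}-\d\d-\d\dT[\d:.]+) #\d+:\h+\] ERROR -- : .*Message id: \[(?<id>\d+)\]: Handsoap::Fault .*Permission to perform this operation was denied/
VIM_FRAME_RE = %r{VMwareWebService/VimService\.rb:\d+:in `(?<call>\w+)'}
OP_FRAME_RE  = %r{vmware/infra_manager\.rb:\d+:in `(?<op>vm_\w+)'}

# Returns one hash per permission-denied fault found in log_text.
def triage(log_text)
  findings = []
  current = nil
  log_text.each_line do |line|
    if (m = FAULT_RE.match(line))
      current = { time: m[:ts], message_id: m[:id], vim_call: nil, operation: nil }
      findings << current
      next
    end
    # A new log entry that is not the backtrace entry closes the current fault,
    # so frames from later, unrelated errors are not attributed to it.
    current = nil if line.start_with?("[") && !line.include?("backtrace:")
    next unless current
    current[:vim_call]  ||= line[VIM_FRAME_RE, "call"]
    current[:operation] ||= line[OP_FRAME_RE, "op"]
  end
  findings.each { |f| f[:missing_privilege] = REQUIRED_PRIVILEGE[f[:vim_call]] }
end

# Constructed sample: abridged from the log in the description, with wrapped
# lines joined; the final INFO line is made up to show where a fault ends.
SAMPLE_LOG = <<~'LOG'
  [----] E, [2016-09-13T13:53:22.030984 #9274:897998] ERROR -- : MIQ(MiqQueue#m_callback) Message id: [100000000401138]: Handsoap::Fault { :code => 'ServerFaultCode', :reason => 'Permission to perform this operation was denied.' }
  [----] E, [2016-09-13T13:53:22.031084 #9274:897998] ERROR -- : MIQ(MiqQueue#m_callback) backtrace: (druby://127.0.0.1:35922) /opt/rh/cfme-gemset/bundler/gems/handsoap-4b342ee6124d/lib/handsoap/service.rb:195:in `on_fault'
  (druby://127.0.0.1:35922) /var/www/miq/vmdb/gems/pending/VMwareWebService/VimService.rb:468:in `logUserEvent'
  /var/www/miq/vmdb/app/models/manageiq/providers/vmware/infra_manager.rb:166:in `vm_start'
  [----] I, [2016-09-13T13:53:23.000000 #9274:897998]  INFO -- : MIQ(MiqQueue#delivered) constructed unrelated entry
LOG

if __FILE__ == $0
  triage(SAMPLE_LOG).each do |f|
    puts "#{f[:time]} msg #{f[:message_id]}: #{f[:operation]} -> #{f[:vim_call]} denied; " \
         "check privilege #{f[:missing_privilege] || '(unmapped call)'}"
  end
end
```

A fault whose VIM call is not in the map is still reported, with `missing_privilege` left `nil`, so unmapped calls surface instead of being dropped.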