Bug 1379356

Summary: NetworkAdmin is unable to add network interface to template
Product: [oVirt] ovirt-engine
Reporter: Aleksei Slaikovskii <aslaikov>
Component: Backend.Core
Assignee: Nobody <nobody>
Status: CLOSED NOTABUG
QA Contact: meital avital <mavital>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.0.4.3
CC: bugs, danken, masayag
Target Milestone: ---
Flags: rule-engine: planning_ack?
       rule-engine: devel_ack?
       rule-engine: testing_ack?
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-09 08:24:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Network
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Aleksei Slaikovskii 2016-09-26 12:53:51 UTC
Hello!
Related to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1368565 I guess NetworkAdmin now has no permissions to modify a DC entity, right?

Steps to reproduce: same as in bug above but instead of ClusterAdmin role you need to use NetworkAdmin role.

Thank you!

Comment 1 Dan Kenigsberg 2016-09-29 10:34:07 UTC
Moti, what is your opinion? Should a mere NetworkAdmin be allowed to modify the networking facets of a DC-level template?

Comment 2 Moti Asayag 2016-09-29 18:35:46 UTC
Some preview:

Currently, adding a network interface to a Template is allowed for a role which contains the 'CONFIGURE_TEMPLATE_NETWORK' action group on both the template and the vnic profile.

NetworkAdmin already contains the CONFIGURE_TEMPLATE_NETWORK action group. If the 'NetworkAdmin' role is granted on the DC, it should be allowed to add a vnic to the template.

However, it means that with the current implementation, NetworkAdmin on the network won't be allowed to add a vnic to a template without adding a permission on either the template or the DC.

This behavior is aligned with our MLA model. So if a user who isn't the admin was granted the NetworkAdmin role, he should also be granted permissions on the template or on the DC to which the template belongs.

As for the specific question:
It sounds okay to me to allow NetworkAdmin to modify a DC-level entity (template), BUT it isn't aligned with the demand for a VM admin (i.e. ClusterAdmin) to require an additional permission on the VM entity on top of the vnic profile/network. This creates some inconsistency in the system.

In addition, such an engine upgrade will lead to a situation where users that were granted NetworkAdmin only will be allowed to modify a template's network configuration. So if the admin wanted to restrict the NetworkAdmin in the system to deal only with network and vnic profile administration, and to grant the TemplateAdmin role to other users, the user will become more privileged than designed.

The admin in the specific case can grant NetworkAdmin on the DC to the user, which will allow the user to add vnics to the template, or use custom roles to create a role with the exact permitted roles and assign it to the user on the DC, to support both network management and template network management.
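
The MLA rule described in comment 2 (the action group must be held on both the template and the vnic profile, and a permission granted on an ancestor such as the DC is inherited by the objects beneath it) can be modelled in a few dozen lines. The block below is an added illustration for this bug page, not ovirt-engine code: the object hierarchy, the users, the permissions and the "TemplateNetworkOnly" custom role are constructed for the example, and the NetworkAdmin role is shown with only the two action groups relevant here (the real role carries more). It reproduces the three outcomes discussed in comments 2 and 3: NetworkAdmin on the network alone is denied, NetworkAdmin on the DC is allowed, and a network-level NetworkAdmin plus a custom role on the template is allowed.

```python
"""Stand-alone model of the oVirt MLA check for adding a vNIC to a template.

Illustrative only: this is not ovirt-engine code.  Hierarchy, users, permissions
and the custom role below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

CONFIGURE_TEMPLATE_NETWORK = "CONFIGURE_TEMPLATE_NETWORK"
CONFIGURE_VM_NETWORK = "CONFIGURE_VM_NETWORK"

# Role -> action groups.  Only the action groups relevant here are listed;
# "TemplateNetworkOnly" is a hypothetical custom role of the kind comment 3 suggests.
ROLES: Dict[str, frozenset] = {
    "NetworkAdmin": frozenset({CONFIGURE_TEMPLATE_NETWORK, CONFIGURE_VM_NETWORK}),
    "TemplateNetworkOnly": frozenset({CONFIGURE_TEMPLATE_NETWORK}),
}


@dataclass(frozen=True)
class Entity:
    """A node in the permission hierarchy (System > DC > Template, DC > Network > vNIC profile)."""
    name: str
    parent: Optional["Entity"] = None

    def chain(self) -> Iterator["Entity"]:
        """Yield this object, then every ancestor up to the root."""
        node: Optional[Entity] = self
        while node is not None:
            yield node
            node = node.parent


@dataclass(frozen=True)
class Permission:
    user: str
    role: str
    target: Entity


def has_action_group(perms: List[Permission], user: str, action_group: str, obj: Entity) -> bool:
    """True if `user` holds a role carrying `action_group` on `obj` or on any of its ancestors."""
    scope = set(obj.chain())
    return any(
        p.user == user and p.target in scope and action_group in ROLES[p.role]
        for p in perms
    )


def can_add_vnic_to_template(perms: List[Permission], user: str, template: Entity, profile: Entity) -> bool:
    """Comment 2's rule: CONFIGURE_TEMPLATE_NETWORK is required on both the template and the profile."""
    return (has_action_group(perms, user, CONFIGURE_TEMPLATE_NETWORK, template)
            and has_action_group(perms, user, CONFIGURE_TEMPLATE_NETWORK, profile))


# Constructed hierarchy: one DC holding a template and a network with one vNIC profile.
SYSTEM = Entity("System")
DC1 = Entity("dc1", SYSTEM)
TEMPLATE1 = Entity("template1", DC1)
NET1 = Entity("net1", DC1)
PROFILE1 = Entity("net1-profile", NET1)

# Constructed permissions covering the cases discussed in the thread.
PERMS: List[Permission] = [
    Permission("alice", "NetworkAdmin", NET1),               # NetworkAdmin on the network only
    Permission("bob", "NetworkAdmin", DC1),                  # NetworkAdmin on the DC (comment 2's suggestion)
    Permission("carol", "NetworkAdmin", NET1),               # network-level NetworkAdmin ...
    Permission("carol", "TemplateNetworkOnly", TEMPLATE1),   # ... plus a custom role on the template
    Permission("dave", "TemplateNetworkOnly", TEMPLATE1),    # template only, no right on the vNIC profile
]


def evaluate(perms: List[Permission] = PERMS) -> Dict[str, bool]:
    """Decision for each constructed user trying to add PROFILE1 as a vNIC of TEMPLATE1."""
    return {u: can_add_vnic_to_template(perms, u, TEMPLATE1, PROFILE1)
            for u in ("alice", "bob", "carol", "dave")}


if __name__ == "__main__":
    for user, ok in evaluate().items():
        print(f"{user:6s} add vNIC to {TEMPLATE1.name}: {'allowed' if ok else 'denied'}")
```

Alice's denial is the situation reported in this bug: her NetworkAdmin grant covers the vnic profile (inherited from the network) but nothing in the template's ancestry. Bob's grant sits on the DC, which is an ancestor of both objects, so both checks pass. Dave shows the symmetric failure: a role on the template alone says nothing about the profile.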

Comment 3 Dan Kenigsberg 2016-10-09 08:24:37 UTC
Aleksei, please reopen the bug if defining a custom role of NetworkAdmin+CONFIGURE_TEMPLATE_NETWORK does not satisfy your needs (and explain why).