Bug 1464093
| Summary: | Not able to retire VM/instance via API unless "Set Retirement Date" feature is checked for role | |||
|---|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | Sachin <sacpatil> | |
| Component: | API | Assignee: | Jillian Tullo <jtullo> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Martin Kourim <mkourim> | |
| Severity: | high | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 5.7.0 | CC: | igortiunov, jhardy, jtullo, mkourim, obarenbo, simaishi, yrudman | |
| Target Milestone: | GA | Keywords: | TestOnly, ZStream | |
| Target Release: | 5.9.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | 5.9.0.1 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1468614 1478508 (view as bug list) | Environment: | ||
| Last Closed: | 2018-03-06 15:51:20 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1468614, 1478508 | |||
Verified on 5.9.0.3 that it's possible to retire a VM using the REST API when "Set Retirement Date" is unchecked. |
Description of problem: I have role: EvmGroup-super-admin-psachin(copied from EvmGroup-super-admin) where "Everything" -> "Access Rules for all Virtual Machines" -> "VM Access Rules/Instance Access Rules" -> "Operate" -> "Set Ownership" & "Set Retirement Date" is checked. If I try to retire VM via API it gets retired ~~~ curl -k -l --user psachin:psachin \ -H "Content-Type: application/json" \ -i -X POST -H "Accept: application/json" \ -d { "action": "retire"} \ https://cfme.com/api/vms/21000000000145 HTTP/1.1 200 OK Date: Thu, 22 Jun 2017 12:08:05 GMT Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS Content-Type: application/json; charset=utf-8 Content-Security-Policy: default-src 'self'; connect-src 'self'; frame-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; report-uri /dashboard/csp_report Strict-Transport-Security: max-age=631152000 X-Content-Type-Options: nosniff X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block ETag: W/"76590b8bba8d9e8d4afaf2b054cebcd6" Cache-Control: max-age=0, private, must-revalidate X-Request-Id: 9b911396-c726-441c-b5ea-50c759628d8f X-Runtime: 0.408045 Transfer-Encoding: chunked {"success":true,"message":"VM id:21000000000145 name:'psachin-vm-with-2-nics-from-template' retiring","href":"https://10.74.130.155/api/vms/21000000000145"} ~~~ Whereas if "Set Retirement Date" is un-checked, the request is forbidden. ~~~ curl -k -l --user psachin:psachin \ -H "Content-Type: application/json" \ -i -X POST -H "Accept: application/json" \ -d { "action": "retire"} \ https://cfme.com/api/vms/21000000000145 HTTP/1.1 403 Forbidden Date: Thu, 22 Jun 2017 11:59:10 GMT Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS Content-Type: application/json; charset=utf-8 Content-Security-Policy: default-src 'self'; connect-src 'self'; frame-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; report-uri /dashboard/csp_report Strict-Transport-Security: max-age=631152000 X-Content-Type-Options: nosniff X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block Cache-Control: no-cache X-Request-Id: 7e05393d-98bc-4fa3-b63b-ef0ed5b74d9a X-Runtime: 0.123695 Transfer-Encoding: chunked {"error":{"kind":"forbidden","message":"Use of Action retire is forbidden","klass":"Api::ForbiddenError"}} ~~~ Version-Release number of selected component (if applicable): 5.7.2.1 How reproducible: Always Steps to Reproduce: 1. Please see description 2. 3. Actual results: Expected results: Additional info: