Bug 1503269

Summary: User without permissions on destination SD can move disk
Product: [oVirt] ovirt-engine Reporter: Gonza <grafuls>
Component: AAAAssignee: Idan Shaby <ishaby>
Status: CLOSED CURRENTRELEASE QA Contact: Radim Hrazdil <rhrazdil>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.2.0CC: amureini, bugs, lsvaty, lveyde, tnisan
Target Milestone: ovirt-4.2.2Keywords: Regression
Target Release: 4.2.2.2Flags: rule-engine: ovirt-4.2+
rule-engine: blocker+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovirt-engine-4.2.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-29 11:07:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Storage RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gonza 2017-10-17 17:19:59 UTC 
Description of problem:
A user with UserVMManager role on a VM and StorageAdmin role on source SD can move it's disk to an SD without permissions.

Version-Release number of selected component (if applicable):
ovirt-engine-4.2.0-0.0.master.20171012160334.git6fb4578.el7.centos.noarch

How reproducible:
100%

Steps to Reproduce:
1. Create VM from blank template and grant UserVMManager permissions to 'user1'
2. Grant StorageAdmin permission on source SD to 'user1'
3. With 'user1', move disk from source SD to destination SD without permissions

Actual results:
'user1' is able to move disk

Expected results:
'user1' should not be able to move disk to an SD without permissions
Comment 1 Red Hat Bugzilla Rules Engine 2017-12-14 12:28:46 UTC 
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.
Comment 2 Radim Hrazdil 2018-03-07 08:25:08 UTC 
Verified that after following steps in the description, the user 'test1' with UserVMManager permission to a VM and StorageAdmin permission to source SD cannot move disk to another SD. Message 'Error while executing action: User is not authorized to perform this action.' is displayed.

Software Version:4.2.2.1-0.1.el7
Comment 3 Radim Hrazdil 2018-03-07 08:41:53 UTC 
Also verified for Software Version:4.2.2.2-0.1.el7.
Comment 4 Sandro Bonazzola 2018-03-29 11:07:28 UTC 
This bugzilla is included in oVirt 4.2.2 release, published on March 28th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.2 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.