Bug 1511697

Summary: [RFE] Unable to set permission on all but Hosted-Engine VM and Storage Domain
Product: Red Hat Enterprise Virtualization Manager Reporter: Andrea Perotti <aperotti>
Component: ovirt-engineAssignee: Eli Mesika <emesika>
Status: CLOSED ERRATA QA Contact: Petr Matyáš <pmatyas>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.1.6CC: aperotti, apinnick, inetkach, lsurette, lsvaty, mgoldboi, michal.skrivanek, mkalinin, mperina, msivak, obockows, rbarry, rdlugyhe, Rhev-m-bugs, srevivo
Target Milestone: ovirt-4.3.1Keywords: FutureFeature
Target Release: 4.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
Previously, an administrator with the `ClusterAdmin` role was able to modify the self-hosted engine virtual machine, which could cause damage. In the current release, only a `SuperUser` can modify a self-hosted engine and its storage domain.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-08 12:36:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1523346    

Description Andrea Perotti 2017-11-09 22:05:51 UTC 
Description of problem:
When setting up permission for a group of users that should manage/offer support on VMs running on RHV but must NOT be admin of the whole infra, is not possible to define some permission that apply to all VMs and Storage Domains, except the Hosted-Engine one.

A typical 1st level support team should perform just following operations:
•	Login to Administration portal
•	Creating, editing and removing vNICs for all VMs (SHE excluded)
•	Full “BASIC OPERATION” (start, poweroff, suspend, reboot etc etc) for all VMs (SHE excluded)
•	Editing properties (hot plug/unplug vCPU, RAM etc etc) for all VMs (SHE excluded)
•	Creating, adding, attaching, detaching, removing, deleting and editing properties (size, alias, description etc etc) vDISKS for all VMs (SHE excluded, so master_hosted_engine storage domain)

So they should absolutely not be able to manage SHE VM and its master_hosted engine storage domain. (only Superuser msut be able).

This is not currently possible, because if the permission are given at system level, they do apply to ALL objects, including SHE and its SD.

That granularity level can be reached by setting VM per VM the permission, but this from an operations PoV is not a viable option.

The request here is to make SHE a special object with dedicated permission or to 
exclude by default when declaring at system level the permissions to exclude SHE and its SD.

Version-Release number of selected component (if applicable):
RHV 4.1.x
Comment 1 Yaniv Kaul 2017-11-09 22:14:39 UTC 
We have not yet released 4.1.9.
Which version is it?
Comment 12 Martin Perina 2017-12-08 13:41:31 UTC 
We are still evaluating possible technical solutions to this issue. When done we will target the bug to relevant release.
Comment 13 Olimp Bockowski 2018-09-13 08:12:22 UTC 
Hello Martin, 
nearly 1 year later, what is the plan?
Comment 15 Martin Perina 2019-02-05 13:00:02 UTC 
Removing devel_ack+, we are still discussing how this could be achieved
Comment 18 Petr Matyáš 2019-02-25 11:42:12 UTC 
Verified on ovirt-engine-4.3.1.1-0.1.el7.noarch
Comment 20 errata-xmlrpc 2019-05-08 12:36:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:1085