Bug 1565183
Summary: | Snapshot creation with memory fails on permission validation | | |
---|---|---|---|
Product: | [oVirt] ovirt-engine | Reporter: | Benny Zlotnik <bzlotnik> |
Component: | BLL.Virt | Assignee: | Liran Rotenberg <lrotenbe> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Qin Yuan <qiyuan> |
Severity: | high | Docs Contact: | |
Priority: | medium | | |
Version: | future | CC: | ahadas, bugs, dfodor, mavital, michal.skrivanek, mperina, mzamazal, qiyuan, sasha, tnisan |
Target Milestone: | ovirt-4.5.3 | Keywords: | PrioBumpQA |
Target Release: | --- | Flags: | pm-rhel: ovirt-4.5? |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2022-12-05 12:46:31 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | Virt | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Benny Zlotnik
2018-04-09 14:47:59 UTC

Comment #1 (Ryan Barry)

Re-targeting, since this may be important for security (users without permissions to all objects shouldn't be able to perform the action at all)

Comment

(In reply to Ryan Barry from comment #1)
> Re-targeting, since this may be important for security (users without
> permissions to all objects shouldn't be able to perform the action at all)

Ryan, are you sure 4.5 is the right target given the above comment?

Comment

You're right, Sandro. Thanks.

Comment

We need to make sure to pick a storage domain that the user has permissions on (and there needs to be one, because it's probably not a diskless VM).

Comment #5

Tested with ovirt-engine-4.5.2.1-0.1.el8ev.noarch

Steps:
1. Create a VM with one disk on storage domain nfs_0; the disk alias is latest-rhel-guest-image-8.6-infra
2. Create a non-admin user
   - with UserVmManager permission
   - with attach disk profile permission on storage domain nfs_1
   - without attach disk profile permission on storage domain nfs_0
3. Create two disks on storage domain nfs_1; aliases are a-disk, z-disk
4. With the user, attempt to create a live snapshot with memory
5. Attach disk z-disk to the VM
6. With the user, attempt to create a live snapshot with memory
7. Attach disk a-disk to the VM
8. With the user, attempt to create a live snapshot with memory

Results:
1. When the VM only has one disk on storage domain nfs_0, creating a live snapshot with memory failed:

2022-08-08 13:45:31,084+03 INFO [org.ovirt.engine.core.bll.memory.MemoryStorageHandler] (default task-90) [546713ad-c594-4c7e-8adb-8abb69847ab6] The memory volumes of VM (name 'golden_env_mixed_virtio_0', id '56066d4f-63c0-43b4-9a75-8b596681391c') will be stored in storage domain (name 'nfs_0', id 'c76c2853-666b-4324-93f3-f963adb1790a')
...
2022-08-08 13:45:31,329+03 WARN [org.ovirt.engine.core.bll.storage.disk.AddDiskCommand] (default task-90) [546713ad-c594-4c7e-8adb-8abb69847ab6] Validation of action 'AddDisk' failed for user user1@internal-authz. Reasons: VAR__ACTION__ADD,VAR__TYPE__DISK,USER_NOT_AUTHORIZED_TO_ATTACH_DISK_PROFILE
...
2022-08-08 13:45:31,337+03 ERROR [org.ovirt.engine.core.bll.snapshots.CreateSnapshotForVmCommand] (default task-90) [546713ad-c594-4c7e-8adb-8abb69847ab6] Command 'org.ovirt.engine.core.bll.snapshots.CreateSnapshotForVmCommand' failed: EngineException: Failed to create disk! golden_env_mixed_virtio_0_snapshot_memory (Failed with error ENGINE and code 5001)
...
2022-08-08 13:45:31,355+03 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-90) [546713ad-c594-4c7e-8adb-8abb69847ab6] EVENT_ID: USER_FAILED_CREATE_SNAPSHOT(117), Failed to create Snapshot snap1 for VM golden_env_mixed_virtio_0 (User: user1@internal-authz).

2. When disk z-disk is attached to the VM, creating a live snapshot with memory failed:

2022-08-08 13:50:59,996+03 INFO [org.ovirt.engine.core.bll.memory.MemoryStorageHandler] (default task-99) [05833de3-1a9d-4822-9b4a-4c12bced2ba8] The memory volumes of VM (name 'golden_env_mixed_virtio_0', id '56066d4f-63c0-43b4-9a75-8b596681391c') will be stored in storage domain (name 'nfs_0', id 'c76c2853-666b-4324-93f3-f963adb1790a')
...
2022-08-08 13:51:00,482+03 WARN [org.ovirt.engine.core.bll.storage.disk.AddDiskCommand] (default task-99) [05833de3-1a9d-4822-9b4a-4c12bced2ba8] Validation of action 'AddDisk' failed for user user1@internal-authz. Reasons: VAR__ACTION__ADD,VAR__TYPE__DISK,USER_NOT_AUTHORIZED_TO_ATTACH_DISK_PROFILE
...
2022-08-08 13:51:00,491+03 ERROR [org.ovirt.engine.core.bll.snapshots.CreateSnapshotForVmCommand] (default task-99) [05833de3-1a9d-4822-9b4a-4c12bced2ba8] Command 'org.ovirt.engine.core.bll.snapshots.CreateSnapshotForVmCommand' failed: EngineException: Failed to create disk! golden_env_mixed_virtio_0_snapshot_memory (Failed with error ENGINE and code 5001)
...
2022-08-08 13:51:00,501+03 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-99) [05833de3-1a9d-4822-9b4a-4c12bced2ba8] EVENT_ID: USER_FAILED_CREATE_SNAPSHOT(117), Failed to create Snapshot snap1 for VM golden_env_mixed_virtio_0 (User: user1@internal-authz).

3. When disk a-disk is attached to the VM, creating a live snapshot with memory succeeded:

2022-08-08 13:58:44,416+03 INFO [org.ovirt.engine.core.bll.memory.MemoryStorageHandler] (default task-93) [5ea9d0fb-6407-414d-85d6-a648e4098f78] The memory volumes of VM (name 'golden_env_mixed_virtio_0', id '56066d4f-63c0-43b4-9a75-8b596681391c') will be stored in storage domain (name 'nfs_1', id '3b052619-5922-46eb-834c-17077b66f991')
...
2022-08-08 13:59:10,371+03 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-22) [] EVENT_ID: USER_CREATE_SNAPSHOT_FINISHED_SUCCESS(68), Snapshot 'snap1' creation for VM 'golden_env_mixed_virtio_0' has been completed.

According to the tests, it seems that the storage domain of the first disk of the VM is selected to store the memory volumes of the VM when creating a live snapshot with memory. If the user doesn't have attach disk profile permission on that storage domain, creating the snapshot fails at adding the disk because of USER_NOT_AUTHORIZED_TO_ATTACH_DISK_PROFILE.

Another issue is: do we need to consider the situation where the user with UserVmManager permission doesn't have attach disk profile permission on any of the VM disks' storage domains? Will it happen in customer use cases?

Comment

The strange thing is that the user is using a storage domain without permission; it seems to work for step 8 (a-disk on nfs_1, on which the user has permission). Another point is that, without permission to nfs_0, it is still being used (maybe something is wrong with the query, or with handling the result).

The current PR changed to query only SDs the user has permission to use for the memory snapshot. Therefore, if we wish to prevent the command, we may validate it on the command to prevent the whole command.

Comment

Verified with: ovirt-engine-4.5.3-0.2.el8ev.noarch

Steps:
The same steps as in comment #5

Results:
A live snapshot with memory can be created successfully when the non-admin user has UserVmManager permission but doesn't have the "attach disk profile" permission.

Comment

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
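The two selection strategies discussed in the thread (first-disk domain versus permission-filtered query) and the up-front validation suggested in the comment above, as an added illustration that is not ovirt-engine code; the disk ordering by alias, the `VM_HAS_NO_DISKS` reason code and the data model are assumptions made here to replay steps 4, 6 and 8 of comment #5:

```python
# Added illustration, not ovirt-engine code: choosing the storage domain for
# snapshot memory volumes with and without regard to the caller's permissions.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Disk:
    alias: str
    storage_domain: str

@dataclass(frozen=True)
class User:
    name: str
    attach_disk_profile_on: frozenset  # domains with attach-disk-profile permission

def by_alias(disks: List[Disk]) -> List[Disk]:
    # Assumption: the engine lists disks ordered by alias; this matches steps 4-8.
    return sorted(disks, key=lambda d: d.alias)

def memory_domain_first_disk(disks: List[Disk]) -> Optional[str]:
    """Behaviour observed in the report: the first disk's domain is taken
    regardless of permissions, so AddDisk fails later inside the command."""
    ordered = by_alias(disks)
    return ordered[0].storage_domain if ordered else None

def memory_domain_permitted(disks: List[Disk], user: User) -> Optional[str]:
    """Behaviour described in the fix: query only domains the user may use."""
    for disk in by_alias(disks):
        if disk.storage_domain in user.attach_disk_profile_on:
            return disk.storage_domain
    return None

def validate_snapshot_with_memory(disks: List[Disk], user: User) -> List[str]:
    """Up-front validation so the whole command is refused before any disk
    is added, instead of failing half-way with 'Failed to create disk!'."""
    if not disks:
        return ["VM_HAS_NO_DISKS"]  # constructed reason code, not an engine one
    if memory_domain_permitted(disks, user) is None:
        return ["USER_NOT_AUTHORIZED_TO_ATTACH_DISK_PROFILE"]
    return []

def reproduce_report() -> List[tuple]:
    """Constructed replay of steps 4, 6 and 8: (old choice, fixed choice, reasons)."""
    user = User("user1@internal-authz", frozenset({"nfs_1"}))
    disks = [Disk("latest-rhel-guest-image-8.6-infra", "nfs_0")]
    out = []
    for extra in (None, Disk("z-disk", "nfs_1"), Disk("a-disk", "nfs_1")):
        if extra is not None:
            disks.append(extra)
        out.append((memory_domain_first_disk(disks),
                    memory_domain_permitted(disks, user),
                    validate_snapshot_with_memory(disks, user)))
    return out
```

The replay shows why step 8 succeeded while steps 4 and 6 failed: the old strategy only happens to land on nfs_1 once a-disk sorts first, whereas the permission-filtered query chooses nfs_1 as soon as any disk on it exists.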