Bug 1641048

Summary: Engine raises 'insufficient permissions' error when normal user try to access /datacenters?follow=storage_domains
Product: [oVirt] ovirt-engine
Reporter: Lucie Leistnerova <lleistne>
Component: RestAPI
Assignee: Ahmad Khiet <akhiet>
Status: CLOSED CURRENTRELEASE
QA Contact: Lucie Leistnerova <lleistne>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.3.0
CC: bugs, frolland, lleistne, tnisan
Target Milestone: ovirt-4.3.0
Flags: rule-engine: ovirt-4.3+, lleistne: testing_ack+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-engine-4.3.0_rc
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-02-21 14:17:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Storage
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Lucie Leistnerova 2018-10-19 13:42:21 UTC
Description of problem:
Calling storagedomains?follow=storage_domains with non-admin users shows the error 'insufficient permissions' in the engine log and does not return all information.

Version-Release number of selected component (if applicable):
ovirt-engine-restapi-4.3.0-0.0.master.20181016132820.gite60d148.el7.noarch

How reproducible: always


Steps to Reproduce:
1. Call as a non-admin user with the VmCreator role:
curl -k -u test@internal:passw -H "Prefer: persistent-auth" "https://engine/ovirt-engine/api/datacenters?follow=storage_domains"


Actual results: storage element contains only:

                <storage>
                    <type>nfs</type>
                </storage>

error 3x in engine log

2018-10-19 15:36:02,485+02 ERROR [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] (default task-29) [2873abfe-5332-48a6-a309-f46596df59da] Query execution failed due to insufficient permissions.



Expected results:
storage with all information and no error
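
To check whether an engine.log still contains this error after an upgrade, the following added example (not part of the original report and not oVirt project code) counts permission-denied query failures per query class and per request. It assumes the line layout of the log line quoted above and treats the bracketed ID as a per-request correlation ID; apart from the first sample line, the log lines are constructed.

```python
import re
from collections import defaultdict

# Layout of the engine.log line quoted in the report (assumed stable):
# timestamp LEVEL [logger] (thread) [correlation-id] message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{2,4})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[\w.$]+)\]\s+"
    r"\((?P<thread>[^)]*)\)\s+\[(?P<corr>[^\]]*)\]\s+(?P<msg>.*)$"
)
DENIED = "Query execution failed due to insufficient permissions."


def denied_queries(lines):
    """Group permission-denied query failures by query class.

    Returns {query_class: {correlation_id: count}} so repeated failures
    inside one API request can be told apart from separate requests.
    """
    result = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["level"] != "ERROR" or m["msg"].strip() != DENIED:
            continue  # other levels, other messages, stack-trace lines
        query = m["logger"].rsplit(".", 1)[-1]  # simple class name
        result[query][m["corr"]] += 1
    return {q: dict(c) for q, c in result.items()}


# Constructed sample: the first line is the one quoted in the report, the
# remaining lines are made up to exercise the parser.
SAMPLE_LOG = """\
2018-10-19 15:36:02,485+02 ERROR [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] (default task-29) [2873abfe-5332-48a6-a309-f46596df59da] Query execution failed due to insufficient permissions.
2018-10-19 15:36:02,491+02 ERROR [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] (default task-29) [2873abfe-5332-48a6-a309-f46596df59da] Query execution failed due to insufficient permissions.
2018-10-19 15:36:02,497+02 ERROR [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] (default task-29) [2873abfe-5332-48a6-a309-f46596df59da] Query execution failed due to insufficient permissions.
2018-10-19 15:36:03,010+02 INFO  [org.example.SomeLogger] (default task-30) [constructed-id] Unrelated message
    at org.example.Frame.method(Frame.java:1)
""".splitlines()

if __name__ == "__main__":
    for query, by_request in denied_queries(SAMPLE_LOG).items():
        for corr, count in by_request.items():
            print(f"{query}: {count} denied in request {corr}")
```

An empty result for a log captured while a non-admin user repeats the request means the error is no longer being logged.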

Comment 1 Ondra Machacek 2018-10-22 12:26:57 UTC
It's because GetStorageDomainListByIdQuery is not a user query.

Comment 2 Tal Nisan 2018-10-22 13:22:51 UTC
(In reply to Ondra Machacek from comment #1)
> It's because GetStorageDomainListByIdQuery is not a user query.

Exactly, why is this query needed for an unprivileged user?

Comment 3 Lucie Leistnerova 2018-10-22 14:50:14 UTC
VM portal calls that query when it checks available data storage domains for creating new disks.
The VM portal uses only the id, name and type of the storage_domain, so it's not necessary to return all values in the <storage> element. But it shouldn't show an error in engine.log.

Comment 4 Ahmad Khiet 2018-12-11 12:50:05 UTC
The error message in the log was removed after adding GetStorageDomainListById(QueryAuthType.User) to QueryType,

but the storage domain information was intentionally filtered for admin-only requests.

This change was made in the following patch:
https://gerrit.ovirt.org/c/7003

where isFiltered() filters admin users only to view the information.

https://github.com/oVirt/ovirt-engine/blob/23cb61706a11a589c7586b366fe0981291d4d816/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendStorageDomainsResource.java#L334

Comment 5 Lucie Leistnerova 2019-02-18 07:50:29 UTC
No error in log and storage contains values that VM portal needs.

verified in ovirt-engine-restapi-4.3.0.4-0.1.el7.noarch

Comment 6 Sandro Bonazzola 2019-02-21 14:17:12 UTC
This bugzilla is included in oVirt 4.3.0 release, published on February 4th 2019.

Since the problem described in this bug report should be
resolved in oVirt 4.3.0 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.