Bug 1687597

Summary: User with custom role cannot retire VM
Product: Red Hat CloudForms Management Engine Reporter: David Luong <dluong>
Component: Automate Assignee: Lucy Fu <lufu>
Status: CLOSED ERRATA QA Contact: Ganesh Hubale <ghubale>
Severity: medium Docs Contact: Red Hat CloudForms Documentation <cloudforms-docs>
Priority: medium    
Version: 5.10.1 CC: abellott, dmetzger, ghubale, gmccullo, jrafanie, mkanoor, obarenbo, simaishi
Target Milestone: GA   
Target Release: 5.11.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 5.11.0.14 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-12-12 13:36:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: Bug
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core Target Upstream Version:
Embargoed:
Attachments:
Description Flags
request error none

Description David Luong 2019-03-11 20:30:13 UTC
Description of problem:
User with custom role cannot retire VM.

Version-Release number of selected component (if applicable):
5.10.1

How reproducible:
Always

Steps to Reproduce:
1.  Copy vm-user role
2.  Assign it to user
3.  User retire VM

Actual results:
User can't retire VM

Expected results:
User should be able to retire VM

Additional info:
Not sure if this happens on the vm-user default role, have not tested that out

[----] I, [2019-03-11T12:00:52.113483 #11151:14fe4e8]  INFO -- : <AuditSuccess> MIQ(MiqRequest.log_request_success) userid: [sbr-cfme] - VM Retire requested by <sbr-cfme> for Vm:[12000000000857]
[----] I, [2019-03-11T12:00:52.124757 #11151:14fe4e8]  INFO -- : MIQ(MiqQueue.put) Message id: [12000008436191],  id: [], Zone: [CFME-RHV], Role: [], Server: [], MiqTask id: [], Ident: [generic], Target id: [], Instance id: [12000000000913], Task id: [], Command: [VmRetireRequest.call_automate_event], Timeout: [3600], Priority: [100], State: [ready], Deliver On: [], Data: [], Args: ["request_created"]
[----] E, [2019-03-11T12:00:52.125469 #11151:14fe4e8] ERROR -- : MIQ(vm_infra_controller-x_button): Error during 'retire_now': not authorized

Comment 2 Joe Rafaniello 2019-03-26 19:32:46 UTC
David, do you have logs?  Do we know if the current group for the user is the group with that role?  You assign the role to the group, not the user. If they're in more than one group, the current group dropdown could be on the wrong group.

In user.rb, we:
  delegate   :miq_user_role, ...
             :to => :current_group ...

Can you test the default vm_user in the way you recreated it?

It should have access to the retire now.

db/fixtures/miq_user_roles.yml:

...
- :name: EvmRole-vm_user
  :read_only: true
  :miq_product_feature_identifiers:
  - about
  - all_vm_rules
...
  - vm_retire_now

After testing this with the out of box vm_user, please try with the copied one and provide the logs.  Specifically, I need to see the evm.log, audit.log and production.log but the current logs would be great.

Thanks!
Joe

Comment 3 David Luong 2019-03-27 21:02:49 UTC
Hey Joe,

I just created a vm_user with default vm_user group and I don't even have the option to retire the VM.  The only option I have in the UI is to provision.

Comment 4 David Luong 2019-03-27 21:08:49 UTC
Ah, it looks like Retire this VM isn't showing up in the VM overview, but if I click on a specific virtual machine, it'll let me click on retire, BUT it gives me the same error.  Immediately after clicking retire I'm brought to the requests on UI with this message: 'Error during 'retire_now': not authorized'

The retire this VM does show up on my custom role on a different VM though, so I'm not sure what's going on there.  Attaching pics and logs.

Comment 6 David Luong 2019-03-27 21:23:48 UTC
Created attachment 1548706 [details]
request error

Comment 8 Joe Rafaniello 2019-03-28 16:03:14 UTC
I believe this is in automate.  It looks to be hitting call_automate_event_queue and somehow it's not being approved with a "not authorized".  Does this code look at the role of the group the user is currently in?

The vm_user role has the vm_retire_now product feature found in db/fixtures/miq_user_roles.yml: 


- :name: EvmRole-vm_user
  :read_only: true
  :miq_product_feature_identifiers:
  - about
  - all_vm_rules
...
  - vm_retire_now
...

Comment 10 CFME Bot 2019-07-09 20:15:44 UTC
New commit detected on ManageIQ/manageiq/master:

https://github.com/ManageIQ/manageiq/commit/0cefc4c7f567484086321e0265d164e8655a941a
commit 0cefc4c7f567484086321e0265d164e8655a941a
Author:     Lucy Fu <lufu>
AuthorDate: Wed Apr  3 11:52:03 2019 -0400
Commit:     Lucy Fu <lufu>
CommitDate: Wed Apr  3 11:52:03 2019 -0400

    Use admin to auto approve a request.

    The approver needs to have miq_request_approval role and admin is the only default user with that role.

    https://bugzilla.redhat.com/show_bug.cgi?id=1687597

 app/models/miq_request.rb | 2 +-
 spec/models/automation_request_spec.rb | 3 +
 spec/models/miq_request_spec.rb | 12 +
 spec/models/miq_schedule_spec.rb | 1 +
 4 files changed, 17 insertions(+), 1 deletion(-)
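
The two authorization points raised in this thread (the role is resolved through the user's current group, and the approver needs a separate miq_request_approval privilege), as an added Ruby sketch that is not ManageIQ's code and not part of the commit. All class and method names are hypothetical, miq_request_approval is modelled as a feature string, and approval as the requester before the fix is an assumption drawn from the log above.

```ruby
# Simplified model of the checks discussed in this bug; not ManageIQ code.
# Role, Group, User, Request, NotAuthorized and retire are hypothetical names.
class NotAuthorized < StandardError; end
Role  = Struct.new(:name, :features)
Group = Struct.new(:name, :role)

class User
  attr_reader :userid
  attr_accessor :current_group

  def initialize(userid, groups)
    @userid = userid
    @current_group = groups.first
  end

  # As in the delegation quoted from user.rb: the role comes from the current group only.
  def allowed?(feature)
    current_group.role.features.include?(feature)
  end
end

class Request
  attr_reader :approved_by

  def initialize(requester, feature)
    raise NotAuthorized unless requester.allowed?(feature)
  end

  # Approving is a separate privilege from creating the request.
  def approve(approver)
    raise NotAuthorized unless approver.allowed?("miq_request_approval")
    @approved_by = approver.userid
  end
end

# as_admin: false models approving as the requester (assumed pre-fix behaviour);
# as_admin: true models the commit's "Use admin to auto approve a request."
def retire(requester, admin, as_admin:)
  request = Request.new(requester, "vm_retire_now")
  request.approve(as_admin ? admin : requester)
  "approved by #{request.approved_by}"
rescue NotAuthorized
  "Error during 'retire_now': not authorized"
end

# Constructed sample roles (feature lists abbreviated).
VM_USER_COPY = Role.new("custom-vm_user", %w[about all_vm_rules vm_retire_now])
ADMIN_ROLE   = Role.new("admin-role", %w[vm_retire_now miq_request_approval])
READ_ONLY    = Role.new("read-only", %w[about])
```

In this model the requester's own vm_retire_now check still runs before the admin-context approval, so switching the approver does not widen who can create a retirement request.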

Comment 11 Ganesh Hubale 2019-07-15 09:58:44 UTC
Checked on version: 5.11.0.14.20190710225033_cb17ff0

Created user (new_user) with custom role (copying default vm_user role) attached to custom group and retired VM.

VM retired successfully.  

Retire VM option is available on Vm's all and details page.

Hence verifying this BZ.

Comment 13 errata-xmlrpc 2019-12-12 13:36:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:4199