Bug 1951579

Summary: RHV api issues when account has only "UserRole" permissions
Product: Red Hat Enterprise Virtualization Manager
Reporter: Marian Jankular <mjankula>
Component: ovirt-engine
Assignee: Ori Liel <oliel>
Status: CLOSED ERRATA
QA Contact: Guilherme Santos <gdeolive>
Severity: medium
Docs Contact:
Priority: low
Version: 4.3.11
CC: mavital, mperina, oliel, robert.dahlem
Target Milestone: ovirt-4.4.7
Keywords: ZStream
Target Release: 4.4.7
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-engine-4.4.7
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-07-22 15:12:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Marian Jankular 2021-04-20 13:53:42 UTC
Description of problem:
RHV api issues when user has only "UserRole" permissions

Version-Release number of selected component (if applicable):
4.3.x
4.4.x as well

How reproducible:
every time

Steps to Reproduce:
1. create user with "UserRole" permission only
2. try to get host info with query below issued on the manager:
# curl --cacert /etc/pki/ovirt-engine/ca.pem -u <USER>:<PASSWORD> https://<manager_fqdn>/ovirt-engine/api/hosts?search=page%2050

or even 

# curl --cacert /etc/pki/ovirt-engine/ca.pem -u <USER>:<PASSWORD> https://<manager_fqdn>/ovirt-engine/api/hosts?search=page%20100
3.

Actual results:
Even though there is only one host in my environment, the same host repeats on and on in pages 1-100+

Expected results:
if all hosts were shown on the first page, do not show them on the next pages

Additional info:
If the user has any of the admin accounts (tested with "ReadOnlyAdmin" and "SuperUser"), the query is correct; in my case I get output of one host on page 1, and when I query page 2 the output is:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<hosts/>

Comment 1 Ori Liel 2021-04-22 08:50:22 UTC
From a brief examination it doesn't look to me like the problem is in the API layer; rather, I tend to believe that it's somewhere in the search implementation in the Engine

Comment 5 Guilherme Santos 2021-07-01 15:26:51 UTC
Verified on:
ovirt-engine-4.4.7.5-0.9.el8ev.noarch

Steps:
1. Create a new user (user1) with User Role
2. Query paginated hosts info through the REST API
# curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%201" -k
# curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%202" -k
# curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%203" -k

Results:
Info properly queried and no repetition of info in empty pages (same response as admin user):
# curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%203" -k
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<hosts/>
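
A regression check for the pagination behaviour reproduced and verified in this report, as an added example that is not part of the bug report or of ovirt-engine: it parses successive `/ovirt-engine/api/hosts?search=page%20N` responses and reports any host id returned on more than one page. The helper names (`host_ids`, `repeated_hosts`, `fetch_page`) are hypothetical, the host XML and id are constructed samples, and `fetch_page` verifies the engine certificate against a CA file, as the `--cacert` invocation in the description does.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from base64 import b64encode

def host_ids(xml_text):
    """Return the id attribute of every <host> element in one /api/hosts response."""
    return [host.get("id") for host in ET.fromstring(xml_text).findall("host")]

def repeated_hosts(pages):
    """Map host id -> 1-based page numbers, for hosts returned on more than one page."""
    seen = {}
    for number, xml_text in enumerate(pages, start=1):
        for host_id in sorted(set(host_ids(xml_text))):
            seen.setdefault(host_id, []).append(number)
    return {host_id: nums for host_id, nums in seen.items() if len(nums) > 1}

def fetch_page(base_url, user, password, page, cafile):
    """GET one page of hosts with HTTP basic auth, verifying TLS against cafile."""
    query = urllib.parse.quote(f"page {page}")  # "page 2" -> "page%202"
    req = urllib.request.Request(
        f"{base_url}/ovirt-engine/api/hosts?search={query}",
        headers={"Accept": "application/xml"},
    )
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")

# Constructed sample responses (not captured from a real engine).
HOST_ID = "00000000-0000-0000-0000-000000000001"
ONE_HOST = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    f'<hosts><host href="/ovirt-engine/api/hosts/{HOST_ID}" id="{HOST_ID}">'
    "<name>host1</name></host></hosts>"
)
EMPTY = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n<hosts/>'

if __name__ == "__main__":
    # Behaviour reported for a UserRole-only account: same host on every page.
    print("reported:", repeated_hosts([ONE_HOST, ONE_HOST, ONE_HOST]))
    # Behaviour verified after the fix: pages past the data are empty.
    print("verified:", repeated_hosts([ONE_HOST, EMPTY, EMPTY]))
```

Against a live engine, collect pages with `fetch_page(...)` for both a UserRole-only account and an admin account and pass each list to `repeated_hosts`; an empty result for both matches the verified behaviour.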

Comment 10 errata-xmlrpc 2021-07-22 15:12:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.7]), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2865

Comment 11 meital avital 2022-08-03 12:01:22 UTC
Due to QE capacity, we are not going to cover this issue in our automation