Bug 796380

Summary: Unable to define a 'system administrator' user for a zone
Product: [Retired] CloudForms Cloud Engine Reporter: Steve Reichard <sreichar>
Component: aeolus-conductorAssignee: Dave Johnson <dajohnso>
Status: CLOSED CURRENTRELEASE QA Contact: Dave Johnson <dajohnso>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 1.0.0CC: akarol, cpelland, deltacloud-maint, hbrock, rlandy, scollier, ssachdev, sseago
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-13 19:49:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
Cloud Resource Zone Blueprint Administrator none

Description Steve Reichard 2012-02-22 19:27:39 UTC 
Description of problem:

I am trying to make a user who can maintain images/applications/catalog for one zone.

I have multiple Cloud Resource Providers.
I created accounts for Provider.
I have create a cloud named 'refarch'.
I added the provider accounts to the 'refarch' Cloud.
In this cloud I created a zone named 'dev' and made enabled
A catalog named 'devcat' was created and associated with zone 'dev'
I have created  a user named 'sadev'.
'sadev' was given the only roles 'Applicaiton Bluepint Administrator', 'Image Administrator', and  'Profile Global User' (not individually assignable) 
'sadev' user was given the 'Cloud User' role to the 'refarch' Cloud.
the user 'sadev' was given the Zone Owner role to the 'dev' zone


When I log in as sadev,  I had no problem launching an existing AppForm.

Then I went to attempt to build a new applation,  I was able to load a TDL file, but when I save I get the error "Images cannot be built, as no provider accounts are currently enabled"

When I log in as an adminstrator I see there are roles associated with providers, but the only option is Provider Owner.  This did not seem right, I could see Provider User.

Checking under Global Role Grants - I see Provider Administrator and Provider Creator.  Since I just want them to be a user, neither of these seem correct either.





Version-Release number of selected component (if applicable):


[root@cf-cloudforms9 imagefactory]# /pub/scripts/post_install_configuration_scripts/cf-versions 
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Linux cf-cloudforms9.cloud.lab.eng.bos.redhat.com 2.6.32-220.4.2.el6.x86_64 #1 SMP Mon Feb 6 16:39:28 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
postgresql-8.4.9-1.el6_1.1.x86_64
mongodb-1.8.2-3.el6.x86_64
euca2ools-1.3.1-4.el6_0.noarch
ruby-1.8.7.352-5.el6_2.x86_64
rubygems-1.8.10-1.el6.noarch
deltacloud-core-0.5.0-5.el6.noarch
rubygem-deltacloud-client-0.5.0-2.el6.noarch
package libdeltacloud is not installed
hail-0.8-0.2.gf9c5b967.el6_0.x86_64
puppet-2.6.11-1.el6_1.noarch
aeolus-configure-2.5.0-14.el6.noarch
iwhd-1.2-3.el6.x86_64
imagefactory-1.0.0rc5-1.el6.noarch
aeolus-conductor-daemons-0.8.0-28.el6.noarch
aeolus-conductor-0.8.0-28.el6.noarch
[root@cf-cloudforms9 imagefactory]# 




How reproducible:

I've been able to create the proper role since I've been using CE. However I keep seeming to get closer.


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Scott Seago 2012-02-24 17:07:56 UTC 
So a few comments here:
1) images belong to the cloud, and there will be a "Cloud Image Administrator" role that can upload/build/push images and manage catalogs within the cloud.
2) at the Zone level, it sounds like we need a "Zone Application Blueprint Administrator" that can manage catalogs/app blueprints within the zone
3) Adding provider accounts to the zone will be part of "Cloud Administrator" The assigned Cloud Administrator will also need "Provider Account User" rights to add a given provider account. The Cloud admin will not need any specific rights on the Provider itse.f
4) Regarding Provider Owner and User roles -- this relates to a discussion that Jay and I had -- really "Owner" and "Administrator" grant the same level of rights, but there are subtle differences in implication around numbers of users, etc. basically for Provider Accounts, Instances, Applications we'll keep Owner, but for Zones, Clouds, Providers, we should use Administrator. In any case, the rights conferred are the same -- edit/view/use/delete/etc.
Comment 2 Hugh Brock 2012-02-27 16:22:56 UTC 
Scott, we'll wait for the roles docs you're working on to make a decision on this bug one way or another.
Comment 3 Scott Seago 2012-02-29 16:50:24 UTC 
The fix for 788148 should include everything needed here. Should this be considered a duplicate?
Comment 4 Ronelle Landy 2012-09-27 13:58:55 UTC 
This BZ is still marked as 'NEEDINFO' so checking in on what the final decision is ...

In the mean time,

Tested rpms:

>> rpm -qa |grep aeolus
aeolus-configure-2.8.7-1.el6cf.noarch
rubygem-aeolus-image-0.3.0-12.el6.noarch
rubygem-aeolus-cli-0.7.2-1.el6cf.noarch
aeolus-conductor-0.13.14-1.el6cf.noarch
aeolus-conductor-daemons-0.13.14-1.el6cf.noarch
aeolus-conductor-doc-0.13.14-1.el6cf.noarch
aeolus-all-0.13.14-1.el6cf.noarch

I can see that Zone specific roles have been added. 

 - As admin user, I could assign another user as a Cloud Resource Zone Application Blueprint Administrator. I could then ...
 - Log in as that user
 - Create a new Application Blueprint and save it

Considering the above results and the fact thet BZ-788148 is closed ... can we verify this BZ?
Comment 5 Ronelle Landy 2012-09-27 14:01:42 UTC 
Created attachment 618089 [details]
Cloud Resource Zone Blueprint Administrator
Comment 6 Hugh Brock 2012-10-31 20:31:27 UTC 
I think this is sorted now...
Comment 7 Dave Johnson 2012-11-06 16:08:35 UTC 
Good 2 go with the following rpms:

aeolus-conductor-0.13.24-1.el6cf.noarch
aeolus-conductor-daemons-0.13.24-1.el6cf.noarch
aeolus-conductor-doc-0.13.24-1.el6cf.noarch