Bug 805480

Summary: [RFE] engine-manage-domains should contain -role=superuser
Product: [Retired] oVirt
Reporter: Pavel Stehlik <pstehlik>
Component: ovirt-engine-config
Assignee: Doron Fediuck <dfediuck>
Status: CLOSED WONTFIX
QA Contact:
Severity: high
Docs Contact:
Priority: unspecified
Version: unspecified
CC: acathrow, iheim, ykaul
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: infra
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-30 13:23:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Pavel Stehlik 2012-03-21 12:50:33 UTC
Description of problem:
When adding a new domain, the user that is supposed to connect to the AD/IPA is not added as superuser. It would be nice to have it added as superuser too. Would it be possible to have a new param (e.g. -role=superuser)?

Version-Release number of selected component (if applicable):
ovirt-engine-3.0.0_0001-3.git4364f1b.fc16.x86_64

Steps to Reproduce:
1. try to add new domain

Comment 1 Doron Fediuck 2012-03-22 05:04:55 UTC
Pavel,
the user you write when adding a domain is an ldap entity with
sufficient privileges for querying the ldap server. This does
not need any special permission in the backend. Can you please
explain why you need the superuser role for that query user?

Comment 2 Pavel Stehlik 2012-03-22 08:40:21 UTC
(In reply to comment #1)
> Pavel,
> the user you write when adding a domain is an ldap entity with
> sufficient privileges for querying the ldap server. This does
> not need any special permission in the backend. Can you please
> explain why you need the superuser role for that query user?

I'd suspect the customer has more systems in the house than our solution. I'd suspect that each system uses its own permissions (backup, virt, etc.).
I wouldn't suspect that I must have 2 accounts for each service in AD (or other DS).
Based on the above, I think it's a good idea at least to offer this option.

Can you please explain why not to have it there?

Comment 3 Doron Fediuck 2012-03-27 11:56:30 UTC
(In reply to comment #2)
> (In reply to comment #1)
> 
> Can you please explain why not to have it there?

Pavel,
I still do not see the use case, but in general the following
will always be true:
Permissions are given on a need-to-have basis, since any extra
permission may cause a security issue. No permission mechanism
will allow extra permission on a nice-to-have basis. So in this
case the specific customer may use the users dialog to add roles
to his user.

Comment 4 Doron Fediuck 2012-05-30 13:23:42 UTC
It's been a while, with no response.
This RFE has a potential of giving excessive permissions, so it's being closed.