Bug 839275

Summary: RHEVM - Backend: User with no quota privileges can consume quota resources
Product: Red Hat Enterprise Virtualization Manager Reporter: Daniel Paikov <dpaikov>
Component: ovirt-engineAssignee: Gilad Chaplik <gchaplik>
Status: CLOSED CURRENTRELEASE QA Contact: Dafna Ron <dron>
Severity: high Docs Contact:
Priority: high    
Version: 3.1.0CC: amureini, dfediuck, dyasny, hateya, iheim, lpeer, Rhev-m-bugs, sgrinber, yeylon, ykaul
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sla
Fixed In Version: SI13 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-04 20:04:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: SLA RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
engine.log none

Description Daniel Paikov 2012-07-11 12:48:12 UTC
Created attachment 597557 [details]
engine.log

* Create VM under a quota.
* Don't assign consumers to VM.
* Run VM as a user.
* VM runs and consumes quota resources even though the user isn't assigned to the quota.

Comment 2 Dafna Ron 2012-08-06 09:23:56 UTC
not verified. 
it seems that consumer tab has no effect. 
we are blocking a user from running a vm because the vm itself is part of the quota and not the user. 

reproduction: 

1. create a quota with no limit
2. create a vm under the quota
3. assign a user to the vm but do not add the user to the consumer tab
4. try to run the vm

results -> user will be able to run the vm 

second reproduction: 

1. create a quota with 256M limit
2. create a vm under the quota
3. assign a user to the vm but not to the consumer tab
4. try to run the vm

results -> the user will not be able to run the vm

this means that the limitation is determined by the vm and not by adding a user to the consumer tab (if it was the consumer tab we should have been blocked on running the vm on both times since user has no quota privileges)

Comment 3 Itamar Heim 2012-08-06 10:30:39 UTC
true - sound like you verified everything works correctly.
user permission to a quota is a permission to assign the quota to a VM.
anyone with a permission for the VM can run it from that quota after it has been assigned.

Comment 4 Dafna Ron 2012-08-07 08:10:49 UTC
speaking to gilad, this is the design.
moving to verified on si13