Red Hat Bugzilla – Full Text Bug Listing
|Summary:||ovirt-engine-backend [MLA]: DomainAdmin role cannot add user permissions to created objects with CanDoAction|
|Product:||Red Hat Enterprise Virtualization Manager||Reporter:||Dafna Ron <dron>|
|Component:||ovirt-engine||Assignee:||Oved Ourfali <oourfali>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:||Ondra Machacek <omachace>|
|Version:||3.1.0||CC:||dyasny, ecohen, hateya, iheim, lpeer, mkenneth, oourfali, Rhev-m-bugs, sgrinber, yeylon, ykaul, yzaslavs|
|Fixed In Version:||si14||Doc Type:||Enhancement|
|Doc Text:|| ||Story Points:||---|
|oVirt Team:||Infra||RHEL 7.3 requirements from Atomic Host:|| |
Description Dafna Ron 2012-08-01 10:30:57 EDT
Created attachment 601754 [details]
log

Description of problem:
As a DataCenterAdmin I was trying to add user permissions on objects under the DC (quota and VMs). I got a CanDoAction that the user is not permitted to perform the action.

Version-Release number of selected component (if applicable):
si12

How reproducible:
100%

Steps to Reproduce:
1. Create a user and assign it the DataCenterAdmin role.
2. Log in to the admin portal.
3. Add a VM -> try to assign a user under the VM -> permissions tab.

Actual results:
We are getting CanDoAction.

Expected results:
Data Center Admin should be allowed to add permissions on objects.

Additional info:
2012-08-01 17:16:45,727 WARN [org.ovirt.engine.core.bll.AddPermissionCommand] (ajp-/127.0.0.1:8009-35) CanDoAction of action AddPermission failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
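For triaging reports like the one above, the following added example (not part of the original report or of ovirt-engine) parses engine log lines of the shape quoted under "Additional info" and counts authorization denials per action. Only the first sample line comes from the report; the other lines, the names `ExampleCommand`, `Example` and `EXAMPLE_*`, and the comma-separated reason list are assumptions made for illustration.

```python
import re
from collections import Counter

# Shape of the WARN line quoted in the report:
# <date> <time>,<ms> <LEVEL> [<logger>] (<thread>) CanDoAction of action <Action> failed. Reasons:<R1>,<R2>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]*)\)\s+"
    r"CanDoAction of action (?P<action>\w+) failed\.\s*Reasons:\s*(?P<reasons>.*)$"
)
AUTHZ_REASON = "USER_NOT_AUTHORIZED_TO_PERFORM_ACTION"

# First line is taken from the report; the remaining lines are constructed.
SAMPLE = [
    "2012-08-01 17:16:45,727 WARN [org.ovirt.engine.core.bll.AddPermissionCommand] (ajp-/127.0.0.1:8009-35) CanDoAction of action AddPermission failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION",
    "2012-08-01 17:16:50,101 INFO [org.ovirt.engine.core.bll.ExampleCommand] (ajp-/127.0.0.1:8009-35) Running command: ExampleCommand",
    "2012-08-01 17:17:02,310 WARN [org.ovirt.engine.core.bll.AddPermissionCommand] (ajp-/127.0.0.1:8009-12) CanDoAction of action AddPermission failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION",
    "2012-08-01 17:18:40,002 WARN [org.ovirt.engine.core.bll.ExampleCommand] (ajp-/127.0.0.1:8009-7) CanDoAction of action Example failed. Reasons:EXAMPLE_VALIDATION_REASON,EXAMPLE_OTHER_REASON",
]

def parse_failure(line):
    """Return a dict for a CanDoAction failure line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Assumption: multiple reasons are comma-separated on one line.
    reasons = [r.strip() for r in m.group("reasons").split(",") if r.strip()]
    return {"ts": m.group("ts"), "thread": m.group("thread"),
            "action": m.group("action"), "reasons": reasons}

def authz_denials(lines):
    """Count, per action, the failures caused by a missing permission."""
    counts = Counter()
    for line in lines:
        rec = parse_failure(line)
        if rec is not None and AUTHZ_REASON in rec["reasons"]:
            counts[rec["action"]] += 1
    return counts

if __name__ == "__main__":
    for action, n in authz_denials(SAMPLE).most_common():
        print(f"{action}: {n} authorization denial(s)")
```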
Comment 2 Itamar Heim 2012-08-02 06:46:33 EDT
Why would creator roles need this permission? The created object would be created with an owner permission?
Comment 4 Oved Ourfali 2012-08-02 07:31:30 EDT
(In reply to comment #2)
> why would creator roles need this permission? the created object would be
> created with an owner permission?

The creator will indeed become the owner (have the UserVmManager role on the created VM, and TemplateOwner on the created template). However, as a UserVmManager, he won't be able to add permissions for other people (unless we decide to include the UserVmManager and the TemplateOwner in the list of roles that have the AddPermission action group).
Comment 6 Itamar Heim 2012-08-05 17:23:30 EDT
Miki - for which roles? It seems no one in the field is using our roles that way, as this is the current status and no one complained about this?

Oved - please discuss with Alon - I find UserVmManager a very strange default ownership role if it doesn't contain permission manipulation for the object creator. Please check behavior for disks as well.
Comment 11 Oved Ourfali 2012-08-09 05:34:48 EDT
Commit: a8ffb6fcef5c79dd641f51176e8b13de6824ce27
http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=a8ffb6fcef5c79dd641f51176e8b13de6824ce27