Bug 854296

Summary: vm.start() doesn't work for users with 'vm_basic_operations' permissions
Product: Red Hat Enterprise Virtualization Manager Reporter: Ondra Machacek <omachace>
Component: ovirt-engine-restapiAssignee: Oved Ourfali <oourfali>
Status: CLOSED CURRENTRELEASE QA Contact: Ondra Machacek <omachace>
Severity: high Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: clasohm, dyasny, ecohen, iheim, lpeer, mkenneth, mpastern, oourfali, oramraz, Rhev-m-bugs, yeylon, ykaul
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: virt
Fixed In Version: si18 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-04 20:02:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
engine log none

Description Ondra Machacek 2012-09-04 15:06:56 UTC 
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Create VM.
2. Assign VM some role, which has 'vm_basic_operations' perms.
3. Via ovirtsdk try to start created VM.
  
Actual results:
Error: query execution failed due to insufficient permissions

Expected results:
VM starts

Additional info:
sample code:

API = ovirtsdk.api.API(
                    url='https://url:443/api', insecure=True,
                    username='newUser',
                    password='password', filter=True)
vm = API.vms.get(CREATED_VM)
vm.start() # FAIL

-------------------------------
vm.stop() works fine.
Comment 1 Oved Ourfali 2012-09-05 05:32:16 UTC 
Do you have the engine logs?
(just making sure it is indeed an MLA issue, and not a problem somewhere in the API).

Thank you.
Comment 2 Oved Ourfali 2012-09-05 08:50:37 UTC 
I tried to reproduce this issue, and both Start and Stop work for me.
What were the exact permissions you gave the user?
Were the permissions granted via the SDK/CLI?

Can you give the exact steps to reproduce?
Comment 3 Ondra Machacek 2012-09-05 09:26:31 UTC 
Created attachment 609938 [details]
engine log
Comment 4 Oved Ourfali 2012-09-05 09:33:57 UTC 
Just making sure - did you see my second comment?
I wasn't able to reproduce it, so more details will be helpful in finding the problem.
I saw in the log that the failed query was GetVmByVmId, but you should be able to see the VM if the have the correct permissions on it.
Comment 5 Ondra Machacek 2012-09-05 09:51:14 UTC 
Steps:

In webadmin as admin do:
1) Create VM with name 'a'.
2) In permissions tab add permission to user 'someuser' and assing it 'UserRole' role


Then run this code:
API = ovirtsdk.api.API(
                    url='https://10.34.63.30:443/api',
                    insecure=True, username='someuser',
                    password='123456', filter=True)
vm = API.vms.get('a')
vm.start() # Fails with error specified in decription

-----------------------------------------------------
vm.stop() worsk fine

In userportal everything works fine(start, stop).
Also this works:
$curl -k -X POST -H "Content-type: application/xml" -H "Accept: application/xml" -H "Filter: True" -d "<action/>" -u portaluser2.eng.brq.redhat.com:123456 https://10.34.63.30/api/vms/vm-id/start
Comment 6 Michael Pasternak 2012-09-05 11:02:35 UTC 
(In reply to comment #5)
> Steps:
> 
> In webadmin as admin do:
> 1) Create VM with name 'a'.
> 2) In permissions tab add permission to user 'someuser' and assing it
> 'UserRole' role
> 
> 
> Then run this code:
> API = ovirtsdk.api.API(
>                     url='https://10.34.63.30:443/api',
>                     insecure=True, username='someuser',

it cannot be related to sdk, make sure you used in sdk same
user you are using in gui/api/curl
Comment 7 Michael Pasternak 2012-09-05 11:05:11 UTC 
btw, what version of sdk you are using?, on sdk < 3.1.0.8 you had to
specify filter=true in methods as well.
Comment 8 Oved Ourfali 2012-09-05 11:27:37 UTC 
(In reply to comment #7)
> btw, what version of sdk you are using?, on sdk < 3.1.0.8 you had to
> specify filter=true in methods as well.

There is an issue there. The "filter" header isn't passed to the start VM operation. Will post a fix soon.
Comment 9 Michael Pasternak 2012-09-05 12:14:32 UTC 
lack of rsdl descriptor
Comment 10 Oved Ourfali 2012-09-05 12:21:45 UTC 
Posted patch to gerrit:
http://gerrit.ovirt.org/7769
Comment 11 Oved Ourfali 2012-09-06 08:46:01 UTC 
Commit: 292c58575c7ea6b6cd5c8fcff6d583b29a16b0eb

http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=292c58575c7ea6b6cd5c8fcff6d583b29a16b0eb