Bug 869433

Summary: [MLA] StorageAdmin can't attach disk.
Product: Red Hat Enterprise Virtualization Manager
Reporter: Ondra Machacek <omachace>
Component: ovirt-engine
Assignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: unspecified
Version: 3.1.0
CC: dyasny, iheim, lpeer, oourfali, Rhev-m-bugs, yeylon, ykaul
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-24 02:16:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ondra Machacek 2012-10-23 21:17:34 UTC
Description of problem:


Version-Release number of selected component (if applicable):
si21

How reproducible:
always

Steps to Reproduce:
1. As admin create disk and vm without disk.
2. Add user StorageAdmin permissions on 'system' object.
3. As user try to attach disk to vm.

Actual results:
User is not authorized to perform this action.

Expected results:
Disk is attached.

Additional info:

2012-10-23 23:07:14,896 INFO  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8009-18) Checking if user portaluser2 is an admin, result true
2012-10-23 23:07:14,896 INFO  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8009-18) Running command: LoginAdminUserCommand internal: false.
2012-10-23 23:07:49,107 WARN  [org.ovirt.engine.core.bll.AttachDiskToVmCommand] (ajp-/127.0.0.1:8009-18) [33aeaa1f] CanDoAction of action AttachDiskToVm failed. Reasons:VAR__ACTION__ATTACH_ACTION_TO,VAR__TYPE__VM_DISK,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

Comment 1 Itamar Heim 2012-10-24 02:16:59 UTC
Storage admin is allowed to manage storage domains and disks, not VMs.
Attaching/removing disks from VMs requires more permissions.
I don't see this as a bug.

Comment 2 Ondra Machacek 2012-10-24 11:17:39 UTC
So the backend shouldn't return that it can:

# API is an already-authenticated ovirtsdk API instance (Python 2 SDK of that era)
for r in API.roles.list():
    if r.get_name() == 'StorageAdmin':
        # does the StorageAdmin role carry the attach_disk permit?
        print 'attach_disk' in [p.get_name() for p in r.get_permits().list()]

>>> True

Comment 3 Oved Ourfali 2012-10-24 11:46:52 UTC
(In reply to comment #2)
> So the backend shouldn't return that it can:
> 
> for r in API.roles.list():
>     if r.get_name() == 'StorageAdmin':
>         print 'attach_disk' in [p.get_name() for p in r.get_permits().list()]
> 
> >>> True

That's true as well.
You need two permissions in order to attach a disk to a VM:
1. Permission on the disk that allows you to attach it: "ATTACH_DISK" on the disk.
2. Permission on the VM that allows you to configure storage for it: "CONFIGURE_VM_STORAGE".
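The two-object check from comment 3, modelled as an added example (not code from the bug report or from oVirt): it decides an attach request and audits which roles lack one of the two required permits, explaining why a role that carries only attach_disk is refused. Permit names use the lower-case SDK form seen in comment 2; 'configure_vm_storage' as the SDK name for CONFIGURE_VM_STORAGE, the roles_from_sdk adapter and the sample role data are assumptions/constructed.

```python
# Added example, not from the bug report or from oVirt. Models the rule in
# comment 3: attaching a disk needs ATTACH_DISK on the disk object AND
# CONFIGURE_VM_STORAGE on the VM object; a permit on one object never
# substitutes for the other. Lower-case names as returned by the SDK in
# comment 2; 'configure_vm_storage' is assumed by analogy.

REQUIRED_ON_DISK = "attach_disk"           # ATTACH_DISK, checked on the disk
REQUIRED_ON_VM = "configure_vm_storage"    # CONFIGURE_VM_STORAGE, checked on the VM


def can_attach_disk(disk_permits, vm_permits):
    """True only when the caller holds the disk permit on the disk and the
    VM permit on the VM (the engine's CanDoAction outcome for AttachDiskToVm)."""
    return REQUIRED_ON_DISK in set(disk_permits) and REQUIRED_ON_VM in set(vm_permits)


def missing_for_attach(role_permits):
    """Sorted list of required permits a role does not grant; empty means the
    role alone suffices when held on both objects (e.g. via 'system')."""
    granted = set(role_permits)
    return sorted(p for p in (REQUIRED_ON_DISK, REQUIRED_ON_VM) if p not in granted)


def audit_roles(roles):
    """roles: iterable of (role_name, permit_names). Returns {role: missing}
    for every role that cannot attach a disk on its own."""
    report = {}
    for name, permits in roles:
        missing = missing_for_attach(permits)
        if missing:
            report[name] = missing
    return report


def roles_from_sdk(api):
    """Assumed adapter: builds the (name, permits) pairs from an authenticated
    ovirtsdk API object using only the calls shown in comment 2."""
    return [(r.get_name(), [p.get_name() for p in r.get_permits().list()])
            for r in api.roles.list()]


# Constructed sample, not real engine output: StorageAdmin holds the disk
# permit but not the VM permit, matching the refusal logged in the report.
SAMPLE_ROLES = [
    ("StorageAdmin", ["attach_disk", "create_disk", "delete_disk"]),
    ("UserVmManager", ["configure_vm_storage"]),
    ("SuperUser", ["attach_disk", "configure_vm_storage"]),
]

if __name__ == "__main__":
    for role, missing in audit_roles(SAMPLE_ROLES).items():
        print("%s cannot attach a disk alone; missing: %s" % (role, ", ".join(missing)))
```

Against a live engine, `audit_roles(roles_from_sdk(api))` gives the same report for the real role definitions.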