Bug 878812

Summary: [RFE] In user view there is no consideration of the permission type
Product: [oVirt] ovirt-engine Reporter: lpeer <lpeer>
Component: RFEsAssignee: Oved Ourfali <oourfali>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: unspecified    
Version: ---CC: amureini, bazulay, bsettle, bugs, emesika, jbelka, lpeer, mkenneth, oourfali, rbalakri, Rhev-m-bugs, sputhenp, yeylon, ylavi
Target Milestone: ---Keywords: FutureFeature
Target Release: ---Flags: pkliczew: needinfo+
ylavi: ovirt-future?
rule-engine: planning_ack?
lpeer: devel_ack?
rule-engine: testing_ack?
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: infra
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-02 06:14:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 950503    
Bug Blocks: 910846, 951935, 978968    

Description lpeer 2012-11-21 09:38:45 UTC 
Description of problem:
When calculating the entities a user can view in the user API/portal we do not take into consideration what type of permission is given on the entity.

For example if I want to give a user permission to use all the templates in the data center I'll give him permission to consumeTemplate on the data center, the impact today is that the user API can view ALL the VM in the data center.

This is just an example there are many other examples.

proposed solution -
We are missing some kind of containers in a DC, if I want to give permission on the templates in the data center or if I want to give permissions on the networks in the data center it should be given on containers which leaves in the DC: Networks, Storage-Domains, Templates etc. 

Other option is to classify Action-Groups to entities and use it in user view calculation



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 lpeer 2012-11-21 09:47:17 UTC 
maybe a more clear explanation -

Today when we give permission on an entity like a data center the user gets the permission on all the entities in the data center hierarchy.

for example -

- I gave a user permission to use the templates in the data center now he can see all VM in the dc.

- I gave a user permission to use the networks in the data center now he can see all VMs in the dc.
Comment 2 Miki Kenneth 2012-11-22 09:49:53 UTC 
this is definetly a bug. I'm not sure that container is the right term, I would say let's have differentiatation  between the place in the Hierarchy and the actual objects:
- all VMs in Cluster A.
- all templates in DC DC1
- all networks in cluster A

etc.
Comment 3 Yair Zaslavsky 2012-12-30 11:27:13 UTC 
After consulting with Oved, it sounds to us more of a "sub feature" at permissions, which is not that trivial to implement in the given timeframe for 3.2.
I suggest to handle it in future version.
Comment 6 Piotr Kliczewski 2013-11-14 14:12:30 UTC 
Can you please provide the role names that you assigned to the users?
Comment 7 lpeer 2013-12-31 12:46:15 UTC 
(In reply to Piotr Kliczewski from comment #6)
> Can you please provide the role names that you assigned to the users?

Piotr,
This bug is about the concept, not a specific case, Please see comment 1 for more details.
You can also talk to Oved who is also familiar with the issue.

The general problem as described in earlier comments is that the permission hierarchy is not sensitive to entities type.
When I give permission on a DC is propagates to all the entities in the DC instead-of, for example, all the templates in the DC or all the VMs in the DC.
Comment 9 Barak 2014-03-18 12:32:17 UTC 
*** Bug 910846 has been marked as a duplicate of this bug. ***