Bug 923191

Summary: [UserPortal] User can see other users only from one domain, selected domain is ignored.
Product: Red Hat Enterprise Virtualization Manager Reporter: Ondra Machacek <omachace>
Component: ovirt-engineAssignee: Ravi Nori <rnori>
Status: CLOSED DUPLICATE QA Contact: Ondra Machacek <omachace>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.2.0CC: acathrow, bazulay, ecohen, emesika, iheim, jkt, lpeer, movciari, pstehlik, Rhev-m-bugs, yeylon, yzaslavs
Target Milestone: ---   
Target Release: 3.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: infra
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-08 21:10:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1078909, 1142926    
Attachments:
Description Flags
user_portal_add_perms_to_user_screenshot none

Description Ondra Machacek 2013-03-19 11:56:01 UTC 
Created attachment 712608 [details]
user_portal_add_perms_to_user_screenshot

Description of problem:
When we wanna add permissions to other users in userportal, then the filtering ignore selected domain, and also it shows users only from one domain.

Version-Release number of selected component (if applicable):
sf10

How reproducible:
always

Steps to Reproduce:
1. Add two domains to rhevm.
2. Add UserVmManager permissions on cluster to user1.
3. Login as user1 and try to add permissions on some object in cluster.
  
Actual results:
If we select domain within we wanna search - it is ingored, we still search in one domain. It is not possible to search for users in other domains.

Expected results:
User can search within all domains all users, maybe? Or he should view only users which are already added to system. See also bug 923100.

Additional info:

2013-03-19 12:35:09,204 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-9) Running command: LoginUserCommand internal: false.
2013-03-19 12:35:09,216 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-9) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2013-03-19 12:35:09,216 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-9) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2013-03-19 12:35:31,297 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-1) Running command: LoginUserCommand internal: false.
2013-03-19 12:35:31,308 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-1) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2013-03-19 12:35:31,308 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-1) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2013-03-19 12:35:39,421 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-5) Running command: LoginUserCommand internal: false.
2013-03-19 12:35:39,429 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-5) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2013-03-19 12:35:39,430 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-5) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2013-03-19 12:35:41,158 INFO  [org.ovirt.engine.core.bll.AddPermissionCommand] (pool-3-thread-37) [cbf6fa4] Running command: AddPermissionCommand internal: false. Entities affected :  ID: fea51314-f9bf-45a0-9c5b-3bb2085b1876 Type: VdsGroups
2013-03-19 12:35:57,982 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-11) [2bfe00e3] Running command: LoginUserCommand internal: false.
2013-03-19 12:36:09,330 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-12) Running command: LoginUserCommand internal: false.
2013-03-19 12:36:09,341 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-12) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2013-03-19 12:36:09,341 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-12) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2013-03-19 12:36:31,426 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-12) Running command: LoginUserCommand internal: false.
2013-03-19 12:36:31,438 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-12) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2013-03-19 12:36:31,439 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-12) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2013-03-19 12:36:37,793 INFO  [org.ovirt.engine.core.bll.AddPermissionCommand] (pool-3-thread-37) [63ef1192] Running command: AddPermissionCommand internal: false. Entities affected :  ID: 00000000-0000-0000-0000-000000000000 Type: VmTemplate
Comment 1 Simon Grinberg 2013-04-07 15:24:31 UTC 
Ondra, 

Is the domain the user can search limited to the domain the user belongs to or is it an arbitrary domain? 

If the user is limited only to domain he belongs to, then it should not be a bug since not sure the user should have permissions to see users from other domains it may be a security issue.
Comment 2 Ondra Machacek 2013-04-09 11:46:11 UTC 
(In reply to comment #1)
> Ondra, 
> 
> Is the domain the user can search limited to the domain the user belongs to
> or is it an arbitrary domain?

Seems, that are shown users from last domain in alphabet.
Comment 3 Yair Zaslavsky 2013-06-16 14:25:09 UTC 
This happens only in user portal.
Does not happen in admin portal.
Comment 4 Yair Zaslavsky 2013-06-16 14:25:48 UTC 
*** Bug 972751 has been marked as a duplicate of this bug. ***
Comment 5 Yair Zaslavsky 2013-06-16 15:09:16 UTC 
At UserPortal we use two user queries - AdUserSearch and AdGroupSearch.

At Webadmin we call two queries of SearchQuery and pass pass each time different search type - Group or User.

Seems like the search patterns are different -

For user portal (looking for a*) 

groups: ADGROUP: name=a*
users:  ADUSER: allnames=a*

For admin portal: (looking for a* at domain example.com)
users: ADUSER: allnames=a*
groups: ADGROUP: name=*

Since there is no domain in case of user portal, the getDefaultDomain() (at the SearchQuery class) method is invoked which returns the default name which gets the first domain from the domains list that is defined in vdc_options (DomainName entry).


Simon, if a user can add permissions via user portal, is it ok that he will add permissions from multiple domains? if so, we just need to fix the AdUserSearch and AdGroupSearch queries
Comment 6 Simon Grinberg 2013-06-17 12:50:45 UTC 
(In reply to Yair Zaslavsky from comment #5)
> 
> Simon, if a user can add permissions via user portal, is it ok that he will
> add permissions from multiple domains? if so, we just need to fix the
> AdUserSearch and AdGroupSearch queries

Look at #comment 1
Comment 7 Yair Zaslavsky 2013-06-17 13:49:44 UTC 
(In reply to Simon Grinberg from comment #6)
> (In reply to Yair Zaslavsky from comment #5)
> > 
> > Simon, if a user can add permissions via user portal, is it ok that he will
> > add permissions from multiple domains? if so, we just need to fix the
> > AdUserSearch and AdGroupSearch queries
> 
> Look at #comment 1

Ok, then what we should do is not use getDefaultDomain, but getCurrentDomain (from the user on the session).
Comment 8 Mooli Tayer 2013-06-23 07:51:26 UTC 
So to summarize the above discussion,
this is what I am going to do:

1.) In UserPortal's add permissions dialog - remove other domains from selection, the user should only see users from his own domain.

2.) Make sure the users he can actually see after searching are those from his own domain, and not some other randomly selected domain.

makes sense?
Comment 9 Simon Grinberg 2013-06-23 11:58:28 UTC 
(In reply to Mooli Tayer from comment #8)
> So to summarize the above discussion,
> this is what I am going to do:
> 
> 1.) In UserPortal's add permissions dialog - remove other domains from
> selection, the user should only see users from his own domain.
> 
> 2.) Make sure the users he can actually see after searching are those from
> his own domain, and not some other randomly selected domain.
> 
> makes sense?

Yes. 
Also make sure that the user have the permission to manipulate users in the first place. 

Long term we may need to add domains as an entity we can set permissions on. 
Then admin can grant a user with permission to assign permission to users from this domain.
Comment 11 Ravi Nori 2014-01-08 21:10:31 UTC 

*** This bug has been marked as a duplicate of bug 923197 ***