Bug 986448

Summary: Permissions for group "Everyone" do not apply to VM Pool
Product: Red Hat Enterprise Virtualization Manager
Reporter: wdaniel
Component: ovirt-engine
Assignee: Yair Zaslavsky <yzaslavs>
Status: CLOSED NOTABUG
QA Contact:
Severity: high
Docs Contact:
Priority: unspecified
Version: 3.2.0
CC: acathrow, bazulay, benglish, iheim, lpeer, michal.skrivanek, oourfali, pstehlik, Rhev-m-bugs, thildred, yeylon
Target Milestone: ---
Keywords: Triaged
Target Release: 3.2.3
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-22 12:18:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description wdaniel 2013-07-19 20:09:37 UTC
Description of problem:

The group "Everyone" has been given the "UserRole" permissions so that they may log in and view the VM Pool. Users are not even able to log into the portal and are getting the "User is not authorized" message, preventing them from getting to the pool. Specifying individual AD users grants them access without issue.

Actual results:
User prevented from logging in


Expected results:
User can log in and launch VM from pool

Additional info:
This occurred to a 3.2 setup after upgrading from 3.1. Updating to 3.2.1 did not change anything.

Comment 4 Itamar Heim 2013-07-22 14:52:07 UTC
Note: the customer can give this to the domain\everyone group, which should work.

Comment 7 wdaniel 2013-07-24 19:52:40 UTC
Itamar,

The customer has responded with the following:

"Regarding the update from Itamar in the BZ, this is not accurate.  There is no "Everyone" group in AD.  Adding "Domain Users" also does not work, if that was his intention.  It seems that AD groups are not being properly enumerated."

Could this be linked to bug 980521?

Comment 8 Itamar Heim 2013-07-24 20:17:19 UTC
I'm pretty sure there is an Everyone group in Windows, but it has been a while and I may be confusing local server groups with AD ones.
Domain Users would have the same effect - yes.
And yes, it seems like you should request 3.2.z for bug 980521.