Bug 1018552 - REST-API: role should not be added to user without having a resource in context
Summary: REST-API: role should not be added to user without having a resource in context
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-restapi
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.4.0
Assignee: Juan Hernández
QA Contact: Ondra Machacek
URL:
Whiteboard: infra
Depends On: 1064829
Blocks: rhev3.4beta 1142926
 
Reported: 2013-10-13 08:35 UTC by Michael Pasternak
Modified: 2016-02-10 19:05 UTC (History)
CC: 9 users

Fixed In Version: av2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-12 14:03:35 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:


Links
System        ID     Private  Priority  Status  Summary  Last Updated
oVirt gerrit  20357  0        None      None    None     Never
oVirt gerrit  20358  0        None      None    None     Never

Description Michael Pasternak 2013-10-13 08:35:31 UTC
Description of problem:

today a role can be added to a user via the /roles sub-collection [1];
this design has two issues:

1. it's not a RESTful implementation, because behind the scenes, when
a new role is added to a user, permissions are automatically applied to the
entire system (user+role=system-permissions), i.e. an unrelated /system resource
is involved

2. later on, it is truly hard to figure out where the system permissions
came from, as it is not intuitive.

[1] /api/users/xxx/roles


resolution:
==========

1. deprecate role assignment to a user (without a resource) via:

POST /api/users/xxx/roles

<role id=xxx/>

this collection will be read-only, for listing the user's roles only.

2. add new root-collection /api/permissions (for displaying system-permissions)

3. allow adding system permissions only via #2

POST /api/permissions

<permission>
  <role id=xxx/>
  <user id=yyy/>
</permission>

Comment 1 Michael Pasternak 2013-10-15 13:10:28 UTC
(In reply to Michael Pasternak from comment #0)
> Description of problem:
> 
> today a role can be added to a user via the /roles sub-collection [1];
> this design has two issues:
> 
> 1. it's not a RESTful implementation, because behind the scenes, when
> a new role is added to a user, permissions are automatically applied to the
> entire system (user+role=system-permissions), i.e. an unrelated /system resource
> is involved
> 
> 2. later on, it is truly hard to figure out where the system permissions
> came from, as it is not intuitive.
> 
> [1] /api/users/xxx/roles
> 
> 
> resolution:
> ==========
> 
> 1. deprecate role assignment to a user (without a resource) via:
> 
> POST /api/users/xxx/roles
> 
> <role id=xxx/>

actually, when thinking about this, it's a bug rather than a feature,
so we should disallow it.

> 
> this collection will be read-only, for listing the user's roles only.
> 
> 2. add new root-collection /api/permissions (for displaying
> system-permissions)
> 
> 3. allow adding system permissions only via #2
> 
> POST /api/permissions
> 
> <permission>
>   <role id=xxx/>
>   <user id=yyy/>
> </permission>

Comment 2 Juan Hernández 2013-10-21 11:12:15 UTC
I have submitted two changes for this bug. The first one adds the /api/permissions resource to handle (list, add, remove) system permissions and the second one makes the /api/users/{user:id}/roles resource read only:

  http://gerrit.ovirt.org/20357
  http://gerrit.ovirt.org/20358

Comment 5 Sandro Bonazzola 2014-01-14 08:42:40 UTC
ovirt 3.4.0 alpha has been released

Comment 6 Ondra Machacek 2014-02-17 15:55:52 UTC
1) OK. When running a write on this collection, an error is returned:
   "The specified HTTP method is not allowed for the requested resource."
   The GET method is working correctly.

2) The URL /ovirt-engine/api/permissions/ returns the system permissions.

3) Failed.

I added a user via Users -> Add User.

Then running:

curl -k -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" \
    -u $ADMIN \
    -d "<permission><role id=\"00000000-0000-0000-0000-000000000001\"/><user id=\"b4afc555-cce2-47efb769-c24714c5af2e\"/></permission>" \
    $URL/permissions

Getting this error:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<fault>
    <reason>Operation Failed</reason>
    <detail>[Internal Engine Error]</detail>
</fault>


engine.log:

2014-02-17 16:52:58,124 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-9) Running command: LoginUserCommand internal: false.
2014-02-17 16:52:58,150 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-9) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin logged in.
2014-02-17 16:52:58,163 INFO  [org.ovirt.engine.core.bll.AddPermissionCommand] (ajp-/127.0.0.1:8702-9) [39d29be6] Running command: AddPermissionCommand internal: false. Entities affected :  ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-02-17 16:52:58,164 ERROR [org.ovirt.engine.core.bll.AddPermissionCommand] (ajp-/127.0.0.1:8702-9) [39d29be6] Command org.ovirt.engine.core.bll.AddPermissionCommand throw exception: java.lang.NullPointerException
	at org.ovirt.engine.core.dao.DbUserDAODbFacadeImpl.getByExternalId(DbUserDAODbFacadeImpl.java:85) [dal.jar:]
	at org.ovirt.engine.core.bll.AddPermissionCommand.executeCommand(AddPermissionCommand.java:94) [bll.jar:]
	at org.ovirt.engine.core.bll.CommandBase.executeWithoutTransaction(CommandBase.java:1123) [bll.jar:]
	at org.ovirt.engine.core.bll.CommandBase.executeActionInTransactionScope(CommandBase.java:1208) [bll.jar:]
	at org.ovirt.engine.core.bll.CommandBase.runInTransaction(CommandBase.java:1884) [bll.jar:]
	at org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInNewTransaction(TransactionSupport.java:210) [utils.jar:]
	at org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInRequired(TransactionSupport.java:149) [utils.jar:]
	at org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInScope(TransactionSupport.java:118) [utils.jar:]
	at org.ovirt.engine.core.bll.CommandBase.execute(CommandBase.java:1228) [bll.jar:]
	at org.ovirt.engine.core.bll.CommandBase.executeAction(CommandBase.java:351) [bll.jar:]
	at org.ovirt.engine.core.bll.Backend.runAction(Backend.java:413) [bll.jar:]
	at org.ovirt.engine.core.bll.Backend.runActionImpl(Backend.java:392) [bll.jar:]
	at org.ovirt.engine.core.bll.Backend.runAction(Backend.java:350) [bll.jar:]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_09-icedtea]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_09-icedtea]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_09-icedtea]
	at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_09-icedtea]
	at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:58) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:374) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.ovirt.engine.core.bll.interceptors.ThreadLocalSessionCleanerInterceptor.injectWebContextToThreadLocal(ThreadLocalSessionCleanerInterceptor.java:13) [bll.jar:]
	at sun.reflect.GeneratedMethodAccessor7.invoke(Unknown Source) [:1.7.0_09-icedtea]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_09-icedtea]
	at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_09-icedtea]
	at org.jboss.as.ee.component.ManagedReferenceLifecycleMethodInterceptorFactory$ManagedReferenceLifecycleMethodInterceptor.processInvocation(ManagedReferenceLifecycleMethodInterceptorFactory.java:123) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:58) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.singleton.SingletonComponentInstanceAssociationInterceptor.processInvocation(SingletonComponentInstanceAssociationInterceptor.java:52) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInNoTx(CMTTxInterceptor.java:259) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.supports(CMTTxInterceptor.java:398) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:242) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.ovirt.engine.core.common.interfaces.BackendLocal$$$view10.runAction(Unknown Source) [common.jar:]
	at org.ovirt.engine.api.restapi.resource.BackendResource.doAction(BackendResource.java:254)
	at org.ovirt.engine.api.restapi.resource.AbstractBackendCollectionResource.doCreateEntity(AbstractBackendCollectionResource.java:246)
	at org.ovirt.engine.api.restapi.resource.AbstractBackendCollectionResource.performCreate(AbstractBackendCollectionResource.java:119)
	at org.ovirt.engine.api.restapi.resource.AbstractBackendCollectionResource.performCreate(AbstractBackendCollectionResource.java:109)
	at org.ovirt.engine.api.restapi.resource.AbstractBackendCollectionResource.performCreate(AbstractBackendCollectionResource.java:128)
	at org.ovirt.engine.api.restapi.resource.BackendAssignedPermissionsResource.add(BackendAssignedPermissionsResource.java:104)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_09-icedtea]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_09-icedtea]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_09-icedtea]
	at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_09-icedtea]
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:216) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec.jar:1.0.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.ovirt.engine.core.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:80) [common.jar:]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:499)
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
	at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:466)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336)
	at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:488)
	at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920)
	at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_09-icedtea]

2014-02-17 16:52:58,173 ERROR [org.ovirt.engine.core.bll.AddPermissionCommand] (ajp-/127.0.0.1:8702-9) [39d29be6] Transaction rolled-back for command: org.ovirt.engine.core.bll.AddPermissionCommand.
2014-02-17 16:52:58,191 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-9) [39d29be6] Correlation ID: 39d29be6, Call Stack: null, Custom Event ID: -1, Message: User admin failed to grant permission for Role SuperUser on System System to User/Group portaluser2.
2014-02-17 16:52:58,191 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (ajp-/127.0.0.1:8702-9) Operation Failed: [Internal Engine Error]
2014-02-17 16:52:58,198 INFO  [org.ovirt.engine.core.bll.LogoutUserCommand] (ajp-/127.0.0.1:8702-9) [34b19ea7] Running command: LogoutUserCommand internal: false.
2014-02-17 16:52:58,216 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-9) [34b19ea7] Correlation ID: 34b19ea7, Call Stack: null, Custom Event ID: -1, Message: User admin logged out.
2014-02-17 16:52:58,231 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-2) Running command: LoginUserCommand internal: false.
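
The following helper covers both the API shape laid out in the description (system permissions granted only through POST /api/permissions, with /api/users/{id}/roles read-only) and the three-step verification in the comment above. It is an added example, not code from this bug or from the oVirt project. It uses only the Python 3 standard library. Assumptions: the "method is not allowed" refusal arrives as HTTP 405; a successful reply is a <permission> element carrying <role> and <user> links plus an object element such as <vm> only when the grant is narrower than the whole system; the permission samples and all user/permission ids are constructed, while the fault sample is the one the engine returned above. Request building and reply parsing are kept apart from the HTTP call so the interpretation of the engine's answer can be checked without an engine.

```python
"""Offline-testable helper for the /api/permissions verification procedure."""
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Built-in SuperUser role id used in the verification comment above.
SUPERUSER_ROLE_ID = "00000000-0000-0000-0000-000000000001"

# Fault document exactly as the engine returned it in the verification comment.
FAULT_SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<fault>
    <reason>Operation Failed</reason>
    <detail>[Internal Engine Error]</detail>
</fault>"""

# Constructed (not captured) replies: role and user links, plus an object
# element only when the permission is scoped narrower than the whole system.
SYSTEM_PERMISSION_SAMPLE = (
    '<permission id="11111111-1111-1111-1111-111111111111">'
    '<role id="00000000-0000-0000-0000-000000000001"/>'
    '<user id="22222222-2222-2222-2222-222222222222"/>'
    '</permission>'
)
VM_PERMISSION_SAMPLE = (
    '<permission id="33333333-3333-3333-3333-333333333333">'
    '<role id="00000000-0000-0000-0000-000000000001"/>'
    '<user id="22222222-2222-2222-2222-222222222222"/>'
    '<vm id="44444444-4444-4444-4444-444444444444"/>'
    '</permission>'
)


def build_permission_body(role_id, user_id):
    """Body for POST /api/permissions: no object element, so the grant is system-wide."""
    root = ET.Element("permission")
    ET.SubElement(root, "role", id=role_id)
    ET.SubElement(root, "user", id=user_id)
    return ET.tostring(root, encoding="unicode")


def build_role_body(role_id):
    """Body for POST /api/users/{id}/roles, the write the fix is expected to refuse."""
    return ET.tostring(ET.Element("role", id=role_id), encoding="unicode")


def parse_permission_response(xml_text):
    """Turn the engine's reply into a dict: a <fault> yields ok=False with
    reason/detail; a <permission> yields its ids and whether it is system-scoped."""
    raw = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(raw)
    if root.tag == "fault":
        return {"ok": False, "reason": root.findtext("reason"),
                "detail": root.findtext("detail")}
    if root.tag != "permission":
        raise ValueError("unexpected root element <%s>" % root.tag)
    role = root.find("role")
    user = root.find("user")
    # Any child other than the principal and role links names the scoped object.
    scope = [child.tag for child in root if child.tag not in ("role", "user", "group")]
    return {
        "ok": True,
        "id": root.get("id"),
        "role_id": role.get("id") if role is not None else None,
        "user_id": user.get("id") if user is not None else None,
        "system_scoped": not scope,
        "scope": scope,
    }


def engine_request(base_url, username, password, method, path, body=None, insecure=False):
    """One authenticated XML request. HTTP errors are returned as (status, body)
    rather than raised, because the engine puts its <fault> document in the error body."""
    data = body.encode("utf-8") if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/xml")
    if data is not None:
        req.add_header("Content-Type", "application/xml")
    ctx = ssl._create_unverified_context() if insecure else None  # equivalent of curl -k
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


def verify(base_url, username, password, user_id, role_id=SUPERUSER_ROLE_ID, insecure=False):
    """The three checks from the verification comment, run against a live engine.
    base_url is the API root, e.g. https://engine.example.com/ovirt-engine/api (assumed)."""
    results = {}
    status, _ = engine_request(base_url, username, password, "POST",
                               "/users/%s/roles" % user_id, build_role_body(role_id), insecure)
    results["roles_write_refused"] = status == 405  # assumed status for "method not allowed"
    status, _ = engine_request(base_url, username, password, "GET", "/permissions", None, insecure)
    results["permissions_listable"] = status == 200
    _, text = engine_request(base_url, username, password, "POST", "/permissions",
                             build_permission_body(role_id, user_id), insecure)
    results["grant"] = parse_permission_response(text)
    return results
```

Running `verify()` against an engine affected by bug 1064829 reproduces the outcome above: the first two checks pass and `results["grant"]` carries the "Operation Failed" / "[Internal Engine Error]" fault, which is why this bug could not be moved to ON_QA until that one was fixed. The `system_scoped` flag is the point of the redesign: the scope of a grant is now visible in the permission object itself instead of being implied by a role-to-user assignment with no resource.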

Comment 7 Juan Hernández 2014-02-17 16:01:48 UTC
Adding permissions is currently failing in general, not only here, see bug 1064829. Once that is fixed you should be able to verify this.

Comment 8 Sandro Bonazzola 2014-02-19 13:41:49 UTC
This bug should be fixed in ovirt-3.4.0-beta3, but it already has a fixed-in-version set and is in state MODIFIED instead of ON_QA.
Assignee, please fix the bug status and consider adding a reference to the ovirt 3.4.0 release notes page if relevant.

Comment 9 Juan Hernández 2014-02-19 14:19:30 UTC
This bug was actually fixed in ovirt-3.4.0-alpha1, as described in fixed-in-version. It can't be tested because bug 1064829 prevents it, and that isn't fixed yet. So it can't be moved to ON_QA, as it would fail again. We can only move to ON_QA when we do a release containing the fix for bug 1064829.

Comment 10 Itamar Heim 2014-06-12 14:03:35 UTC
Closing as part of 3.4.0

