Bug 1018552 - REST-API: role should not be added to user without having a resource in context
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-restapi
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.4.0
Assigned To: Juan Hernández
QA Contact: Ondra Machacek
Whiteboard: infra
Depends On: 1064829
Blocks: rhev3.4beta 1142926
Reported: 2013-10-13 04:35 EDT by Michael Pasternak
Modified: 2016-02-10 14:05 EST
CC List: 9 users

See Also:
Fixed In Version: av2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-12 10:03:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 20357 None None None Never
oVirt gerrit 20358 None None None Never

Description Michael Pasternak 2013-10-13 04:35:31 EDT
Description of problem:

Today a role can be added to a user via the /roles sub-collection [1];
this design has two issues:

1. It's not a RESTful implementation, because behind the scenes, when a
new role is added to a user, permissions are automatically applied to the
entire system (user+role=system-permissions), i.e. an unrelated /system resource
is involved.

2. Later on, it is truly hard to figure out where the system permissions
came from, as it is not intuitive.

[1] /api/users/xxx/roles


resolution:
==========

1. Deprecate role assignment to a user (without a resource) by:

POST /api/users/xxx/roles

<role id=xxx/>

This collection will be read-only, for listing the user's roles only.

2. Add a new root collection /api/permissions (for displaying system permissions).

3. Allow adding system permissions only via #2:

POST /api/permissions

<permission>
  <role id=xxx/>
  <user id=yyy/>
</permission>
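The point of the new /api/permissions collection is that system-wide grants (user+role with no resource) become visible in one place. The following audit script is an added example, not part of this bug report or of ovirt-engine: it parses a constructed /api/permissions listing shaped like the `<permission>` bodies above, separates system-scoped grants from resource-scoped ones, and lists which principals hold SuperUser on the whole system. The resource child element names (vm, host, cluster, ...) and every UUID except the SuperUser role id from the report are assumptions.

```python
import xml.etree.ElementTree as ET

# Role id that the report's curl command and engine.log identify as SuperUser.
SUPERUSER_ROLE_ID = "00000000-0000-0000-0000-000000000001"

# Child elements taken to denote a resource scope (assumed names); a
# permission with none of these is system-wide, like user+role in the report.
RESOURCE_TAGS = {"vm", "host", "cluster", "data_center", "storage_domain", "template"}

# Constructed sample listing, shaped like the <permission> bodies in the
# report; every UUID other than SUPERUSER_ROLE_ID is made up.
SAMPLE_PERMISSIONS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<permissions>
  <permission id="p1">
    <role id="00000000-0000-0000-0000-000000000001"/>
    <user id="aaaaaaaa-1111-4aaa-8aaa-aaaaaaaaaaa1"/>
  </permission>
  <permission id="p2">
    <role id="dddddddd-4444-4ddd-8ddd-ddddddddddd4"/>
    <user id="aaaaaaaa-1111-4aaa-8aaa-aaaaaaaaaaa1"/>
    <vm id="cccccccc-3333-4ccc-8ccc-ccccccccccc3"/>
  </permission>
  <permission id="p3">
    <role id="00000000-0000-0000-0000-000000000001"/>
    <group id="bbbbbbbb-2222-4bbb-8bbb-bbbbbbbbbbb2"/>
  </permission>
</permissions>
"""


def parse_permissions(xml_text):
    """Flatten each <permission> into role, principal and scope."""
    perms = []
    for perm in ET.fromstring(xml_text).findall("permission"):
        role = perm.find("role")
        principal_type = "user" if perm.find("user") is not None else "group"
        principal = perm.find(principal_type)
        resource = next((c for c in perm if c.tag in RESOURCE_TAGS), None)
        perms.append({
            "id": perm.get("id"),
            "role": role.get("id") if role is not None else None,
            "principal_type": principal_type,
            "principal": principal.get("id") if principal is not None else None,
            # No resource child => the permission applies to the whole system.
            "scope": "system" if resource is None
                     else f"{resource.tag}:{resource.get('id')}",
        })
    return perms


def system_roles_by_principal(perms):
    """Map (principal_type, principal_id) -> roles held at system scope."""
    held = {}
    for p in perms:
        if p["scope"] == "system":
            held.setdefault((p["principal_type"], p["principal"]), set()).add(p["role"])
    return held


def system_superusers(perms):
    """Principals holding SuperUser on the whole system: review these grants first."""
    return sorted(p["principal"] for p in perms
                  if p["scope"] == "system" and p["role"] == SUPERUSER_ROLE_ID)
```

Point it at a real `GET /api/permissions` response body to get the same breakdown for a live engine.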
Comment 1 Michael Pasternak 2013-10-15 09:10:28 EDT
(In reply to Michael Pasternak from comment #0)
> Description of problem:
> 
> Today a role can be added to a user via the /roles sub-collection [1];
> this design has two issues:
> 
> 1. It's not a RESTful implementation, because behind the scenes, when a
> new role is added to a user, permissions are automatically applied to the
> entire system (user+role=system-permissions), i.e. an unrelated /system resource
> is involved.
> 
> 2. Later on, it is truly hard to figure out where the system permissions
> came from, as it is not intuitive.
> 
> [1] /api/users/xxx/roles
> 
> 
> resolution:
> ==========
> 
> 1. Deprecate role assignment to a user (without a resource) by:
> 
> POST /api/users/xxx/roles
> 
> <role id=xxx/>

Actually, when thinking about this, it's a bug rather than a feature,
so we should disallow it.

> 
> This collection will be read-only, for listing the user's roles only.
> 
> 2. Add a new root collection /api/permissions (for displaying
> system permissions).
> 
> 3. Allow adding system permissions only via #2:
> 
> POST /api/permissions
> 
> <permission>
>   <role id=xxx/>
>   <user id=yyy/>
> </permission>
Comment 2 Juan Hernández 2013-10-21 07:12:15 EDT
I have submitted two changes for this bug. The first one adds the /api/permissions resource to handle (list, add, remove) system permissions and the second one makes the /api/users/{user:id}/roles resource read only:

  http://gerrit.ovirt.org/20357
  http://gerrit.ovirt.org/20358
Comment 5 Sandro Bonazzola 2014-01-14 03:42:40 EST
ovirt 3.4.0 alpha has been released
Comment 6 Ondra Machacek 2014-02-17 10:55:52 EST
1) OK. When running a write on this collection, an error is returned:
   "The specified HTTP method is not allowed for the requested resource."
   The GET method is working correctly.

2) The URL /ovirt-engine/api/permissions/ returns system permissions.

3) Failed.

I added a user via users -> add user.

Then running:

curl -k -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" \
    -u $ADMIN \
    -d "<permission><role id=\"00000000-0000-0000-0000-000000000001\"/><user id=\"b4afc555-cce2-47efb769-c24714c5af2e\"/></permission>" \
    $URL/permissions

Getting this error:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<fault>
    <reason>Operation Failed</reason>
    <detail>[Internal Engine Error]</detail>
</fault>


engine.log:

2014-02-17 16:52:58,124 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-9) Running command: LoginUserCommand internal: false.
2014-02-17 16:52:58,150 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-9) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin logged in.
2014-02-17 16:52:58,163 INFO  [org.ovirt.engine.core.bll.AddPermissionCommand] (ajp-/127.0.0.1:8702-9) [39d29be6] Running command: AddPermissionCommand internal: false. Entities affected :  ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-02-17 16:52:58,164 ERROR [org.ovirt.engine.core.bll.AddPermissionCommand] (ajp-/127.0.0.1:8702-9) [39d29be6] Command org.ovirt.engine.core.bll.AddPermissionCommand throw exception: java.lang.NullPointerException
	at org.ovirt.engine.core.dao.DbUserDAODbFacadeImpl.getByExternalId(DbUserDAODbFacadeImpl.java:85) [dal.jar:]
	at org.ovirt.engine.core.bll.AddPermissionCommand.executeCommand(AddPermissionCommand.java:94) [bll.jar:]
	at org.ovirt.engine.core.bll.CommandBase.executeWithoutTransaction(CommandBase.java:1123) [bll.jar:]
	at org.ovirt.engine.core.bll.CommandBase.executeActionInTransactionScope(CommandBase.java:1208) [bll.jar:]
	at org.ovirt.engine.core.bll.CommandBase.runInTransaction(CommandBase.java:1884) [bll.jar:]
	at org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInNewTransaction(TransactionSupport.java:210) [utils.jar:]
	at org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInRequired(TransactionSupport.java:149) [utils.jar:]
	at org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInScope(TransactionSupport.java:118) [utils.jar:]
	at org.ovirt.engine.core.bll.CommandBase.execute(CommandBase.java:1228) [bll.jar:]
	at org.ovirt.engine.core.bll.CommandBase.executeAction(CommandBase.java:351) [bll.jar:]
	at org.ovirt.engine.core.bll.Backend.runAction(Backend.java:413) [bll.jar:]
	at org.ovirt.engine.core.bll.Backend.runActionImpl(Backend.java:392) [bll.jar:]
	at org.ovirt.engine.core.bll.Backend.runAction(Backend.java:350) [bll.jar:]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_09-icedtea]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_09-icedtea]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_09-icedtea]
	at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_09-icedtea]
	at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:58) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:374) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.ovirt.engine.core.bll.interceptors.ThreadLocalSessionCleanerInterceptor.injectWebContextToThreadLocal(ThreadLocalSessionCleanerInterceptor.java:13) [bll.jar:]
	at sun.reflect.GeneratedMethodAccessor7.invoke(Unknown Source) [:1.7.0_09-icedtea]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_09-icedtea]
	at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_09-icedtea]
	at org.jboss.as.ee.component.ManagedReferenceLifecycleMethodInterceptorFactory$ManagedReferenceLifecycleMethodInterceptor.processInvocation(ManagedReferenceLifecycleMethodInterceptorFactory.java:123) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:58) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.singleton.SingletonComponentInstanceAssociationInterceptor.processInvocation(SingletonComponentInstanceAssociationInterceptor.java:52) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInNoTx(CMTTxInterceptor.java:259) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.supports(CMTTxInterceptor.java:398) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:242) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.2.Final-redhat-1]
	at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee.jar:7.3.0.Final-redhat-14]
	at org.ovirt.engine.core.common.interfaces.BackendLocal$$$view10.runAction(Unknown Source) [common.jar:]
	at org.ovirt.engine.api.restapi.resource.BackendResource.doAction(BackendResource.java:254)
	at org.ovirt.engine.api.restapi.resource.AbstractBackendCollectionResource.doCreateEntity(AbstractBackendCollectionResource.java:246)
	at org.ovirt.engine.api.restapi.resource.AbstractBackendCollectionResource.performCreate(AbstractBackendCollectionResource.java:119)
	at org.ovirt.engine.api.restapi.resource.AbstractBackendCollectionResource.performCreate(AbstractBackendCollectionResource.java:109)
	at org.ovirt.engine.api.restapi.resource.AbstractBackendCollectionResource.performCreate(AbstractBackendCollectionResource.java:128)
	at org.ovirt.engine.api.restapi.resource.BackendAssignedPermissionsResource.add(BackendAssignedPermissionsResource.java:104)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_09-icedtea]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_09-icedtea]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_09-icedtea]
	at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_09-icedtea]
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:216) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) [resteasy-jaxrs.jar:2.3.7.Final-redhat-2]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec.jar:1.0.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.ovirt.engine.core.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:80) [common.jar:]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:499)
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
	at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:466)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336)
	at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:488)
	at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920)
	at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_09-icedtea]

2014-02-17 16:52:58,173 ERROR [org.ovirt.engine.core.bll.AddPermissionCommand] (ajp-/127.0.0.1:8702-9) [39d29be6] Transaction rolled-back for command: org.ovirt.engine.core.bll.AddPermissionCommand.
2014-02-17 16:52:58,191 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-9) [39d29be6] Correlation ID: 39d29be6, Call Stack: null, Custom Event ID: -1, Message: User admin failed to grant permission for Role SuperUser on System System to User/Group portaluser2.
2014-02-17 16:52:58,191 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (ajp-/127.0.0.1:8702-9) Operation Failed: [Internal Engine Error]
2014-02-17 16:52:58,198 INFO  [org.ovirt.engine.core.bll.LogoutUserCommand] (ajp-/127.0.0.1:8702-9) [34b19ea7] Running command: LogoutUserCommand internal: false.
2014-02-17 16:52:58,216 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-9) [34b19ea7] Correlation ID: 34b19ea7, Call Stack: null, Custom Event ID: -1, Message: User admin logged out.
2014-02-17 16:52:58,231 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-2) Running command: LoginUserCommand internal: false.
Comment 7 Juan Hernández 2014-02-17 11:01:48 EST
Adding permissions is currently failing in general, not only here, see bug 1064829. Once that is fixed you should be able to verify this.
Comment 8 Sandro Bonazzola 2014-02-19 08:41:49 EST
This bug should be fixed in ovirt-3.4.0-beta3, but it already has a fixed-in-version set and is in state MODIFIED instead of ON_QA.
Assignee, please fix the bug status and consider adding a reference to the ovirt 3.4.0 release notes page if relevant.
Comment 9 Juan Hernández 2014-02-19 09:19:30 EST
This bug was actually fixed in ovirt-3.4.0-alpha1, as described in fixed-in-version. It can't be tested because bug 1064829 prevents it, and that isn't fixed yet. So it can't be moved to ON_QA, as it would fail again. We can only move to ON_QA when we do a release containing the fix for bug 1064829.
Comment 10 Itamar Heim 2014-06-12 10:03:35 EDT
Closing as part of 3.4.0