Bug 1032131 - Users unable to authenticate to user portal unless explicitly added
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-webadmin-portal
All Linux
Severity: urgent
Assigned To: nobody nobody
Pavel Stehlik
Reported: 2013-11-19 10:32 EST by Allan Voss
Modified: 2013-11-20 02:15 EST
Doc Type: Bug Fix
Last Closed: 2013-11-20 02:15:18 EST
Type: Bug

Description Allan Voss 2013-11-19 10:32:04 EST
Description of problem:
After upgrading from 3.0.x to 3.2.4, there seems to be a behavioral change regarding new users. In the past, any valid user in the auth domain could log into the portal and the user would automatically get added to the users list in RHEVM. And with the pool permissions set so that the "everyone" user had access to the pool, then anyone could take a VM from the pool.

After upgrading to 3.2.4, nobody can log in unless I explicitly add the user AND also explicitly add the user to the pool (even though the everyone user already has permissions to the pool).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create pool with "everyone" user access
2. Log in from valid user in auth domain
3. Attempt to get VM from pool

Actual results:
This error (when debug logging is enabled)
2013-11-15 15:38:55,139 DEBUG [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/ [6650df7b] No permission found for user when running action LoginUser, on object Bottom for action group LOGIN with id bbb00000-0000-0000-0000-123456789bbb.
2013-11-15 15:38:55,139 WARN [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/ [6650df7b] CanDoAction of action LoginUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

Expected results:
Access to VM
Comment 1 Itamar Heim 2013-11-20 02:15:18 EST
The special built-in everyone group is ignored for login permission.
You can use any other domain group for the pool permission (domain users, etc.), which will work.

See Bug 986448 for more details.
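
Added example (not part of the original report or of the oVirt code base): a Python script that pairs the DEBUG and WARN LoginUserCommand lines quoted in the description by their correlation id, so each denied login can be traced to the missing LOGIN permission even when only the WARN line was logged. The function name, the regular expressions and the last two sample lines are assumptions made for illustration.

```python
import re

# Shape of the engine.log lines quoted in the description. The thread field is
# matched loosely because it appears truncated ("(ajp-/") on the page.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\([^\[]*\[(?P<corr>[0-9a-f]+)\]\s+(?P<msg>.*)$")
MISS = re.compile(
    r"No permission found for user when running action (?P<action>\w+), "
    r"on object (?P<object>\w+) for action group (?P<group>\w+) "
    r"with id (?P<id>[0-9a-f-]+)")
DENY = re.compile(r"CanDoAction of action (?P<action>\w+) failed\. Reasons:(?P<reasons>\S+)")
NOT_AUTHORIZED = "USER_NOT_AUTHORIZED_TO_PERFORM_ACTION"


def login_denials(lines):
    """Return one record per LoginUser authorization denial, in log order."""
    misses, denials = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack-trace frames and other non-matching lines
        miss = MISS.search(m["msg"])
        if miss and m["level"] == "DEBUG":
            misses[m["corr"]] = miss.groupdict()  # permission-check detail
            continue
        deny = DENY.search(m["msg"])
        if (deny and deny["action"] == "LoginUser"
                and NOT_AUTHORIZED in deny["reasons"].split(",")):
            # detail stays empty when DEBUG logging was off for this request
            detail = misses.get(m["corr"]) or {}
            denials.append({"time": m["ts"], "correlation": m["corr"],
                            "action_group": detail.get("group"),
                            "object_id": detail.get("id")})
    return denials


# Constructed sample: lines 1-2 copy the pair quoted in the description; the
# stack frame and the last line (thread name, id 1f2e3d4c) are made up.
SAMPLE = [
    "2013-11-15 15:38:55,139 DEBUG [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/ [6650df7b] No permission found for user when running action LoginUser, on object Bottom for action group LOGIN with id bbb00000-0000-0000-0000-123456789bbb.",
    "2013-11-15 15:38:55,139 WARN [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/ [6650df7b] CanDoAction of action LoginUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION",
    "\tat org.example.Constructed.frame(Constructed.java:1)",
    "2013-11-15 15:41:02,504 WARN  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/example-thread) [1f2e3d4c] CanDoAction of action LoginUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION",
]

if __name__ == "__main__":
    for record in login_denials(SAMPLE):
        print(record)
```

Records whose action_group is None come from requests logged without the DEBUG line, so the denial is visible but the failed permission check is not.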
