Description of problem:
For VM pools, if a user in the admin portal (aside from admin@internal) does not have the 'TemplateAdmin' and 'VmPoolAdmin' roles assigned explicitly on that pool, the user is given permission denied errors when trying to add other permissions to the pool. If the user has admin roles such as the above, or SuperUser/ClusterAdmin/etc. roles assigned to a cluster or data center, those roles *appear* to be inherited to the pool (they display properly in the permissions tab) however they do not actually give the user the permissions they imply - the same "Permission denied" error is generated.

Version-Release number of selected component (if applicable):
Tested on rhevm-3.3.2-0.50

How reproducible:
Always

Steps to Reproduce:
1. Assign the 'TemplateAdmin' and 'VmPoolAdmin' roles to a user on a cluster or data center
2. Using that user (not admin@internal) try to add permissions to a VM pool (for example adding the UserRole to another user)
3.

Actual results:
User is given a permission denied error until the TemplateAdmin and VmPoolAdmin roles are assigned explicitly on the pool the user is attempting to modify

Expected results:
Pool should properly inherit the roles from the higher-level cluster/data center

Additional info:
It also appears that setting SuperUser on a cluster or data center results in the same errors until the role (or the TemplateAdmin and VmPoolAdmin roles) is assigned explicitly on the pool to be modified. This is also incorrect behavior.
I should probably clarify on the points of the cluster/data center permissions. The VM Pool *is* inside the cluster/data center for which the user has SuperUser/TemplateAdmin/VmPoolAdmin roles assigned.
Verified upstream in ovirt-engine-3.5.0-0.0.master.20140804172041.git23b558e.el6.noarch (rc1).

Verification steps:
1. As a super-user, add roles 'TemplateAdmin' and 'VmPoolAdmin' on a data center or cluster (containing a VM pool) to user user1.org
2. Log into Webadmin as user1.org
3. Assign on the VM pool role 'UserRole' to user user2.org

Result: success, role UserRole on the VM pool is successfully assigned by user1@ to user2@
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0158.html
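The symptom reported in this bug, where roles are displayed as inherited on a pool but are not honoured by the permission check, can be written as a consistency check between what is shown and what is enforced. The following is an added example, not oVirt/RHEV engine code: the hierarchy, the grants, and the two enforcement functions are a constructed model, and the direct-only variant only reproduces the reported behaviour without claiming to be the engine's actual root cause.

```python
# Constructed model (sample data): pool1 sits in cluster1, which sits in dc1.
PARENT = {"pool1": "cluster1", "cluster1": "dc1", "dc1": None}

# (user, role, object) grants; user1 holds the admin roles on the data center only.
GRANTS = {
    ("user1", "TemplateAdmin", "dc1"),
    ("user1", "VmPoolAdmin", "dc1"),
}


def roles_suffice(roles):
    """Per the report: SuperUser, or TemplateAdmin plus VmPoolAdmin, allows adding permissions."""
    return "SuperUser" in roles or {"TemplateAdmin", "VmPoolAdmin"} <= roles


def ancestors(obj):
    """Yield obj and every container above it, nearest first."""
    while obj is not None:
        yield obj
        obj = PARENT[obj]


def displayed_roles(user, obj):
    """Roles a permissions tab would list for obj: direct plus inherited."""
    scope = set(ancestors(obj))
    return {r for (u, r, o) in GRANTS if u == user and o in scope}


def can_grant_direct_only(user, obj):
    """Hypothetical enforcement that ignores inheritance (matches the reported symptom)."""
    return roles_suffice({r for (u, r, o) in GRANTS if u == user and o == obj})


def can_grant_inherited(user, obj):
    """Hypothetical enforcement that honours roles granted on any ancestor."""
    return roles_suffice(displayed_roles(user, obj))


def mismatches(enforce, users, objects):
    """(user, object) pairs where displayed roles imply access but enforcement denies it."""
    return [(u, o) for u in users for o in objects
            if roles_suffice(displayed_roles(u, o)) and not enforce(u, o)]


if __name__ == "__main__":
    objs = ["pool1", "cluster1", "dc1"]
    print("direct-only:", mismatches(can_grant_direct_only, ["user1"], objs))
    print("inherited:  ", mismatches(can_grant_inherited, ["user1"], objs))
```

An empty mismatch list is the condition the verification steps above confirm for the fixed build: every role shown as inherited on the pool is also honoured when the user adds a permission.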