Bug 1108153 - [RFE] Export Domain - Create a new role for users who can export/import VMs
Summary: [RFE] Export Domain - Create a new role for users who can export/import VMs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.3.0
Hardware: All
OS: All
high
medium
Target Milestone: ovirt-3.6.0-rc
: 3.6.0
Assignee: Ala Hino
QA Contact: Ondra Machacek
URL:
Whiteboard:
Depends On: 1255405
Blocks: 1213937 1236984
TreeView+ depends on / blocked
 
Reported: 2014-06-11 13:18 UTC by Robert McSwain
Modified: 2019-10-10 09:22 UTC (History)
22 users (show)

Fixed In Version: 3.6.0-4 alpha3
Doc Type: Enhancement
Doc Text:
A new user role 'VmImporterExporter' is now available. The role allows users to export and import virtual machines in the Administration Portal. The 'DataCenterAdmin' permission is no longer required for performing such actions.
Clone Of:
Environment:
Last Closed: 2016-03-09 20:46:57 UTC
oVirt Team: Virt
sherold: Triaged+


Attachments (Terms of Use)
error import vm (15.46 KB, image/png)
2015-07-30 16:22 UTC, Ondra Machacek
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:0376 normal SHIPPED_LIVE Red Hat Enterprise Virtualization Manager 3.6.0 2016-03-10 01:20:52 UTC
oVirt gerrit 41055 master MERGED database: Define admin roles to import/export domains Never
oVirt gerrit 43380 master MERGED core: Add missing login priv to importer_exporter Never

Description Robert McSwain 2014-06-11 13:18:06 UTC
1. Proposed title of this feature request  
       New role for users who can export/import vms
      
    3. What is the nature and description of the request?
	We need users to be able to export VM using the User Portal without the permission "DataCenterAdmin"
      
    4. Why does the customer need this? (List the business requirements here)  
	We have final users and operators that need export/import vms from distinct datacenters.
      
    5. How would the customer like to achieve this? (List the functional requirements here)  
	We need a new role that permits this option
      
    6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  
	Yes
      
    7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  
	No
      
    8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  
	No
      
    10. List any affected packages or components.  
      
    11. Would the customer be able to assist in testing this functionality if implemented?  
	Yes

Comment 12 Michal Skrivanek 2015-06-05 08:12:20 UTC
Ala, what was the reason for abandoning your patches?

Comment 13 Ala Hino 2015-06-05 08:15:45 UTC
(In reply to Michal Skrivanek from comment #12)
> Ala, what was the reason for abandoning your patches?

I started working on this RFE as part of the hackathon but then realized that it's not a one week RFE so, at least for now, I am not going to work on it.

The patches may still be relevant for those who will work on this one.

Comment 14 Michal Skrivanek 2015-06-05 08:52:36 UTC
why make it complicated? comment #11 as well as previous comments suggest that simply adding permissions is enough.
That's what you did, IIUC, so why not merge it?

Comment 15 Ala Hino 2015-06-05 09:19:21 UTC
(In reply to Michal Skrivanek from comment #14)
> why make it complicated? comment #11 as well as previous comments suggest
> that simply adding permissions is enough.
> That's what you did, IIUC, so why not merge it?

In this case, merging the changes is the easy part.

Comment 20 Allon Mureinik 2015-06-21 14:08:29 UTC
Michal - patch https://gerrit.ovirt.org/#/c/41055/ (referenced in the external bugs, merged earlier today) adds a new ADMIN role, VmImproterExporter that allows an admin user to export/import a VM its granted on.

If this covers the functional requirement, please move the BZ to MODIFIED.
If not, up to you on how to continue with it.

Comment 23 Max Kovgan 2015-06-28 14:13:43 UTC
ovirt-3.6.0-3 release

Comment 24 Ondra Machacek 2015-07-09 11:03:15 UTC
Role 'VmImproterExporter' is missing 'login' permission.

Comment 25 Ondra Machacek 2015-07-30 16:22:39 UTC
Created attachment 1057737 [details]
error import vm

User has VmImporterExport on system. Export worked fine. Import don't:

2015-07-30 18:20:16,199 INFO  [org.ovirt.engine.core.vdsbroker.irsbroker.GetVmsInfoVDSCommand] (default task-3) [] START, GetVmsInfoVDSCommand( GetVmsInfoVDSCommandParameters:{runAsync='true', storagePoolId='41816623-ced4-4661-84c4-d1a2fca396a8', ignoreFailoverLimit='false', storageDomainId='becdc5d5-b622-4fed-9eb2-d04da484cfeb', vmIdList='null'}), log id: 6a9ce136
2015-07-30 18:20:16,246 INFO  [org.ovirt.engine.core.vdsbroker.irsbroker.GetVmsInfoVDSCommand] (default task-3) [] FINISH, GetVmsInfoVDSCommand, log id: 6a9ce136
2015-07-30 18:20:22,064 INFO  [org.ovirt.engine.core.bll.ImportVmCommand] (default task-17) [7297c3e6] Lock Acquired to object 'EngineLock:{exclusiveLocks='[vm=<VM_NAME, ACTION_TYPE_FAILED_NAME_ALREADY_USED>, 9c89b6b9-3760-47a9-96a4-5262366de2ed=<VM, ACTION_TYPE_FAILED_VM_IS_BEING_IMPORTED$VmName vm>]', sharedLocks='[de18affc-cbff-42bd-9ced-b7e53f8be288=<REMOTE_VM, ACTION_TYPE_FAILED_VM_IS_BEING_IMPORTED$VmName vm>]'}'
2015-07-30 18:20:22,078 INFO  [org.ovirt.engine.core.vdsbroker.irsbroker.GetVmsInfoVDSCommand] (default task-17) [7297c3e6] START, GetVmsInfoVDSCommand( GetVmsInfoVDSCommandParameters:{runAsync='true', storagePoolId='41816623-ced4-4661-84c4-d1a2fca396a8', ignoreFailoverLimit='false', storageDomainId='becdc5d5-b622-4fed-9eb2-d04da484cfeb', vmIdList='null'}), log id: 68245fba
2015-07-30 18:20:22,115 INFO  [org.ovirt.engine.core.vdsbroker.irsbroker.GetVmsInfoVDSCommand] (default task-17) [7297c3e6] FINISH, GetVmsInfoVDSCommand, log id: 68245fba
2015-07-30 18:20:22,396 INFO  [org.ovirt.engine.core.vdsbroker.irsbroker.DoesImageExistVDSCommand] (default task-17) [7297c3e6] START, DoesImageExistVDSCommand( GetImageInfoVDSCommandParameters:{runAsync='true', storagePoolId='41816623-ced4-4661-84c4-d1a2fca396a8', ignoreFailoverLimit='false', storageDomainId='becdc5d5-b622-4fed-9eb2-d04da484cfeb', imageGroupId='2af451eb-6a65-4902-9016-eea91753db08', imageId='e47c2c29-3b30-436e-85f0-e9c3ed1857a4'}), log id: 66056f1
2015-07-30 18:20:22,441 INFO  [org.ovirt.engine.core.vdsbroker.irsbroker.DoesImageExistVDSCommand] (default task-17) [7297c3e6] FINISH, DoesImageExistVDSCommand, return: true, log id: 66056f1
2015-07-30 18:20:22,485 WARN  [org.ovirt.engine.core.bll.ImportVmCommand] (default task-17) [] CanDoAction of action 'ImportVm' failed for user user1@PROFILE. Reasons: VAR__ACTION__IMPORT,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_ATTACH_DISK_PROFILE
2015-07-30 18:20:22,486 INFO  [org.ovirt.engine.core.bll.ImportVmCommand] (default task-17) [] Lock freed to object 'EngineLock:{exclusiveLocks='[vm=<VM_NAME, ACTION_TYPE_FAILED_NAME_ALREADY_USED>, 9c89b6b9-3760-47a9-96a4-5262366de2ed=<VM, ACTION_TYPE_FAILED_VM_IS_BEING_IMPORTED$VmName vm>]', sharedLocks='[de18affc-cbff-42bd-9ced-b7e53f8be288=<REMOTE_VM, ACTION_TYPE_FAILED_VM_IS_BEING_IMPORTED$VmName vm>]'}'

Comment 26 Allon Mureinik 2015-08-02 09:43:27 UTC
It seems to be failing on a permission to attach a disk profile. I have to admit I'm unclear on what disk profiles have to do with importing.

Roy - can someone from your team take a look please?

Comment 27 Roy Golan 2015-08-02 10:40:30 UTC
(In reply to Ondra Machacek from comment #25)

One must have permissions to use a disk profile. There should be always one profile which is allowed to everyone thought (also called 'default profile')

The import is no different from Add/Update VM in that sense - A cando action will prevent you from using a profile you don't have permission to. 

The business case behind this is to prevent users from opt-in to QoS which will take resources you don't want to give them.



I'd except the UI filter out profiles which you don't have permissions to. Can you confirm that?

Comment 28 Ondra Machacek 2015-08-10 15:31:31 UTC
Sorry for late reply.
I didn't created any new DiskProfiles, nor delete any, just using default setup.
I can see the default profile, which is named same as the storage domain is.
In the import domain dialog there is no option to choose the disk_profile.

Comment 29 Yaniv Lavi 2015-08-20 13:26:23 UTC
Please open a bug on this feature and block the feature, but don't fail it.

Comment 30 Yaniv Lavi 2015-08-20 13:27:55 UTC
It needs to be tracked separately.

Comment 31 Tal Nisan 2016-01-04 16:00:43 UTC
Ala, please add doc text

Comment 33 Ondra Machacek 2016-01-26 11:52:33 UTC
Doc Text:
A new user role 'VmImporterExporter' is now available. The role allows users to export and import virtual machines using the User Portal. The 'DataCenterAdmin' permission is no longer required for performing such actions.

Julie it is not possible in UserPortal only webadmin.

Comment 35 errata-xmlrpc 2016-03-09 20:46:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0376.html


Note You need to log in before you can comment on or make changes to this bug.