Bug 1111095 - [RFE] finer grained user permissions/roles on snapshots and live storage migration
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: RFEs
Version: 3.3.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ovirt-3.6.0-rc
: 3.6.0
Assignee: Maor
QA Contact: Ori Gofen
URL:
Whiteboard:
Depends On:
Blocks: 1188081 1194272
Reported: 2014-06-19 08:49 UTC by Paul Dwyer
Modified: 2019-09-12 07:57 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Previously, the DISK_STORAGE_MANIPULATION permission allowed users to perform live storage migration as standard. Now, a new permission, DISK_LIVE_STORAGE_MIGRATION, has been introduced to allow finer control over which users can perform live storage migration. Upgrading to a version that includes this fix (3.6.0 or 3.5.1) will grant the new permission to all roles that included the DISK_STORAGE_MANIPULATION permission (DataCenterAdmin, StorageAdmin, ClusterAdmin, and relevant custom roles) to maintain functionality.
Clone Of:
: 1194272
Environment:
Last Closed: 2016-03-09 20:47:24 UTC
oVirt Team: Storage
sherold: Triaged+


Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHEA-2016:0376 | normal | SHIPPED_LIVE | Red Hat Enterprise Virtualization Manager 3.6.0 | 2016-03-10 01:20:52 UTC
oVirt gerrit | 37094 | master | MERGED | core: Add role of VM run time manager. | Never
oVirt gerrit | 37287 | master | NEW | core: Use new permission for LSM | Never
oVirt gerrit | 37295 | None | None | None | Never

Description Paul Dwyer 2014-06-19 08:49:25 UTC

Comment 10 Maor 2015-01-19 18:23:50 UTC
The permission of snapshots can be configured through the custom roles:
 VM -> Provisioning Operations -> Edit Snapshots

I've added a new, predefined Role, called VM run time manager, which includes the permissions of UserVmManager only without the vm snapshot manipulation.

Comment 11 Maor 2015-01-27 15:22:53 UTC
The permission that should be used for live storage snapshot is DISK_LIVE_STORAGE_MIGRATION.
This permission should be added to the permission DISK_STORAGE_MANIPULATION for the complete operation to work properly.

Comment 16 Ori Gofen 2015-05-27 11:52:39 UTC
Maor, can you please list all the new roles and their explicit permissions?
Right now I know only about the DISK_LIVE_STORAGE_MIGRATION permission; are there any other new ones?

Comment 17 Maor 2015-05-28 07:21:39 UTC
(In reply to Ori Gofen from comment #16)
> Maor, can you please list all the new roles and their explicit permissions?
> Right now I know only about the DISK_LIVE_STORAGE_MIGRATION permission; are
> there any other new ones?

No.

Comment 18 Ori Gofen 2015-06-14 11:40:23 UTC
The new DISK_LIVE_STORAGE_MIGRATION permission enables the RHEVM admin to prevent this action from a certain user.
I am verifying this one according to the doc text.

Please be advised: per comment #17, there are no new snapshot operation permissions that were added with this RFE.

Comment 19 Allon Mureinik 2015-11-16 09:23:41 UTC
Thanks for the doctext, Andrew!
However, I think there's some confusion here. DISK_STORAGE_MANIPULATION and DISK_LIVE_STORAGE_MIGRATION are different permissions.

Prior to this fix, DISK_STORAGE_MANIPULATION also allowed users to perform live storage migration. With this fix, a new permission, DISK_LIVE_STORAGE_MIGRATION, was introduced to allow performing live storage migration, and DISK_STORAGE_MANIPULATION no longer allows performing this operation. When upgrading to a version that includes this fix (3.6.0, or the z-stream clone on 3.5.1), this new permission is granted to all the roles that had the old DISK_STORAGE_MANIPULATION (Data Center Admin, Storage Admin, Cluster Admin, or any custom role the user may have created), so that the functionality of the system isn't impacted. This allows the admin to later create roles (or edit his pre-existing custom roles) to give some user the capability of doing some administrative operations excluding live storage migration.
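
The permission split and upgrade grant described in comment 19, modelled as an added example (not code from this bug, from the commenters, or from the oVirt project). The custom role names and the VIEW_ONLY placeholder are hypothetical, only the two disk permissions are modelled, and requiring both permissions after the fix is an assumption taken from comment 11.

```python
OLD = "DISK_STORAGE_MANIPULATION"
NEW = "DISK_LIVE_STORAGE_MIGRATION"
PREDEFINED = {"DataCenterAdmin", "StorageAdmin", "ClusterAdmin"}

# Constructed sample: only the two disk permissions are modelled; the custom
# role names and the VIEW_ONLY placeholder are hypothetical.
ROLES_BEFORE = {
    "DataCenterAdmin": {OLD},
    "StorageAdmin": {OLD},
    "ClusterAdmin": {OLD},
    "CustomDiskOperator": {OLD},
    "CustomViewer": {"VIEW_ONLY"},
}

def upgrade(roles):
    """Upgrade step: every role that holds OLD is also granted NEW."""
    return {n: set(p) | ({NEW} if OLD in p else set()) for n, p in roles.items()}

def can_live_migrate(perms, fixed):
    """Pre-fix: OLD alone is enough. Post-fix: NEW is required, alongside OLD
    (assumption taken from comment 11)."""
    return OLD in perms and (NEW in perms if fixed else True)

def revoke_lsm(roles, role):
    """Return a copy of roles with NEW removed from one role."""
    out = {n: set(p) for n, p in roles.items()}
    out[role].discard(NEW)
    return out

def custom_roles_with_lsm(roles):
    """Custom roles that hold NEW, i.e. the ones to review after upgrading."""
    return sorted(n for n, p in roles.items() if NEW in p and n not in PREDEFINED)

if __name__ == "__main__":
    after = upgrade(ROLES_BEFORE)
    print("custom roles to review:", custom_roles_with_lsm(after))
    tightened = revoke_lsm(after, "CustomDiskOperator")
    for name, perms in sorted(tightened.items()):
        print(name, "LSM allowed:", can_live_migrate(perms, fixed=True))
```

Custom roles that held DISK_STORAGE_MANIPULATION before the upgrade are the ones the review list surfaces, since they receive live storage migration without anyone having granted it explicitly.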

Comment 20 Andrew Burden 2015-11-16 23:09:33 UTC
Hi Allon,

Thank you for the excellent feedback!
Doctext updated as per your suggestion.

Comment 22 errata-xmlrpc 2016-03-09 20:47:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0376.html

