1111095 – [RFE] finer grained user permissions/roles on snapshots and live storage migration

Bug 1111095 - [RFE] finer grained user permissions/roles on snapshots and live storage migration

Summary: [RFE] finer grained user permissions/roles on snapshots and live storage migr...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	RFEs
Sub Component:
Version:	3.3.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	ovirt-3.6.0-rc
Target Release:	3.6.0
Assignee:	Maor
QA Contact:	Ori Gofen
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1188081 1194272
TreeView+	depends on / blocked

Reported:	2014-06-19 08:49 UTC by Paul Dwyer
Modified:	2019-09-12 07:57 UTC (History)
CC List:	16 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:	Previously, the DISK_STORAGE_MANIPULATION permission allowed users to perform live storage migration as standard. Now, a new permission, DISK_LIVE_STORAGE_MIGRATION, has been introduced to allow finer control over which users can perform live storage migration. Upgrading to a version that includes this fix (3.6.0 or 3.5.1) will grant the new permission to all roles that included the DISK_STORAGE_MANIPULATION permission (DataCenterAdmin, StorageAdmin, ClusterAdmin, and relevant custom roles) to maintain functionality.
Clone Of:
Clones:	1194272 (view as bug list)
Environment:
Last Closed:	2016-03-09 20:47:24 UTC
oVirt Team:	Storage
Target Upstream Version:
Embargoed:
Flags:	sherold: Triaged+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2016:0376	normal	SHIPPED_LIVE	Red Hat Enterprise Virtualization Manager 3.6.0	2016-03-10 01:20:52 UTC
oVirt gerrit	37094	master	MERGED	core: Add role of VM run time manager.	Never
oVirt gerrit	37287	master	NEW	core: Use new permission for LSM	Never
oVirt gerrit	37295	None	None	None	Never

Description Paul Dwyer 2014-06-19 08:49:25 UTC

Comment 10 Maor 2015-01-19 18:23:50 UTC

The permission of snapshots can be configured through the custom roles:
 VM -> Provisioning Operations -> Edit Snapshots

I've added a new, predefined Role, called VM run time manager, which includes the permissions of UserVmManager only without the vm snapshot manipulation.

Comment 11 Maor 2015-01-27 15:22:53 UTC

The permission that should be used for live storage snapshot is DISK_LIVE_STORAGE_MIGRATION.
This permission should be added to the permission DISK_STORAGE_MANIPULATION for the complete operation to work properly.

Comment 16 Ori Gofen 2015-05-27 11:52:39 UTC

Maor, can you please list all The new roles and their explicit permissions.
right now I know only about the DISK_LIVE_STORAGE_MIGRATION permission, is there any other new ones?

Comment 17 Maor 2015-05-28 07:21:39 UTC

(In reply to Ori Gofen from comment #16)
> Maor, can you please list all The new roles and their explicit permissions.
> right now I know only about the DISK_LIVE_STORAGE_MIGRATION permission, is
> there any other new ones?

no

Comment 18 Ori Gofen 2015-06-14 11:40:23 UTC

The new DISK_LIVE_STORAGE_MIGRATION permission enable RHEVM admin to prevent this action from a certain user.
I am verifying this one according to doc text.

please be advised: per comment #17 there are no new Snapshot operation permissions that had been added with this RFE

Comment 19 Allon Mureinik 2015-11-16 09:23:41 UTC

Thanks for the doctext, Andrew!
However, I think there's some confusion here. DISK_STORAGE_MANIPULATION and DISK_LIVE_STORAGE_MIGRATION are different permissions.

Prior to this fix, DISK_STORAGE_MANIPULATION also allowed users to perform live storage migration. With this fix, a new permission, DISK_LIVE_STORAGE_MIGRATION was introduced to allow performing live storage migration, and DISK_STORAGE_MANIPULATION no longer allows to perform this operation. When upgrading to a version that includes this fix (3.6.0, or the z-stream clone on 3.5.1), this new permission is granted to all the roles that had the old DISK_STORAGE_MANIPULATION (Data Center Admin, Storage Admin, Cluster Admin, or any custom role the user may have created), so that the functionality of the system isn't impacted. This allows the admin to later create roles (or edit his pre-existing custom roles) to give some user the capability of doing some administrive operations excluding live storage migration.

Comment 20 Andrew Burden 2015-11-16 23:09:33 UTC

Hi Allon,

Thank you for the excellent feedback!
Doctext updated as per your suggestion.

Comment 22 errata-xmlrpc 2016-03-09 20:47:24 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0376.html

Note You need to log in before you can comment on or make changes to this bug.