Bug 1121144 - User doesn't get the UserVmManager permission on a VM
Summary: User doesn't get the UserVmManager permission on a VM
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ovirt-3.6.0-rc
: 3.6.0
Assignee: Shmuel Melamud
QA Contact: Ondra Machacek
URL:
Whiteboard:
Depends On:
Blocks: 1213937 1232419
TreeView+ depends on / blocked
 
Reported: 2014-07-18 13:32 UTC by Michal Skrivanek
Modified: 2016-04-20 01:11 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: If a VM was created using Admin Portal UI or using REST API with "Filter: false", the user that created the VM was never given ownership of it. Consequence: It was OK for admin users, because they can set ownership afterwards. But regular user having ReadOnlyAdmin (to give access to Admin Portal) and PowerUser permission can create VMs from Admin Portal UI, but cannot access it after that. Similar problem existed with REST API. Fix: New rule was introduced: users without admin rights are always given permission to manage the VM if they have permission to create it. Result: The behaviour has been changed only for regular users without admin rights that create VMs using Admin Portal or REST API with "Filter: false" (which is treated like usage of Admin Portal). Now they are always given ownership of the VMs they've created. In other cases the behaviour is still the same. For VMs created using User Portal or with REST API with "Filter: true" the ownership is always given to the creator - regular users and admin users are treated equally. For VMs created by admin users using Admin Portal or with REST API with "Filter: false" the ownership is not given to the creator, because admin users are typically using Admin Portal to create VMs for others.
Clone Of:
: 1232419 (view as bug list)
Environment:
Last Closed: 2016-04-20 01:11:49 UTC
oVirt Team: Virt


Attachments (Terms of Use)
Unable to progress, please help us (3.67 MB, image/jpeg)
2015-01-08 15:42 UTC, Tomas Babej
no flags Details


Links
System ID Priority Status Summary Last Updated
oVirt gerrit 42392 master MERGED core: Make regular user owner of VMs he created Never

Description Michal Skrivanek 2014-07-18 13:32:38 UTC
Description of problem:
seems a VM doesn't get any permissions; there is a failure in the log…but VM is created anyway

Version-Release number of selected component (if applicable):
3.4.1

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:

The only relevant thing in the log seems to be:

2014-07-18 16:26:41,786 INFO  [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/127.0.0.1
:8702-16) [61b8077e] Lock freed to object EngineLock [exclusiveLocks= key: pspacek-test value: VM
_NAME
, sharedLocks= ]
2014-07-18 16:26:43,641 WARN  [org.ovirt.engine.core.bll.network.vm.ReorderVmNicsCommand] (ajp-/1
27.0.0.1:8702-7) [312b7dc0] CanDoAction of action ReorderVmNics failed. Reasons:USER_NOT_AUTHORIZ
ED_TO_PERFORM_ACTION
2014-07-18 16:26:43,641 WARN  [org.ovirt.engine.core.bll.network.vm.ReorderVmNicsCommand] (ajp-/1
27.0.0.1:8702-7) [312b7dc0] CanDoAction of action ReorderVmNics failed. Reasons:USER_NOT_AUTHORIZ
ED_TO_PERFORM_ACTIO


Expected results:
either fail on missing perms or add the right permission

Additional info:

Comment 1 Michal Skrivanek 2014-07-18 13:37:20 UTC
seems to me the NIC errors are not related, tried on a different user and still there's no UserVmManager.
Omer?

Anyway, the template was Blank and there was no NICs, so why ReorderVmNics?

Comment 2 Michal Skrivanek 2014-07-18 13:44:56 UTC
(better the other way around)
Lior, any insight regarding the ReorderVmNics err?

Comment 3 Lior Vernia 2014-07-20 07:56:22 UTC
Yes, the command is triggered without checking the number of NICs, and does nothing if there are no NICs (but doesn't fail - the failure here is due to the permissions). It's easy to change but I don't think it requires changing.

Comment 4 Omer Frenkel 2014-07-20 14:53:30 UTC
Mihcal, what client did you use to create the vm?
the permissions are created upon client request, and afair, the webadmin always sends false, user portal sends true, and the rest-api has some logic when to request create-permissions

Comment 5 Michal Skrivanek 2014-07-28 11:16:00 UTC
that's an interesting behavior, ok.
though it doesn't make sense for ReadOnlyAdmin role. We should check whether one can actually add the permission afterwards

Comment 6 Michal Skrivanek 2014-08-21 14:19:58 UTC
Oved, thoughts? I guess this is part of the ReadOnlyAdmin feature…we should reconsider the check or leave as is?

Comment 7 Oved Ourfali 2014-08-21 14:41:39 UTC
You didn't answer what client did you use?

Comment 8 Michal Skrivanek 2014-08-22 09:21:29 UTC
Webadmin; browser…not sure, either FF 24.7.0 ESR or Safari 6
is it relevant?

Comment 9 Oved Ourfali 2014-08-25 05:57:29 UTC
(In reply to Michal Skrivanek from comment #8)
> Webadmin; browser…not sure, either FF 24.7.0 ESR or Safari 6
> is it relevant?

It is relevant, as when adding VMs through the webadmin (or admin API), you are not supposed to grant any permissions on them. Only when doing that through the User Portal (or user API).

The only issue in this bug is that we reorder the VM nics, and in order to do that you must have the CONFIGURE_VM_NETWORK permission. See VdcActionType
ReorderVmNics(17, ActionGroup.CONFIGURE_VM_NETWORK, false, QuotaDependency.NONE)

Moving the bug back to network to consider whether to change this requirement or not.

Comment 10 Lior Vernia 2014-08-27 18:51:47 UTC
Created Bug 1134554 for the re-ordering issue, leaving this in case there's a design issue with ReadOnlyAdmin.

Comment 11 Oved Ourfali 2014-09-01 08:15:16 UTC
(In reply to Lior Vernia from comment #10)
> Created Bug 1134554 for the re-ordering issue, leaving this in case there's
> a design issue with ReadOnlyAdmin.

I don't understand what design issue are you talking about.
Closing this one as not a bug.

Comment 12 Michal Skrivanek 2014-11-05 09:12:23 UTC
(In reply to Oved Ourfali from comment #11)
> (In reply to Lior Vernia from comment #10)
> > Created Bug 1134554 for the re-ordering issue, leaving this in case there's
> > a design issue with ReadOnlyAdmin.
> 
> I don't understand what design issue are you talking about.
> Closing this one as not a bug.

the design issue is that the current check for isAdmin() doesn't make sense. In case of ReadOnlyAdmin the user is not able to add any permission, even for himself. comment #5

Comment 13 Tomas Babej 2014-11-05 09:16:05 UTC
It is a bug. If you are ReadOnlyAdmin, and create a VM, the VM apaprently requires admin privileges for its management (i.e. to add network interface).

However, you don't have these admin privileges, thus you cannot manage a VM you created, which is a serious flaw.

See the traceback from my script which tries to add network interface to VM that it has just created.

Traceback (most recent call last):
  File "./make_vm_template.py", line 42, in <module>
    rhev_vm.create(memory = 3*rhevm.GB)
  File "/home/pspacek/rhev/rhevm.py", line 208, in create
    self._get_me().nics.add(nic)
  File "/usr/lib/python2.6/site-packages/ovirtsdk/infrastructure/brokers.py", line 18002, in add
    headers={"Expect":expect, "Correlation-Id":correlation_id}
  File "/usr/lib/python2.6/site-packages/ovirtsdk/infrastructure/proxy.py", line 88, in add
    return self.request('POST', url, body, headers)
  File "/usr/lib/python2.6/site-packages/ovirtsdk/infrastructure/proxy.py", line 118, in request
    persistent_auth=self._persistent_auth)
  File "/usr/lib/python2.6/site-packages/ovirtsdk/infrastructure/proxy.py", line 140, in __doRequest
    persistent_auth=persistent_auth
  File "/usr/lib/python2.6/site-packages/ovirtsdk/web/connection.py", line 134, in doRequest
    raise RequestError, response
ovirtsdk.infrastructure.errors.RequestError: 
status: 400

The same behaviour can be reproduced using webUI.
reason: Bad Request
detail: User is not authorized to perform this action.

Comment 14 Oved Ourfali 2014-11-05 09:17:55 UTC
(In reply to Michal Skrivanek from comment #12)
> (In reply to Oved Ourfali from comment #11)
> > (In reply to Lior Vernia from comment #10)
> > > Created Bug 1134554 for the re-ordering issue, leaving this in case there's
> > > a design issue with ReadOnlyAdmin.
> > 
> > I don't understand what design issue are you talking about.
> > Closing this one as not a bug.
> 
> the design issue is that the current check for isAdmin() doesn't make sense.
> In case of ReadOnlyAdmin the user is not able to add any permission, even
> for himself. comment #5

What isAdmin check?
Please elaborate more here.
ReadOnlyAdmin is an admin role that doesn't allow doing operations.
So he shouldn't be able to add permissions as well.
If he can add a VM then something is wrong, and you need to address that as part of the permissions required for adding a VM.

Comment 15 Oved Ourfali 2014-11-05 09:19:06 UTC
(In reply to Tomas Babej from comment #13)
> It is a bug. If you are ReadOnlyAdmin, and create a VM, the VM apaprently
> requires admin privileges for its management (i.e. to add network interface).
> 

If you only have ReadOnlyAdmin then you shouldn't be able to add VMs at all.
If you can then it is a bug in the AddVm flow.

Comment 16 Michal Skrivanek 2014-11-05 09:30:07 UTC
The same user has a user level permission allowing to create VM, PowerUserRole.

Comment 17 Oved Ourfali 2014-11-05 09:35:58 UTC
(In reply to Michal Skrivanek from comment #16)
> The same user has a user level permission allowing to create VM,
> PowerUserRole.

So he is lacking permissions to reorder the nics, right?

In addition, there was a decision not to grant permissions on VMs automatically when creating a VM through the admin portal.
We can easily change it, but that's the behavior that was decided.
So if you need further permissions then you should add them.
The ReadOnlyAdmin was created to support a ReadOnlyAdmin use-case.
If you add other roles you need to make sure they are complete, and satisfies this users needs.

Do you have another suggestion here?

Comment 18 Michal Skrivanek 2014-11-05 09:48:31 UTC
(In reply to Oved Ourfali from comment #17)
> (In reply to Michal Skrivanek from comment #16)
> > The same user has a user level permission allowing to create VM,
> > PowerUserRole.
> 
> So he is lacking permissions to reorder the nics, right?

right. that's supposedly fixed in 3.5

 
> In addition, there was a decision not to grant permissions on VMs
> automatically when creating a VM through the admin portal.

that's fine, understood (though probably not documented)
when done via User Portal the permissions are correct
However REST API is the same as webadmin, so the VM is not usable.

> We can easily change it, but that's the behavior that was decided.
> So if you need further permissions then you should add them.
> The ReadOnlyAdmin was created to support a ReadOnlyAdmin use-case.
> If you add other roles you need to make sure they are complete, and
> satisfies this users needs.
> 
> Do you have another suggestion here?

One solution would be to fix REST API to not require admin role for any connection to API (bug 1160331). I thought ReadOnlyAdmin might be a suitable workaround but it seems it's not

Comment 19 Tomas Babej 2014-11-05 09:59:23 UTC
Still, the fact that the permissions required to manage the VM differ when using different interfaces (userportal vs. adminportal) seems as a serious bug to me.

VMs created by the same user should require the same pemissions regardless of the way they were created.

Comment 20 Oved Ourfali 2014-11-05 12:30:30 UTC
No comment here explained the real issue and use-case... so it is not possible to solve this without these details.

1. It originally started with an issue to reorder nics, which was resolved.
2. Then moved to some lack of design of ReadOnlyAdmin.
3. The purpose of ReadOnlyAdmin is to be able to see everything, and do nothing... and that's what it does.
4. If you want the user to be able to do more than that, then you need to give him proper permissions for it.
5. The fact that the behavior is different for admins and users is by design, as the use-case is different. Users usually create VMs for themselves, whereas admins create them for others.

Again, I suggest to close this one.
Also, based on that, reducing urgency.

Scott?

Comment 21 Tomas Babej 2014-11-05 12:41:42 UTC
Even if you're ReadOnlyAdmin, it's legitimate use case to create a VM for yourself using the webadmin interface.

Currently, you can create it, but you cannot do anything with it (delete, add disks / interfaces).

The attributes of the created VMs for the user should not differ depending on the what interface (UserPortal or WebAdmin) he used. This is simply not a sane behaviour and not something that any user will expect.

If that's the behaviour according to the design, than the design is flawed.

Comment 22 Oved Ourfali 2014-11-05 12:46:05 UTC
(In reply to Tomas Babej from comment #21)
> Even if you're ReadOnlyAdmin, it's legitimate use case to create a VM for
> yourself using the webadmin interface.
> 
> Currently, you can create it, but you cannot do anything with it (delete,
> add disks / interfaces).
> 
> The attributes of the created VMs for the user should not differ depending
> on the what interface (UserPortal or WebAdmin) he used. This is simply not a
> sane behaviour and not something that any user will expect.
> 
> If that's the behaviour according to the design, than the design is flawed.

ReadOnlyAdmin is a role, and it is up to the administrator to use it.
We don't protect the user from setting wrong permissions.
We could have, but we don't.
In some cases it might be a good thing, and in others it might not, but we decided not to protect/limit/monitor the usage of permissions.

Comment 23 Omer Frenkel 2014-11-05 13:06:59 UTC
my 2 cents:
first, the idea of different permissions to create and login the vm came from this kind of scenario: Admin creates vms for users, he is using the webadmin (or api), so we dont want him to be the owner of ther vms, he needs to give permissions to the right user on the vm, this is why owner is not set when using webadmin/api.

the second scenario, is the power user, that creates vms to himself, he should be using the user portal, so he is automatically granted with vm owner.

this bug describes a scenario where power user, with some other admin permission (not on the vms, like the readOnlyAdmin) is creating vms, and using the webadmin (which wasn't the intention), this is why he dont have the permission, and can't use the vms.

i suggest to expose the flag "grant owner permission" in the webadmin and api (default to false) and allow the admin to set it (assuming there is no security issue with that..)

Comment 25 Tomas Babej 2014-11-05 13:18:28 UTC
Responding to Comment 22.

The problem here is not monitoring setting the permissions. The problem here is that user with ReadOnlyAdmin role can create VMs for himself which are then not managable.

ReadOnlyAdmin has no way to set the permissions himself.

The way I see it, you should either:
a) Prohibit creation of VMs in the webadmin for users with ReadOnlyAdmin role, since then they cannot manage them.
b) Make the VMs created in the webadmin managable as though they were created using the UserPortal (this can be optional as Comment 23 suggests).

Comment 26 Oved Ourfali 2014-11-05 13:22:03 UTC
(In reply to Tomas Babej from comment #25)
> Responding to Comment 22.
> 
> The problem here is not monitoring setting the permissions. The problem here
> is that user with ReadOnlyAdmin role can create VMs for himself which are
> then not managable.
> 
> ReadOnlyAdmin has no way to set the permissions himself.
> 
> The way I see it, you should either:
> a) Prohibit creation of VMs in the webadmin for users with ReadOnlyAdmin
> role, since then they cannot manage them.

We won't check what permissions was used to create a VM. Again, we don't protect administrators in that way. They need to set proper permissions.

> b) Make the VMs created in the webadmin managable as though they were
> created using the UserPortal (this can be optional as Comment 23 suggests).

That's possible. PM decision.

Comment 27 Tomas Babej 2014-11-05 13:51:21 UTC
(In reply to Oved Ourfali from comment #26)
> (In reply to Tomas Babej from comment #25)
> > Responding to Comment 22.
> > 
> > The problem here is not monitoring setting the permissions. The problem here
> > is that user with ReadOnlyAdmin role can create VMs for himself which are
> > then not managable.
> > 
> > ReadOnlyAdmin has no way to set the permissions himself.
> > 
> > The way I see it, you should either:
> > a) Prohibit creation of VMs in the webadmin for users with ReadOnlyAdmin
> > role, since then they cannot manage them.
> 
> We won't check what permissions was used to create a VM. Again, we don't
> protect administrators in that way. They need to set proper permissions.
> 

My whole objection here is that by adding a ReadOnlyAdmin role to a user, you effectively (from the user's point of view) remove the ability to manage VMs he created for himself.

Which will take users aback. What was working before is not anymore, and the only thing what changed is that I gained additional role and used different interface.

Can this be at least shown as warning in the UI?

> > b) Make the VMs created in the webadmin managable as though they were
> > created using the UserPortal (this can be optional as Comment 23 suggests).
> 
> That's possible. PM decision.

Comment 28 Barak 2014-11-06 15:02:55 UTC
(In reply to Tomas Babej from comment #27)
> (In reply to Oved Ourfali from comment #26)
> > (In reply to Tomas Babej from comment #25)
> > > Responding to Comment 22.
> > > 
> > > The problem here is not monitoring setting the permissions. The problem here
> > > is that user with ReadOnlyAdmin role can create VMs for himself which are
> > > then not managable.
> > > 
> > > ReadOnlyAdmin has no way to set the permissions himself.
> > > 
> > > The way I see it, you should either:
> > > a) Prohibit creation of VMs in the webadmin for users with ReadOnlyAdmin
> > > role, since then they cannot manage them.
> > 
> > We won't check what permissions was used to create a VM. Again, we don't
> > protect administrators in that way. They need to set proper permissions.
> > 
> 
> My whole objection here is that by adding a ReadOnlyAdmin role to a user,
> you effectively (from the user's point of view) remove the ability to manage
> VMs he created for himself.

This is incorrect.
ReadOnlyAdmin is a role for viewing only.
In case a user is a power user than he should create the VMs from user portal and than he can manage them.
It is confusing in this specific case ... but this case is far from being a common case. 

> 
> Which will take users aback. What was working before is not anymore, and the
> only thing what changed is that I gained additional role and used different
> interface.
> 
> Can this be at least shown as warning in the UI?
> 
> > > b) Make the VMs created in the webadmin managable as though they were
> > > created using the UserPortal (this can be optional as Comment 23 suggests).
> > 
> > That's possible. PM decision.


This is a minor issue,
One can argue whether ReadOnlyAdmin should override all other permissions and not allow doing anything through the webadmin ... but as said above this use case is very specific.

Comment 29 Petr Spacek 2014-11-11 10:56:45 UTC
(In reply to Barak from comment #28)
> (In reply to Tomas Babej from comment #27)
> > My whole objection here is that by adding a ReadOnlyAdmin role to a user,
> > you effectively (from the user's point of view) remove the ability to manage
> > VMs he created for himself.
> 
> This is incorrect.
> ReadOnlyAdmin is a role for viewing only.
> In case a user is a power user than he should create the VMs from user
> portal and than he can manage them.

Could you give us an advice which permission we should add to make it work, please?

> It is confusing in this specific case ... but this case is far from being a
> common case. 

(I have re-ordered paragraph so related ideas are on the same spot.)
> One can argue whether ReadOnlyAdmin should override all other permissions
> and not allow doing anything through the webadmin ... but as said above this
> use case is very specific.

From identity management point of view it would make sense to use different user account for web admin (this would be equivalent to admin/username principal in Kerberos world) and do not apply different access controls depending on the API/interface you use. How does current rules apply to RHEV API?

(Parallel: Does you file system make a difference if you create a file using command line 'touch' or a dialog in your web browser?)

> > Which will take users aback. What was working before is not anymore, and the
> > only thing what changed is that I gained additional role and used different
> > interface.
> > 
> > Can this be at least shown as warning in the UI?
> > 
> > > > b) Make the VMs created in the webadmin managable as though they were
> > > > created using the UserPortal (this can be optional as Comment 23 suggests).
> > > 
> > > That's possible. PM decision.
> 
> 
> This is a minor issue,

This is an usability issue in general because this does not follow principle of least surprise. Sure, it makes perfect sense for developers but usual usability guidelines (e.g. http://www.nngroup.com/articles/ten-usability-heuristics/) put 'help and documentation' as 'last resort' option - and the ordering here really does matter :-)

Comment 30 Petr Spacek 2014-12-15 13:56:34 UTC
(In reply to Petr Spacek from comment #29)
> (In reply to Barak from comment #28)
> > (In reply to Tomas Babej from comment #27)
> > > My whole objection here is that by adding a ReadOnlyAdmin role to a user,
> > > you effectively (from the user's point of view) remove the ability to manage
> > > VMs he created for himself.
> > 
> > This is incorrect.
> > ReadOnlyAdmin is a role for viewing only.
> > In case a user is a power user than he should create the VMs from user
> > portal and than he can manage them.
> 
> Could you give us an advice which permission we should add to make it work,
> please?

Oved or anybody else, could you tell us which permission we should add to make it work as suggested in comment 26, please? Thank you in advance!

Comment 31 Oved Ourfali 2014-12-15 14:03:05 UTC
(In reply to Petr Spacek from comment #30)
> (In reply to Petr Spacek from comment #29)
> > (In reply to Barak from comment #28)
> > > (In reply to Tomas Babej from comment #27)
> > > > My whole objection here is that by adding a ReadOnlyAdmin role to a user,
> > > > you effectively (from the user's point of view) remove the ability to manage
> > > > VMs he created for himself.
> > > 
> > > This is incorrect.
> > > ReadOnlyAdmin is a role for viewing only.
> > > In case a user is a power user than he should create the VMs from user
> > > portal and than he can manage them.
> > 
> > Could you give us an advice which permission we should add to make it work,
> > please?
> 
> Oved or anybody else, could you tell us which permission we should add to
> make it work as suggested in comment 26, please? Thank you in advance!

There are many admin roles that will allow you to create VMs, and also some user roles that allow that.
Please read the documentation with regards to permissions, it has the details needed to understand what permissions are needed in order to do different tasks, among those also creating VMs.

Some useful links:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5-Beta/html/Administration_Guide/sect-Virtual_Machines_and_Permissions.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5-Beta/html/Administration_Guide/Data_center_storage_entities.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5-Beta/html/Administration_Guide/Virtual_Machine_User_Roles_Explained.html

and more...

Comment 32 Petr Spacek 2014-12-16 10:40:46 UTC
Thank you for links to documentation!

Unfortunately I'm not able to find any privilege which would solve the problem, i.e. add the ability to manage VMs I created via API/web admin (which seem to be the same from privilege perspective) or at least an ability to add UserVmManager privilege to myself.

Did I overlook something?

Thank you for advice!

Comment 33 Oved Ourfali 2014-12-16 11:23:03 UTC
(In reply to Petr Spacek from comment #32)
> Thank you for links to documentation!
> 
> Unfortunately I'm not able to find any privilege which would solve the
> problem, i.e. add the ability to manage VMs I created via API/web admin
> (which seem to be the same from privilege perspective) or at least an
> ability to add UserVmManager privilege to myself.
> 
> Did I overlook something?
> 
> Thank you for advice!

You can have UserVmManager (user role) on the DC/cluster, for example, to have access to all VMs in that DC/cluster.
You can make yourself a ClusterAdmin (admin role), which will also allow that, iirc. I referred you to the documentation because there are many roles you can use... You can also define a new custom role if you want, to allow you to set permissions, and put it on the system/DC/cluster level.

Comment 34 Petr Spacek 2014-12-16 11:34:37 UTC
I'm afraid that putting *Manager role on DC or cluster level is not an option. The cluster is shared among multiple teams and it would unnecesairly escalate privileges for Jenkins instance if we put *Manager role on the whole DC.

Naturally, Jenkins should manage its own VMs and should not have privileges to touch anything else. (The same applies to advanced users who want to use admin portal because user portal is ... not that advanced, to say it politely.)

Comment 35 Oved Ourfali 2015-01-08 14:20:18 UTC
Referring to *Manager is wrong here. UserVmManager is allowing you to manage VMs. Even if being granted on the DC, it won't allow you to manage other entities/services.

This bug is here for a while, with no clear action item.
Closing it.

Scott - if you think otherwise please reopen.

Comment 36 Petr Spacek 2015-01-08 14:36:26 UTC
(In reply to Oved Ourfali from comment #35)
> Referring to *Manager is wrong here. UserVmManager is allowing you to manage
> VMs. Even if being granted on the DC, it won't allow you to manage other
> entities/services.
Maybe I misunderstood something ... but I'm asking about privilege which would allow me to manage VMs *I* created (and do not allow me to touch VMs created by other people/teams) or alternativelly a way how to assign UserVmManager persmission *for myself* for VMs created via API.

Comment 37 Oved Ourfali 2015-01-08 14:38:38 UTC
When creating VMs through the user-level API, the user who created the VM is also assigned as the owner.
If you're an administrator, and you create a VM, you need to add permissions to a user explicitly.

Comment 38 Tomas Babej 2015-01-08 15:42:45 UTC
Created attachment 977831 [details]
Unable to progress, please help us

Comment 39 Tomas Babej 2015-01-08 15:43:49 UTC
This is a good solution. In theory. Reality is that user-level API does not work.

Our goals is to allow each user of rhevm instance manage his own VMs via API.

See attached graphical representation of our progress in reaching the goal.

This bug seems as the path of least resistance when wanting to achieve this goal in RHEVM 3.4.

Please, guide us how to solve this problem.

Comment 40 Oved Ourfali 2015-01-08 17:06:26 UTC
If it doesn't work then a bug should be filed.

Comment 41 Petr Spacek 2015-01-09 08:47:20 UTC
Sure, bugs 1160331 and 1155967 were filled a while ago.

Itamar, would it be possible to scope these bugs and if possible to prioritize them to some near release, please? Thank you!

Comment 42 Petr Spacek 2015-01-09 08:51:36 UTC
To clarify: Comment #39 (and the diagram from Tomas attached to this bug) is trying to explain that all attemps to meaningfully use API without write-admin privileges on DC/cluster level (which is of course undesirable) failed because of (bugs 1160331 and 1155967) or this bug.

Comment 43 Michal Skrivanek 2015-01-09 14:51:02 UTC
(In reply to Petr Spacek from comment #42)

while waiting for fixing the user level api, would it work for you if we create a new role which is:
- admin role because you have to use admin level api
- being able to manipulate permissions so you're able to explicitly add the UserVmManager

Comment 44 Petr Spacek 2015-01-09 15:34:55 UTC
Technically it should work, sure, except the fact that it defeats purpose of access control system :-)

The account we are talking about is going to be baked into multiple scripts and used by multiple persons (for user-written scripts used as replacement for web UI & automated systems (Jenkins & internal reporting scripts).

Comment 46 Petr Spacek 2015-01-12 12:20:54 UTC
I'm reopening this because it was reassigned to different team for consideration.

Comment 47 Michal Skrivanek 2015-01-13 12:25:02 UTC
there's no easy solution other than wait for proper filtering support in user level api

hence moving to 3.6 but still keeping open for a backport if we decide to create a new role

Comment 48 Petr Spacek 2015-01-13 12:49:35 UTC
I think that an option to add UserVmManager permission for user logged-in admin API (during VM creation) could do the trick and should be relatively easy to do. Am I missing something?

Comment 49 Michal Skrivanek 2015-01-16 09:37:47 UTC
admin doesn't get it - per design
user does get it - ok in the User Portal, but not in API due to:
    bug 1160331 - "Filter: true" is the differentiation between user/admin API at the moment, it is not an easy fix. So you have to use filtering for now
    bug 1155967 - search doesn't work with filtering so most of the queries are unusable anyway

so yes, this would be a good enough workaround. I don't think we even need any option, just at the point where we decide to add or not add the UserVmManager we should check if there is a permissions to add it later, combined with the filter true/false check.

if filter:true || do_not_have_perms_to_add_later
  grant UserVmManager
    
users would always get it (same as today, if user api would work)
admins will get it when filter:false
even readonlyadmin via API would get it

Oved?

Comment 50 Oved Ourfali 2015-01-16 12:43:06 UTC
(In reply to Michal Skrivanek from comment #49)
> admin doesn't get it - per design
> user does get it - ok in the User Portal, but not in API due to:
>     bug 1160331 - "Filter: true" is the differentiation between user/admin
> API at the moment, it is not an easy fix. So you have to use filtering for
> now
>     bug 1155967 - search doesn't work with filtering so most of the queries
> are unusable anyway
> 
> so yes, this would be a good enough workaround. I don't think we even need
> any option, just at the point where we decide to add or not add the
> UserVmManager we should check if there is a permissions to add it later,
> combined with the filter true/false check.
> 
> if filter:true || do_not_have_perms_to_add_later
>   grant UserVmManager
>     
> users would always get it (same as today, if user api would work)
> admins will get it when filter:false
> even readonlyadmin via API would get it
> 
> Oved?

As far as I know there is a flag saying whether to add permissions or not,so you can pass it along the chain. By design the decision was not to add permissions for administrators. Making it configurable at ui/api level also wasn't accepted. And changing it to set permissions also wasn't accepted. 

Michal - you need to decide with PMs whether to change the behaviour by applying one of the alternatives above or not.

Comment 51 Michal Skrivanek 2015-01-16 15:23:25 UTC
Sure, I was just checking if it does sound reasonable to you.
I'd go with the differentiation in rest api (since we already have the logic based on filtered true/false), just extend it to check the actual permission the client has
this should be ok for the timebeing till we have a true user level api implemented as per the linked bugs

Comment 52 Michal Skrivanek 2015-01-16 15:42:29 UTC
(In reply to Michal Skrivanek from comment #49)

> if filter:true || do_not_have_perms_to_add_later
>   grant UserVmManager
>     
> users would always get it (same as today, if user api would work)
> admins will get it when filter:false
> even readonlyadmin via API would get it

sure, let's make a mistake in a concise summary;-)
it should read:

if filter:true || do_not_have_perms_to_add_later
  grant UserVmManager

users would always get it (same as today, if user api would work)
admins will get it when filter:true (also in userportal)
admins will NOT get it when filter:false (also in webadmin)
even readonlyadmin via API would get it

Comment 53 Oved Ourfali 2015-01-16 17:37:25 UTC
(In reply to Michal Skrivanek from comment #51)
> Sure, I was just checking if it does sound reasonable to you.
> I'd go with the differentiation in rest api (since we already have the logic
> based on filtered true/false), just extend it to check the actual permission
> the client has
> this should be ok for the timebeing till we have a true user level api
> implemented as per the linked bugs

I wouldn't check permissions on the rest api level. This is wrong, and will probably also be nacked by maintainers. 

I'd expose the flag of whether to assign permissions or not in the API. So, changing the API call to set this field to true will assign permissions. Not setting it at all will leave previous behavior, as we need to be backward compatible. You can expose this as checkbook in the UI as well. That's what I would do. In my opinion, implicit logic in any layer is unacceptable.

Comment 54 Juan Hernández 2015-01-16 18:03:36 UTC
The RESTAPI doesn't have any explicit flag to indicate if or what permissions should be added when creating a VM. It just takes the value of the "Filter" header and puts it in the "makeCreatorExplicitOwner" parameter of the VM creation operation. I think this is wrong, as "filter query results according to user permissions" (that is the theoretical meaning of the "Filter" header) and "make creator explicitly owner" are different meanings. Doing this makes the meaning of "Filter" even more confusing than it already is. Unfortunately this can't be changed before 4.0, as it would break backwards compatibility. 

The business rule suggested in comment 52 goes in the same direction, and increases confusion. Try to reformulate without using "Filter", for example:

  if user_is_not_admin || do_not_have_perms_to_add_later
    grant UserVmManager
  
This business rule (any business rule) should be implemented in the backend, not in the RESTAPI.

If for whatever the reason we don't want to implement this or a similar business rule in the backend then the correct way to solve this issue in the RESTAPI would be to allow the user to POST simultaneously the VM and its permissions:

  POST /vms
  <vm>
    <name>myvm</name>
    ...
    <permissions>
      <permission>
        <role id="..."/>
        <user id="...."/>
      </permission>
      ...
    </permission>
    ...
  </vm>

To implement this the backend would need to provide a command that receives as parameters the VM and the permissions, it should then check if the caller is allowed or not to create that VM with those permissions.

Comment 55 Oved Ourfali 2015-01-16 18:27:04 UTC
Or we can just expose the flag that sets creator as owner through the API.

Comment 56 Juan Hernández 2015-01-16 18:30:09 UTC
That is RPC style, not REST.

Comment 57 Oved Ourfali 2015-01-16 18:41:10 UTC
I know. I'm suggesting to add rest support to that as well.

Comment 58 Juan Hernández 2015-01-16 19:01:11 UTC
I reject that suggestion based on the fact that there is a reasonable "restful" alternative, as described in comment 54.

Comment 59 Michal Skrivanek 2015-01-19 13:30:19 UTC
(In reply to Juan Hernández from comment #54)
> The RESTAPI doesn't have any explicit flag to indicate if or what
> permissions should be added when creating a VM. It just takes the value of
> the "Filter" header and puts it in the "makeCreatorExplicitOwner" parameter
> of the VM creation operation. I think this is wrong, as "filter query
> results according to user permissions" (that is the theoretical meaning of
> the "Filter" header) and "make creator explicitly owner" are different
> meanings. Doing this makes the meaning of "Filter" even more confusing than
> it already is. Unfortunately this can't be changed before 4.0, as it would
> break backwards compatibility. 

well, today the business logic _is_ in REST, I don't think we will be able to change this before 4.0 hence I don't see other *easy* way other than adding the piece of additional logic as I suggested in comment #52

 
> The business rule suggested in comment 52 goes in the same direction, and
> increases confusion. Try to reformulate without using "Filter", for example:
> 
>   if user_is_not_admin || do_not_have_perms_to_add_later
>     grant UserVmManager

this is not exactly the same thing. We don't actually care which user is it, admin uses both filter: true and false and by that differentiate between the mode of operation.

Comment 60 Michal Skrivanek 2015-01-22 12:46:47 UTC
Juan, I understand how you think it should look like in 4.0, however what would be your suggestion short-term?
Seems to me other solutions than extending the business logic in REST layer require quite some effort

Comment 61 Juan Hernández 2015-01-27 10:12:37 UTC
My suggestion for short term is to implement it correctly, as described in comment 54. If this isn't feasible and the bug is really urgent then you can implement as you consider appropriate, assuming that it will be re-implemented correctly in 4.0.

Comment 62 Eyal Edri 2015-02-25 08:39:39 UTC
3.5.1 is already full with bugs (over 80), and since none of these bugs were added as urgent for 3.5.1 release in the tracker bug, moving to 3.5.2

Comment 65 Michal Skrivanek 2015-03-25 10:49:47 UTC
(In reply to Juan Hernández from comment #61)
> My suggestion for short term is to implement it correctly, as described in
> comment 54. If this isn't feasible and the bug is really urgent then you can
> implement as you consider appropriate, assuming that it will be
> re-implemented correctly in 4.0.

ok, we don't have much time left, let's go with Oved's suggestion to expose a flag and I'll open a follow-up bug for proper 4.0 implementation based on comment #54

Comment 66 Petr Spacek 2015-04-20 14:50:29 UTC
Please note that this bug most probably affects VM import too.

Environment:
I'm importing VM As a member of idm-dev-lab group which has PowerUserRole on whole DC + ReadOnlyAdmin permission too.

Actual result:
I'm able to import a VM using Admin Portal but the VM does not have any permissions associated with it and so it is unusable (and I do not have any extra permissions so I'm unable to add any).

Expected result:
The VM implicitly gets a permission which allows the user who imported the VM to modify VM parameters and permissions too.

Comment 67 Omer Frenkel 2015-04-20 15:43:23 UTC
PowerUserRole cannot do import by default, so you might have another permission allowing you to do the import?
basically to do import you have to have IMPORT_EXPORT_VM on the storage domain.
the system, by default, ship with ClusterAdmin and DataCenterAdmin that have this action, and both has the required MANIPULATE_PERMISSIONS to set permissions later on the imported vm.

the only issue here that whoever gave you the permission, gave it on the export domain, this allows you to import a vm to cluster X, but not on cluster X, so you cannot manipulate the permissions...

on the other hand, if you were given ClusterAdmin on this cluster, you could manipulate permissions of any vm in this cluster, which might be too much.

i guess the assumption was that import is an admin task, and this admin will have all permissions needed.
we might need to allow (by default?) setting vm_owner on the vm to the user who performs the action

Comment 68 Petr Spacek 2015-04-21 14:08:27 UTC
Omer, I forgot to mention that we have ClusterAdmin and UserVmManager roles on the export domain, too.

What can we do to fix this? Is there a permission we need somewhere to make imported VM useful, i.e. to enable us to edit them and run them as necessary (after the import finishes)?

Thank you for answers!

Comment 69 Omer Frenkel 2015-04-21 14:22:06 UTC
as i said above in comment 67
if you have also cluster admin on the target cluster (the cluster you import the vm to) then you will have manipulate permission on the vm on you can add permissions to it. please be aware that you will have this permission on ANY VM in this cluster, so give it to a trusted user.

the other solution is to ask for permission from the admin that can do it for you..

Comment 70 Petr Spacek 2015-04-21 14:37:35 UTC
As you said in comment #67, ClusterAdmin on cluster level would be too much. We have the ClusterAdmin permission only on export domain level so it has limited scope: It allows us to import VMs and delete imported VMs from export domain after that and that is all.

I very much agree with your idea
> we might need to allow (by default?) setting vm_owner on the vm to the user who performs the action

That would be elegant and solve the problem! Thank you!

Comment 71 Petr Spacek 2015-06-02 17:14:28 UTC
I would be really glad if you could contact us while fixing this so we can make sure that the change will work for our specific use case.

Thank you very much!

Comment 72 Shmuel Melamud 2015-06-15 16:31:07 UTC
I've posted a patch implementing the logic explained in comment 52: https://gerrit.ovirt.org/#/c/42392/

This will affect current behaviour as follows:

1. Users of User Portal have isMakeCreatorExplicitOwner = true, so they'll get ownership of all of their VMs. No changes here.
2. Users of Admin Portal that have admin rights will not get the ownership. No changes here.
3. Users of Admin Portal that don't have admin rights will get the ownership.
4. Users of REST API with Filter: true will get the ownership. No changes here.
5. Users of REST API with Filter: false that have admin rights will not get the ownership. No changes here.
6. Users of REST API with Filter: false that don't have admin rights will get the ownership.

I think, there is no sense to expose an option for this. The behaviour is mostly the same except the situation when a non-admin is creating a VM through admin UI or REST API. In this situation he must always get the ownership or he will loose access to his VM. The general rule: users without admin rights must be given permission to manage the VM if they have permission to create it.

On the other side, users with admin privileges may set the ownership afterwards or they may use User Portal or REST API with Filter: true to create VMs, so this option is not critical for them.

Taking into account that this option is anyway a temporary solution that will be removed in 4.0, we can easily go without it.

Any objections?

Comment 73 Petr Spacek 2015-06-16 08:13:17 UTC
From user's point of view it sounds good to me.

Comment 74 Michal Skrivanek 2015-06-16 17:27:16 UTC
please document it in the bug so a proper explanation gets to admin guide. It will now be even more confusing than before. We can live with that indeed, but worth a line in docs...

Comment 76 Max Kovgan 2015-06-28 14:12:28 UTC
ovirt-3.6.0-3 release

Comment 77 Ondra Machacek 2015-06-29 09:54:48 UTC
ok in 3.6.0-3

1) Admin User with CREATE_VM perm and without MANIPULATE_PERMS will obtain UserVmManager role on his newly creted vm for webadmin/userportal/restAPI filter=true/restAPI filter=false.

2) Admin User with CREATE_VM perm and with MANIPULATE_PERMS will not obtain UserVmManager role on his newly creted vm for webadmin/restAPI filter=false, but it do for userportal/restAPI filter=true


Note You need to log in before you can comment on or make changes to this bug.