Bug 1123676 - Unable to use RHEV/ovirt without admin permissions on the rhev cluster
Summary: Unable to use RHEV/ovirt without admin permissions on the rhev cluster
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Compute Resources
Version: 6.0.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Marek Hulan
QA Contact: Katello QA List
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-27 22:11 UTC by Ivan Necas
Modified: 2019-04-01 20:27 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-12 13:43:28 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 1370993 None None None Never

Description Ivan Necas 2014-07-27 22:11:45 UTC
Description of problem:
When trying to create a RHEV compute resource with a non-admin RHEV user, the following error occurs:

"query execution failed due to insufficient permissions."


The reason for this is that RHEV needs to be called with 'Filter: true' headers
for the API to work correctly with a non-admin user.

The rbovirt client library supports specifying the filtered_api option, but fog and foreman don't have support for that.

https://github.com/abenari/rbovirt/blob/a7c277e3fc5698e55e95a9432997b1a9c8d486ae/lib/rbovirt.rb#L54-L55

Comment 1 RHEL Product and Program Management 2014-07-27 22:23:32 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Dominic Cleal 2014-07-30 09:47:04 UTC
Created redmine issue http://projects.theforeman.org/issues/6835 from this bug

Comment 5 Bryan Kearney 2015-08-25 17:59:33 UTC
Upstream bug component is Compute Resources

Comment 6 Netbulae 2015-11-04 09:59:55 UTC
Still not working properly in current release. 

foreman-ovirt-1.9.2-1.el6.noarch
ruby193-rubygem-rbovirt-0.0.35-1.el6.noarch

    2015-11-02 10:29:17,126 DEBUG [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-9) Found permission fbcb73a0-226e-49d4-9e7a-01c665127a07 for user when running LoginUser, on Bottom with id bbb00000-0000-0000-0000-123456789bbb
    2015-11-02 10:29:17,128 DEBUG [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-9) Checking if user testuser is an admin, result false
    2015-11-02 10:29:17,129 INFO  [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-9) Running command: LoginUserCommand(LoginName = null, ProfileName = netbulae.test, AuthRecord = {Extkey[name=AAA_AUTHN_AUTH_RECORD_PRINCIPAL;type=class java.lang.String;uuid=AAA_AUTHN_AUTH_RECORD_PRINCIPAL[c3498f07-11fe-464c-958c-8bd7490b119a];]=testuser}, IsAdmin = false, ActionType = LoginUser, AuthType = CREDENTIALS) internal: false.
    2015-11-02 10:29:17,132 TRACE [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp--127.0.0.1-8702-9) START, GetConfigurationValueQuery(version: general, configuration value: ApplicationMode, refresh: false, filtered: false), log id: 438b23b5
    2015-11-02 10:29:17,134 TRACE [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp--127.0.0.1-8702-9) FINISH, GetConfigurationValueQuery, log id: 438b23b5
    2015-11-02 10:29:17,134 TRACE [org.ovirt.engine.core.bll.aaa.GetValueBySessionQuery] (ajp--127.0.0.1-8702-9) START, GetValueBySessionQuery(refresh: false, filtered: false), log id: 63d562b7
    2015-11-02 10:29:17,135 TRACE [org.ovirt.engine.core.bll.aaa.GetValueBySessionQuery] (ajp--127.0.0.1-8702-9) FINISH, GetValueBySessionQuery, log id: 63d562b7
    2015-11-02 10:29:17,136 TRACE [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9) START, SearchQuery(search type: StoragePool, search pattern: [Datacenter : ], case sensitive: true [from: 0, max: -1] refresh: true, filtered: false), log id: 4e440f95
    2015-11-02 10:29:17,138 ERROR [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9) Query execution failed due to insufficient permissions.
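
Added example, not part of the original comment or of any project named on this page: a Ruby script that correlates engine.log lines like those above per worker thread and reports permission denials where a non-admin user's query ran with `filtered: false`, the condition the description ties to the missing 'Filter: true' header. It assumes DEBUG/TRACE logging is enabled and that the `filtered:` field reflects whether the request was handled as a filtered query; the log lines are constructed and the names `unfiltered_denials`, `Denial` and `SAMPLE_LOG` are hypothetical.

```ruby
# Added example (not Foreman, fog, rbovirt or oVirt code).
# SAMPLE_LOG is constructed, shortened from the engine.log format quoted above.
SAMPLE_LOG = <<~LOG
  2015-11-02 10:29:17,128 DEBUG [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-9) Checking if user testuser is an admin, result false
  2015-11-02 10:29:17,136 TRACE [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9) START, SearchQuery(search type: StoragePool, search pattern: [Datacenter : ], refresh: true, filtered: false), log id: 4e440f95
  2015-11-02 10:29:17,138 ERROR [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9) Query execution failed due to insufficient permissions.
  2015-11-02 10:30:02,010 DEBUG [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3) Checking if user adminuser is an admin, result true
  2015-11-02 10:30:02,020 TRACE [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-3) START, SearchQuery(search type: StoragePool, search pattern: [Datacenter : ], refresh: true, filtered: false), log id: 1a2b3c4d
  2015-11-02 10:30:02,025 TRACE [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-3) FINISH, SearchQuery, log id: 1a2b3c4d
  2015-11-02 10:31:40,500 DEBUG [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-5) Checking if user otheruser is an admin, result false
  2015-11-02 10:31:40,510 TRACE [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-5) START, SearchQuery(search type: VM, search pattern: [Vms : ], refresh: true, filtered: true), log id: 5e6f7a8b
  2015-11-02 10:31:40,515 ERROR [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-5) Query execution failed due to insufficient permissions.
LOG

# timestamp, level, [logger], (worker thread), message
LINE  = /\A\s*(\S+ \S+)\s+\w+\s+\[[^\]]+\]\s+\(([^)]+)\)\s+(.*)\z/
LOGIN = /Checking if user (\S+) is an admin, result (true|false)/
START = /\ASTART, (\w+)\((.*)filtered: (true|false)\)/
Denial = Struct.new(:time, :thread, :user, :query, :search_type)

# Returns denials where a non-admin user's query ran with filtered: false.
# Correlation is per worker thread; thread names are reused across requests,
# so treat each hit as a lead to confirm, not as proof.
def unfiltered_denials(log)
  state = Hash.new { |h, k| h[k] = {} }
  hits = []
  log.each_line do |raw|
    parsed = LINE.match(raw.chomp) or next
    time, thread, msg = parsed.captures
    s = state[thread]
    if (m = LOGIN.match(msg))
      s.replace(user: m[1], admin: m[2] == "true") # new request on this thread
    elsif (m = START.match(msg))
      s[:query] = { name: m[1], type: m[2][/search type: (\w+)/, 1], filtered: m[3] == "true" }
    elsif msg.start_with?("FINISH, ")
      s.delete(:query)                              # query completed normally
    elsif msg =~ /insufficient permissions/i
      q = s.delete(:query)
      if q && !q[:filtered] && s[:admin] == false
        hits << Denial.new(time, thread, s[:user], q[:name], q[:type])
      end
    end
  end
  hits
end

unfiltered_denials(SAMPLE_LOG).each do |d|
  puts "#{d.time} #{d.user}: #{d.query}(#{d.search_type}) denied with filtered: false"
end
```

The third constructed request is denied while `filtered: true`, so it is not reported: that pattern points at a missing role or permission rather than at the client omitting the header.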

Comment 7 Bryan Kearney 2016-03-08 13:06:46 UTC
Upstream bug assigned to mhulan@redhat.com

Comment 8 Marek Hulan 2016-04-12 13:43:28 UTC
After consulting with oVirt developers, it turned out that admin-level roles are required. It does not mean that the user account would require superadmin privileges. The set of permissions required is documented at http://www.theforeman.org/manuals/1.11/#5.2.7oVirt/RHEVNotes

