Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1123676 - Unable to use RHEV/ovirt without admin permissions on the rhev cluster
Summary: Unable to use RHEV/ovirt without admin permissions on the rhev cluster
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Compute Resources
Version: 6.0.3
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: Marek Hulan
QA Contact: Katello QA List
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-27 22:11 UTC by Ivan Necas
Modified: 2021-12-10 14:25 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-12 13:43:28 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 1370993 0 None None None Never

Description Ivan Necas 2014-07-27 22:11:45 UTC 
Description of problem:
When trying to create a rhev compute resource with non-admin RHEV user, the following error occurs:

"query execution failed due to insufficient permissions."


The reason for this is the RHEV needs to be called with 'Filter: true' headers
for the api to work correctly with non-admin user.

The rbovirt client library supports to specify the filtered_api option, but fog and foreman don't have a support for that

https://github.com/abenari/rbovirt/blob/a7c277e3fc5698e55e95a9432997b1a9c8d486ae/lib/rbovirt.rb#L54-L55
Comment 1 RHEL Program Management 2014-07-27 22:23:32 UTC 
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
Comment 3 Dominic Cleal 2014-07-30 09:47:04 UTC 
Created redmine issue http://projects.theforeman.org/issues/6835 from this bug
Comment 5 Bryan Kearney 2015-08-25 17:59:33 UTC 
Upstream bug component is Compute Resources
Comment 6 Netbulae 2015-11-04 09:59:55 UTC 
Still not working properly in current release. 

foreman-ovirt-1.9.2-1.el6.noarch
ruby193-rubygem-rbovirt-0.0.35-1.el6.noarch

2015-11-02 10:29:17,126 DEBUG [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-9) Found permission fbcb73a0-226e-49d4-9e7a-01c665127a07 for user when running LoginUser, on Bottom with id bbb00000-0000-0000-0000-123456789bbb
    2015-11-02 10:29:17,128 DEBUG [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-9) Checking if user testuser is an admin, result false
    2015-11-02 10:29:17,129 INFO  [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-9) Running command: LoginUserCommand(LoginName = null, ProfileName = netbulae.test, AuthRecord = {Extkey[name=AAA_AUTHN_AUTH_RECORD_PRINCIPAL;type=class java.lang.String;uuid=AAA_AUTHN_AUTH_RECORD_PRINCIPAL[c3498f07-11fe-464c-958c-8bd7490b119a];]=testuser}, IsAdmin = false, ActionType = LoginUser, AuthType = CREDENTIALS) internal: false.
    2015-11-02 10:29:17,132 TRACE [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp--127.0.0.1-8702-9) START, GetConfigurationValueQuery(version: general, configuration value: ApplicationMode, refresh: false, filtered: false), log id: 438b23b5
    2015-11-02 10:29:17,134 TRACE [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp--127.0.0.1-8702-9) FINISH, GetConfigurationValueQuery, log id: 438b23b5
    2015-11-02 10:29:17,134 TRACE [org.ovirt.engine.core.bll.aaa.GetValueBySessionQuery] (ajp--127.0.0.1-8702-9) START, GetValueBySessionQuery(refresh: false, filtered: false), log id: 63d562b7
    2015-11-02 10:29:17,135 TRACE [org.ovirt.engine.core.bll.aaa.GetValueBySessionQuery] (ajp--127.0.0.1-8702-9) FINISH, GetValueBySessionQuery, log id: 63d562b7
    2015-11-02 10:29:17,136 TRACE [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9) START, SearchQuery(search type: StoragePool, search pattern: [Datacenter : ], case sensitive: true [from: 0, max: -1] refresh: true, filtered: false), log id: 4e440f95
    2015-11-02 10:29:17,138 ERROR [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9) Query execution failed due to insufficient permissions.
Comment 7 Bryan Kearney 2016-03-08 13:06:46 UTC 
Upstream bug assigned to mhulan
Comment 8 Marek Hulan 2016-04-12 13:43:28 UTC 
After consulting with oVirt developers it turned out that admin-level roles are required. It does not mean that the user account would require superadmin privileges. The set of permission required is documented at http://www.theforeman.org/manuals/1.11/#5.2.7oVirt/RHEVNotes
Note You need to log in before you can comment on or make changes to this bug.