Bug 1126242 - Inherited permissions on Pools doesn't reflect in Userportal
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Frontend.WebAdmin
Version: ---
Hardware: x86_64
OS: Linux
Target Milestone: ovirt-4.0.0-rc
Assignee: Michal Skrivanek
QA Contact: Pavel Stehlik
Depends On:
Reported: 2014-08-03 23:24 UTC by Ahmed Ossama
Modified: 2016-05-30 12:40 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-05-30 12:40:10 UTC
oVirt Team: Virt
ylavi: ovirt-4.0.0?
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?

System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1147960 None None None Never

Internal Links: 1147960

Description Ahmed Ossama 2014-08-03 23:24:56 UTC
Description of problem:
On a newly installed rhev-m, I added a new domain, and granted access to two users, first as a SuperUser and the second as a PowerUserRole.

Then I created a new pool and noticed that both users have inherited permissions on this pool. Also, admin@internal (SuperUser and PowerUserRole) had inherited permissions on it as well.

Version-Release number of selected component (if applicable): 3.4

How reproducible:

Steps to Reproduce:
1. Add a domain
2. Create Pool
3. Add a domain user with PowerUserRole
4. The permissions show as inherited in the Pool details
5. The user doesn't see the pool in the Userportal unless he is explicitly granted that permission on this pool

Actual results:
Upon logging in to the userportal with any of the four users (I tested them all), I don't see the pool anywhere.

Expected results:
If the user role doesn't have permissions on Pools, then it shouldn't show that he has inherited permissions on this pool.

Additional info:
Granting the permission to each user explicitly on the pool fixes it. But it's misleading to see that a user (the PowerUserRole in this case) does have inherited permissions to the pool while in fact he doesn't in the user portal.

I am trying to widely test this misleading inherited permission on different objects and will report anything weird.

Comment 1 Itamar Heim 2014-08-08 20:50:17 UTC
Michal - is this a bug? iirc, power user role is to create objects (then get permissions on them), not to see existing objects?
(and admin role is not relevant to user portal, which only shows objects based on user role permissions)?

Comment 2 Michal Skrivanek 2014-08-29 08:47:17 UTC
as per documentation you're right
But IMHO it's really not obvious enough. The term "PowerUserRole" is quite misleading in this respect
not sure what to do with it, though:/

Comment 3 Omer Frenkel 2014-10-07 12:26:49 UTC
bug 1147960 has the same issue with powerUserRole not seeing templates

Comment 4 Michal Skrivanek 2015-06-05 13:19:46 UTC
still want to consider this "soon"

Comment 6 Red Hat Bugzilla Rules Engine 2015-11-30 20:45:42 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 7 Sandro Bonazzola 2016-05-02 09:50:42 UTC
Moving from 4.0 alpha to 4.0 beta since 4.0 alpha has been already released and bug is not ON_QA.

Comment 8 Yaniv Lavi 2016-05-23 13:14:29 UTC
oVirt 4.0 beta has been released, moving to RC milestone.

Comment 9 Tomas Jelinek 2016-05-30 12:40:10 UTC
The description of the "PowerUserRole" says:
"User Role, allowed to create VMs, Templates and Disks"

The role behaves as documented (e.g. it gives you permissions to create, not to read existing VMs), and the description seems clear to me.

I think this could be closed as "not a bug" - feel free to reopen if something should be done here.
