Created attachment 930792 [details] engine.log Description of problem: I tried to reproduce this bug https://bugzilla.redhat.com/show_bug.cgi?id=1128430 and got this message when tried to attach a non-existent disk to a VM: <fault> <reason>Operation Failed</reason> <detail>[User is not authorized to perform this action.]</detail> </fault> Version-Release number of selected component (if applicable): ovirt-3.5 RC1.1 ovirt-engine-3.5.0-0.0.master.20140821064931.gitb794d66.el6.noarch How reproducible: Always Steps to Reproduce: 1. Use REST API to attach a non existent disk to a VM Actual results: I got a wrong error message in the CDA: 2014-08-26 11:58:29,221 WARN [org.ovirt.engine.core.bll.AttachDiskToVmCommand] (ajp--127.0.0.1-8702-2) [19e0cd33] CanDoAction of action AttachDiskToVm failed. Reasons:VAR__ACTION__ATTACH_ACTION_TO,VAR__TYPE__VM_D ISK,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION Expected results: User should get an informative error message like "disk doesn't exist in the system" Additional info: engine.log
Not sure this is a bad error - if you don't have permissions for a disk (which no one has, because it doesn't exist), you should not be informed about its existence.
Allon, it is a wrong error message. the disk doesn't exist. Saying "don't have permissions" it is like saying "out of space" for me it is a bug, you can close as wontfix but not as notabug
(In reply to Aharon Canan from comment #2) > Allon, it is a wrong error message. > the disk doesn't exist. > > Saying "don't have permissions" it is like saying "out of space" > for me it is a bug, you can close as wontfix but not as notabug This is just incorrect - it's a basic security concept. You do not disclose even the (non) existence of an object you do not have permission on. Compare, for example, to the treatment of ORA-00942 in Oracle.