Red Hat Bugzilla – Bug 1147960
Templates not listed when creating VM
Last modified: 2015-09-23 21:38:30 EDT
Description of problem:
Templates don't get listed in the New VM dialog window unless the user already has an existing VM created from a template. The user is a member of a group with "PowerUserRole" permissions.

Version-Release number of selected component (if applicable):
Version 3.5.0-0.13.beta (vt4)

How reproducible:
Always

Steps to Reproduce:
1. Import a few templates
2. Make sure the user has correct permissions
3. Connect as the user into user portal
4. Try creating a VM from one of the imported templates

Actual results:
No templates visible

Expected results:
The templates are listed

Additional info:
A template gets listed for a user after being used for creating a VM adding the user as manager.
final decision needs to be made, for now won't make 3.5 GA
In short, description of the problem: PowerUserRole is used to allow users to create vms, therefore it is given on cluster/data-center. Since we give this to users, and not to admins, we don't want them to see all objects (like vms/templates/pools) that belong to this cluster/dc by default, so PowerUserRole on DC is good for creating vms in that dc, but it doesn't allow seeing other vms/templates; this is by design. So if we want these users also to see templates, another 'viewing' permission is needed, like user_role on that dc.
Can you please double-check that the documentation is clear? We get a lot of confused people, so maybe it needs to be stressed a bit more.
(In reply to Omer Frenkel from comment #2)
> In short, description of the problem:
> PowerUserRole is used to allow users to create vms, therefore it is given on
> cluster/data-center.
> Since we give this to users, and not to admins, we don't want them to see
> all objects (like vms/templates/pools) that belong to this cluster/dc by
> default, so PowerUserRole on DC is good for creating vms in that dc, but it
> doesn't allow seeing other vms/templates; this is by design.
> So if we want these users also to see templates, another 'viewing' permission
> is needed, like user_role on that dc.

Tried adding UserRole to the DC as you suggested. It does not do what's expected. Yes, it shows templates, but also grants the user access to all vms in the dc.

Permissions related to templates only seem to be: TemplateOwner, TemplateAdmin, TemplateCreator.

What combination of permissions allows a user to create vms from templates in dc, without giving him any control over creating/maintaining them and also giving him access exclusively to his vms?

Because as of now I have to manually add UserRole to the template, even though PowerUserRole on the template is already inherited by System. This appears to be a bug to me.
Can the user portal team assess if this is a bug? There have been more comments from the bug reporter.

If this bug has documentation impact, be specific on what needs to be updated. Documentation can be improved in a more effective way if the engineering team is familiar with the documentation and can tell us what exactly is not clear.

Please need_info me if this bug indeed had documentation impact and I can clone the bug.

Many thanks,
Julie
It was expected that the user will be able to see all the vms in the dc; this is what user-role allows. Unfortunately, there is no general way to allow a user to see all templates but not to see vms. Also, there is no way to have a "view only" permission. Instead, I can suggest giving permission with UserTemplateBasedVm on the templates you want the user to see (or to everyone, so it's public), or you can make templates 'public' when creating the template. Let me know if this helps better.
Should have mentioned this concerns mostly import of templates instead of creation... (my bad, sorry). The thing is, we had a bunch of templates, that were stored on a specific storage, which was used for import/export. The templates were created by an earlier version of RHEVM and they were visible to all users (preconfigured systems). Importing these templates no longer results in them being immediately visible to the intended user (adding UserTemplateBasedVm in 3.5?). So, if this is really working as intended the only thing required is documentation.
(In reply to Tomas Jamrisko from comment #8)
> So, if this is really working as intended the only thing required is
> documentation.

anything specific you want to mention? I'm a bit confused here :)
Sorry for the delay, haven't been in the office for a while... Anything specific? -- that comment was written when it seemed it worked as expected. Which it kinda does. At least it works perfectly fine for newly created templates. The issue I have is with templates that were exported to a domain by an older version (not sure about which one) and later imported by 3.5. These old imported templates have their permissions messed up and it results in the described behaviour.
can you specify versions so we can check? if it is a problem of importing templates exported from previous RHEV versions we may have something to fix
I believe the templates were exported by RHEV 3.2, and the issue has not been happening before we installed 3.5 (not sure about the exact build (definitely back in September)) and tried now on rhevm-3.5.0-0.29, which behaves differently from .22. It lists more templates, but still not all, at least not for some users.
3.5.1 is already full with bugs (over 80), and since none of these bugs were added as urgent for 3.5.1 release in the tracker bug, moving to 3.5.2
Moving to 3.5.4 due to capacity planning for 3.5.3. If you believe this should remain in 3.5.3, please sync with pm/dev/qe and a full triple ack for it. Also, ensure priority is set according to the bug status.
Documentation update needed (looking at [1]): when importing a vm or template, no permissions are set on the imported vm/template; the user needs to manually set the right permissions that are suitable to the new setup in order to use the imported vm/template (as clusters/datacenters/users might be (probably are) different from the source setup the vm/template had been exported from).

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Exporting_and_Importing_Virtual_Machines_and_Templates.html

Then, there is no fix needed here.

Please note I opened Bug 1226968 - [RFE] Allow making templates public on import, to allow making a template public during the import process instead of this manual step, for users that use public templates.
Reviewed in cs22765. The content has been updated as requested. I made two minor changes in my QA pass. Updated revision numbers as appropriate.

Updated in production spec cs23027:
Exporting and Importing Virtual Machines and Templates [8771-760188]
Graphical Overview for Exporting and Importing Virtual Machines and Templates [7514-760175]
Exporting a Virtual Machine to the Export Domain [7515-760366]
Importing a Virtual Machine into the Destination Data Center [7516-760368]
Revision History [34613-760376]

Moving to VERIFIED.