Bug 1210248 - Add 'admin' key to [ovirt] .vv file section
Summary: Add 'admin' key to [ovirt] .vv file section
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: virt-viewer
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 7.2
Assignee: Virt Viewer Maint
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 1289969
Reported: 2015-04-09 09:38 UTC by Christophe Fergeau
Modified: 2016-03-02 16:13 UTC (History)

Fixed In Version: virt-viewer-2.0-2.el7
Doc Type: Bug Fix
Doc Text:
No doc needed
Clone Of:
: 1289969 (view as bug list)
Environment:
Last Closed: 2015-11-19 07:36:23 UTC
Target Upstream Version:
Embargoed:


Attachments
Screenshot-1 (135.84 KB, image/png), 2015-08-20 01:50 UTC, zhoujunqin
Screenshot-2 (139.21 KB, image/png), 2015-08-20 01:51 UTC, zhoujunqin
Screenshot-3 (111.41 KB, image/png), 2015-08-31 10:49 UTC, zhoujunqin


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2211 0 normal SHIPPED_LIVE virt-viewer, spice-gtk, and libgovirt bug fix and enhancement update 2015-11-19 08:27:40 UTC

Description Christophe Fergeau 2015-04-09 09:38:22 UTC
Accessing VMs visible from the admin portal through the REST API is different from accessing the VMs visible from the user portal. A "Filter:" header whose value is True/False is needed. libgovirt supports that, but oVirt needs to be able to pass this information through the .vv file.

Patch is upstream:
https://git.fedorahosted.org/cgit/virt-viewer.git/commit/?id=0c8f07e

Comment 3 zhoujunqin 2015-08-19 10:33:33 UTC
Try to verify this bug with new build:
libgovirt-0.3.3-1.el7.x86_64
virt-viewer-2.0-6.el7.x86_64

RHEVM server: 3.6.0 
rhevm-3.6.0-0.11.master.el6.noarch

Steps:
Scenario 1: Using a guest that is visible in the admin portal but isn't visible in the user portal

1. Prepare a running guest on rhevm server, "Permissions" setting for guest is like "Screenshot-1".
guest name: juzhou-rhel6

2. Download guest file "console.vv" to check 'admin' field in the [ovirt] section of .vv files 

2.1 Right-click on this guest and select "Console Options" item, then select Console Invocation as "Native client".

2.2. Click the guest and select "Console" item, then save the console file "console.vv" to local machine.

2.3. Open file console.vv check the 'admin' field in the [ovirt] section 
# cat console.vv
...

[ovirt]
host=10.66.72.27
vm-guid=38e8d75c-1825-4c7a-b72d-7c9953fd96f4
jsessionid=SXFVYqzEbU4cS+gykDYQCaYX
admin=1----------------------------------------------->>added

3. Connect to this guest:
# remote-viewer --ovirt-ca-file=ca.crt ovirt://$rhevm hostname/juzhou-rhel6
username:admin@internal
password:****

Result: 
After step 3: after entering user/passwd, an error box pops up:
Couldn't open oVirt session: No virtual machine found
It can be dismissed by clicking the "OK" button.
But I can access the guest via the #remote-viewer console.vv way.

Q1: Since there is no user list in guest "Permission" menu, so can we connect to this guest using empty user/passwd when using ovirt session?


Scenario 2: Using a guest that is visible in the admin portal and also visible in the user portal

1. Prepare a running guest on rhevm server, "Permissions" setting for guest is like "Screenshot-2".
guest name: juzhou-rhel6-permission

2. Download guest console.vv file and check:
In admin portal:
# cat console.vv
[ovirt]
host=10.66.72.27
vm-guid=97ca17af-2fd0-44f8-9394-f21f6b37494e
jsessionid=SXFVYqzEbU4cS+gykDYQCaYX
admin=1-------------------------------------------->>added

In user portal:
# cat console.vv
[ovirt]
host=10.66.72.27
vm-guid=97ca17af-2fd0-44f8-9394-f21f6b37494e
jsessionid=5P4J2jtDrp1sw3q6Dq4kiNU9
admin=1-------------------------------------------->>added


3. Connect to this guest:
# remote-viewer --ovirt-ca-file=ca.crt ovirt://$rhevm hostname/juzhou-rhel6-permission
username:admin@internal
password:****

Result: Can access to guest after input username and password.

So Christophe Fergeau, please help me check whether my steps are right or not, and also please have a look at my question.

Comment 4 David Blechter 2015-08-19 11:36:20 UTC
(In reply to zhoujunqin from comment #3)
> Try to verify this bug with new build:
> libgovirt-0.3.3-1.el7.x86_64
> virt-viewer-2.0-6.el7.x86_64
> 
> RHEVM server: 3.6.0 
> rhevm-3.6.0-0.11.master.el6.noarch
> 
> Steps:
> Scenario 1: Using a guest that is visible in the admin portal but isn't
> visible in the user portal
> 
> 1. Prepare a running guest on rhevm server, "Permissions" setting for guest
> is like "Screenshot-1".
> guest name: juzhou-rhel6
> 
> 2. Download guest file "console.vv" to check 'admin' field in the [ovirt]
> section of .vv files 
> 
> 2.1 Right-click on this guest and select "Console Options" item, then select
> Console Invocation as "Native client".
> 
> 2.2. Click the guest and select "Console" item, then save the console file
> "console.vv" to local machine.
> 
> 2.3. Open file console.vv check the 'admin' field in the [ovirt] section 
> # cat console.vv
> ...
> 
> [ovirt]
> host=10.66.72.27
> vm-guid=38e8d75c-1825-4c7a-b72d-7c9953fd96f4
> jsessionid=SXFVYqzEbU4cS+gykDYQCaYX
> admin=1----------------------------------------------->>added
> 
> 3. Connect to this guest:
> # remote-viewer --ovirt-ca-file=ca.crt ovirt://$rhevm hostname/juzhou-rhel6
> username:admin@internal
> password:****
> 
> Result: 
> After step 3: after entering user/passwd, an error box pops up:
> Couldn't open oVirt session: No virtual machine found
> It can be dismissed by clicking the "OK" button.
> But I can access the guest via the #remote-viewer console.vv way.
> 
> Q1: Since there is no user list in guest "Permission" menu, so can we
> connect to this guest using empty user/passwd when using ovirt session?
> 
> 
> Scenario 2: Using a guest that is visible in the admin portal and also
> visible in the user portal
> 
> 1. Prepare a running guest on rhevm server, "Permissions" setting for guest
> is like "Screenshot-2".
> guest name: juzhou-rhel6-permission
> 
> 2. Download guest console.vv file and check:
> In admin portal:
> # cat console.vv
> [ovirt]
> host=10.66.72.27
> vm-guid=97ca17af-2fd0-44f8-9394-f21f6b37494e
> jsessionid=SXFVYqzEbU4cS+gykDYQCaYX
> admin=1-------------------------------------------->>added
> 
> In user portal:
> # cat console.vv
> [ovirt]
> host=10.66.72.27
> vm-guid=97ca17af-2fd0-44f8-9394-f21f6b37494e
> jsessionid=5P4J2jtDrp1sw3q6Dq4kiNU9
> admin=1-------------------------------------------->>added
> 
> 
> 3. Connect to this guest:
> # remote-viewer --ovirt-ca-file=ca.crt ovirt://$rhevm
> hostname/juzhou-rhel6-permission
> username:admin@internal
> password:****
> 
> Result: Can access to guest after input username and password.
> 
> So Christophe Fergeau, please help me check whether my steps are right or
> not, and also please have a look at my question.

Hi,

Christophe is on PTO and will be back next week on Aug 24th.

Thanks, David

Comment 5 zhoujunqin 2015-08-20 01:49:46 UTC
Hi David,
thanks for your information.

Comment 6 zhoujunqin 2015-08-20 01:50:45 UTC
Created attachment 1065064 [details]
Screenshot-1

Comment 7 zhoujunqin 2015-08-20 01:51:37 UTC
Created attachment 1065065 [details]
Screenshot-2

Comment 8 Christophe Fergeau 2015-08-24 12:40:40 UTC
For scenario #1, I'd compare what happens when admin=1 and admin=0 are used in the .vv file, admin=0 should fail.
For scenario #2, I'd also try both admin=0 and admin=1 (and I guess both would work).
I would also try scenario #2 with a user who cannot connect as an admin.

Comment 9 Christophe Fergeau 2015-08-24 12:41:49 UTC
(In reply to zhoujunqin from comment #3)

> Q1: Since there is no user list in guest "Permission" menu, so can we
> connect to this guest using empty user/passwd when using ovirt session?

If this "permission" menu is an oVirt menu in its web interface, I don't know

Comment 10 zhoujunqin 2015-08-25 09:27:54 UTC
(In reply to Christophe Fergeau from comment #8)
> For scenario #1, I'd compare what happens when admin=1 and admin=0 are used
> in the .vv file, admin=0 should fail.

I tried again: after downloading the .vv file, I changed admin=1 to admin=0, and then I can also connect to the guest with:
#remote-viewer console.vv
Is this correct?

> For scenario #2, I'd also try both admin=0 and admin=1 (and I guess both
> would work).
I get the same result as you.

> I would also try scenario #2 with a user who cannot connect as an admin.

Comment 11 Christophe Fergeau 2015-08-26 07:53:16 UTC
It all depends on how things look in RHEV web UIs.
If a VM can be seen by a given user both in admin portal and in user portal, then admin=0/1 should not make a difference.
If a VM cannot be seen by the user in the user portal and they can log in as an admin, then admin=1 should work, and admin=0 should fail.
If the user cannot login as an admin, and they can see the VM in the user portal, then admin=1 should fail, and admin=0 should work.

Comment 12 Christophe Fergeau 2015-08-27 15:15:44 UTC
As usual I got confused about VM access VS foreign menu.
admin=0/1 should only impact foreign menu in remote-viewer
non-admin user with admin=1 should give no foreign menu
admin user with VM they can't see in the user portal should give no foreign menu with admin=0
non-admin user with admin=0 should give foreign menu with a VM they can see in the user portal
admin user with admin=1 should give foreign menu with VM they can see in the admin portal.
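
The combinations listed in comment 12, as an added example that is not part of the bug report or of virt-viewer's code: it reads the "admin" key from an [ovirt] section and models the expected foreign-menu outcome, showing that editing the flag in the file does not by itself grant the admin view. The direction of the "Filter" header (admin view sends "false"), the missing-key default, the function names and the sample values are assumptions.

```python
import configparser

# Constructed sample in the layout comment 3 shows; host, vm-guid and
# jsessionid are placeholders, not values from a real engine.
SAMPLE_VV = """\
[ovirt]
host=engine.example.test
vm-guid=00000000-0000-0000-0000-000000000001
jsessionid=PLACEHOLDER
admin=1
"""

# Assumption: the key follows GKeyFile boolean spellings.
_BOOL = {"1": True, "true": True, "0": False, "false": False}

def read_admin_flag(vv_text):
    """Return the [ovirt] admin flag; a missing key is treated as False."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(vv_text)
    if not cp.has_section("ovirt"):
        raise ValueError("no [ovirt] section in .vv data")
    raw = cp["ovirt"].get("admin", "0").strip()
    if raw not in _BOOL:
        raise ValueError("admin must be a boolean, got %r" % raw)
    return _BOOL[raw]

def filter_header(admin_flag):
    """Assumed mapping: admin view is unfiltered, user view is filtered."""
    return {"Filter": "false" if admin_flag else "true"}

def foreign_menu_expected(admin_flag, user_is_admin,
                          in_admin_portal, in_user_portal):
    """Expected outcome per comment 12; the server, not the file, decides."""
    if admin_flag:
        # Admin view requested: only honoured for an account with admin rights.
        return user_is_admin and in_admin_portal
    # User view requested: the VM must be visible in the user portal.
    return in_user_portal

if __name__ == "__main__":
    flag = read_admin_flag(SAMPLE_VV)
    print(flag, filter_header(flag))
    # The four combinations listed in comment 12, in the same order.
    for case in [(True, False, False, True), (False, True, True, False),
                 (False, False, False, True), (True, True, True, False)]:
        print(case, "->", foreign_menu_expected(*case))
```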

Comment 13 zhoujunqin 2015-08-28 10:28:04 UTC
First, thanks for teuf's kind help, I understand this function well now.

And try to verify this bug again with package:
virt-viewer-2.0-6.el7.x86_64
libgovirt-0.3.3-1.el7.x86_64

Steps:
Scenario 1: Using a guest that is visible in the admin portal but isn't visible in the user portal (VM permission setting like screenshot-1)

1. Download ca.crt file and then do "trust anchor ca.crt" as root

# wget -k https://dell-op780-05.qe.lab.eng.nay.redhat.com/ca.crt

# trust anchor ca.crt


2. Download guest file "console.vv" to check 'admin' field in the [ovirt] section of .vv files 

2.1 Login rhevm server with rhevm hostname instead of ip, right-click on this guest and select "Console Options" item, then select Console Invocation as "Native client".

2.2. Click the guest and select "Console" item, then save the console file "console.vv" to local machine.

2.3. Open file console.vv check the 'admin' field in the [ovirt] section 
# cat console.vv
...
[ovirt]
host=dell-op780-05.qe.lab.eng.nay.redhat.com
vm-guid=38e8d75c-1825-4c7a-b72d-7c9953fd96f4
jsessionid=xmhCoeXUUSsQbAuE5D0EHg4B
admin=1--------------------------------------------->added

3. Use remote-viewer launch guest:
# remote-viewer console.vv 

4. Reconnect to the guest again after modifying the .vv file to admin=0

Result:
With admin=1, the guest can be launched and the foreign menu "Change CD" is visible.
But with admin=0, the guest can be launched but the foreign menu is not visible.

About the trust anchor requirement: filed a separate bug, 1257886, to track it.

Comment 15 zhoujunqin 2015-08-31 10:49:15 UTC
Created attachment 1068591 [details]
Screenshot-3

Comment 17 errata-xmlrpc 2015-11-19 07:36:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2211.html

