The current implementation of vmconsole violates the product permission model, object permission inheritance, Everyone assignment and group assignment. The implementation should be modified to the following sequence:
1. Resolve the internal user id into (authz-name, authz-id (external id), namespace).
2. Search the authz principal by id and namespace, with the resolve-group and resolve-group-recursively flags.
3. Construct an engine session and assign context if the implementation requires that in order to look up objects.
4. Find all VM objects that are running and match this context with the specific role ConsoleAccess (or anything we decide). Everyone/User/Group matches are based on the System Roles / data center / cluster / VM hierarchy as usual.

Expected Result:
1. Assign Everyone the ConsoleAccess role in System Roles -> all users can access all consoles.
2. Assign user1 the ConsoleAccess role in System Roles -> user1 can access all consoles.
3. Assign group1 the ConsoleAccess role in System Roles -> user1, which is a member of group1, can access all consoles.
[repeat above with Datacenter]
[repeat above with Cluster]
[repeat above with VM]
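The permission-resolution sequence from the description, as an added example that is not part of this bug or of the oVirt code: the ConsoleAccess role name, the `directory` mapping of internal to external ids with recursive group membership, and the users, groups and VMs are all constructed assumptions. It walks the System -> Datacenter -> Cluster -> VM inheritance for Everyone, a user and a nested group, and skips VMs that are not running.

```python
from dataclasses import dataclass

ROLE = "ConsoleAccess"  # role name is an assumption; the bug leaves the exact role open

@dataclass(frozen=True)
class VM:
    vm_id: str
    datacenter: str
    cluster: str
    running: bool

@dataclass(frozen=True)
class Permission:
    principal: str  # "Everyone", or an authz user/group id (external_id)
    role: str
    scope: str      # "System", "DC:<id>", "Cluster:<id>" or "VM:<id>"

def resolve_principals(internal_user_id, directory):
    """Steps 1-2: internal user id -> authz id, plus groups resolved recursively."""
    authz_id = directory["users"][internal_user_id]   # internal id -> external id
    principals, stack = {"Everyone", authz_id}, [authz_id]
    while stack:
        for group in directory["groups"].get(stack.pop(), ()):
            if group not in principals:                 # nested group membership
                principals.add(group)
                stack.append(group)
    return principals

def inherited_scopes(vm):
    """Scopes whose permissions a VM inherits: System -> DC -> Cluster -> VM."""
    return {"System", f"DC:{vm.datacenter}", f"Cluster:{vm.cluster}", f"VM:{vm.vm_id}"}

def list_consoles(internal_user_id, directory, permissions, vms, role=ROLE):
    """Step 4: running VMs on which one of the user's principals holds the role."""
    principals = resolve_principals(internal_user_id, directory)
    granted = {p.scope for p in permissions if p.role == role and p.principal in principals}
    return sorted(vm.vm_id for vm in vms if vm.running and inherited_scopes(vm) & granted)

# Constructed sample: two users, one nested group, two DCs, one stopped VM.
DIRECTORY = {
    "users": {"int-u1": "ext-u1", "int-u2": "ext-u2"},
    "groups": {"ext-u1": ["group1"], "group1": ["parent-group"]},
}
VMS = [VM("vm1", "dc1", "cl1", True), VM("vm2", "dc1", "cl2", True),
       VM("vm3", "dc2", "cl3", True), VM("vm4", "dc2", "cl3", False)]

if __name__ == "__main__":
    perms = [Permission("parent-group", ROLE, "DC:dc1"), Permission("ext-u2", ROLE, "VM:vm3")]
    print(list_consoles("int-u1", DIRECTORY, perms, VMS))  # user1 via nested group: vm1, vm2
    print(list_consoles("int-u2", DIRECTORY, perms, VMS))  # user2 directly on vm3
```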
4. item (virt specific) is tracked in bug 1264391
sorry, bug#1264391 is irrelevant for this one, the permission check will use whatever role that is assigned to vmconsole.
Fixed bug tickets must have version flags set prior to fixing them. Please set the correct version flags and move the bugs back to the previous status after this is corrected.
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.
In oVirt, testing is done on a single release by default. Therefore I'm removing the 4.0 flag. If you think this bug must be tested in 4.0 as well, please re-add the flag. Please note we might not have testing resources to handle the 4.0 clone.
Moving back to modified, as the rule changed it for some reason....
Please provide reproduction steps for this bug for verification.
1. Create a user with SUPER_USER / VM_OPERATOR or INSTANCE_OPERATOR permissions on the DC or Cluster.
2. Create a VM in the DC and start the VM.
3. List the VM consoles accessible by the user by running
   ovirt-vmconsole-list.py consoles --entityid @USER_INTERNAL_ID@
   where USER_INTERNAL_ID is the id of the user in the users table in the database.
You should see the running VM listed.
Works for me on these components:
rhevm-3.6.1.1-0.1.el6.noarch
ovirt-host-deploy-java-1.4.1-1.el6ev.noarch
ovirt-vmconsole-1.0.0-1.el6ev.noarch
ovirt-host-deploy-1.4.1-1.el6ev.noarch
ovirt-vmconsole-proxy-1.0.0-1.el6ev.noarch
ovirt-engine-extension-aaa-jdbc-1.0.4-1.el6ev.noarch

# ovirt-aaa-jdbc-tool user add black \
> --attribute=firstName=Black \
> --attribute=lastName=Blackovich \
> --attribute=email=black
adding user black...
user added successfully

# ovirt-aaa-jdbc-tool user show black
-- User black(2fbb2bae-e9b1-450e-ac45-c53e74b388f8) --
Namespace: *
Name: black
ID: 2fbb2bae-e9b1-450e-ac45-c53e74b388f8
Display Name:
Email: black
First Name: Black
Last Name: Blackovich
Department:
Title:
Description:
Account Disabled: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2015-12-07 15:40:50Z
Account Valid To: 2215-12-07 15:40:50Z
Account Without Password: false
Last successful Login At: 1970-01-01 00:00:00Z
Last unsuccessful Login At: 1970-01-01 00:00:00Z
Password Valid To: 1970-01-01 00:00:00Z

# ovirt-aaa-jdbc-tool user password-reset black
Password:
updating user black...
user updated successfully

# cat /etc/ovirt-engine/engine.conf.d/10-setup-database.conf
ENGINE_DB_HOST="localhost"
ENGINE_DB_PORT="5432"
ENGINE_DB_USER="engine"
ENGINE_DB_PASSWORD="8HVeFa9uGGn4CGg7LlOJqe"
ENGINE_DB_DATABASE="engine"
ENGINE_DB_SECURED="False"
ENGINE_DB_SECURED_VALIDATION="False"
ENGINE_DB_DRIVER="org.postgresql.Driver"
ENGINE_DB_URL="jdbc:postgresql://localhost:5432/engine?sslfactory=org.postgresql.ssl.NonValidatingFactory"

# su - postgres
-bash-4.1$ psql -d engine
psql (8.4.20)
engine-# select * from users;
ERROR:  syntax error at or near "select"
LINE 2: select * from users;
        ^
engine=# select * from users;
               user_id                | name  |  surname   |     domain     | username | department | email | note | last_admin_check_status |             external_id              |         _create_date          |         _update_date          | namespace
--------------------------------------+-------+------------+----------------+----------+------------+-------+------+-------------------------+--------------------------------------+-------------------------------+-------------------------------+-----------
 00000018-0018-0018-0018-000000000279 | admin |            | internal-authz | admin    |            |       |      | t                       | 8cd95752-63a8-4738-a87d-89fc2617c5af | 2015-11-29 18:33:20.609721+02 | 2015-12-07 16:45:53.442793+02 | *
 973131f6-ba7e-4a37-974f-bf7139ee626a | Black | Blackovich | internal-authz | black    |            | black |      | t                       | 2fbb2bae-e9b1-450e-ac45-c53e74b388f8 | 2015-12-07 17:42:17.968475+02 | 2015-12-07 17:44:37.365973+02 | *
(2 rows)

engine=# \q
-bash-4.1$ exit

# /usr/libexec/ovirt-vmconsole-proxy-helper/ovirt-vmconsole-list.py consoles --entityid 00000018-0018-0018-0018-000000000279
{"content": "console_list", "consoles": [{"vmname": "vm1", "vmid": "2feb7c67-0875-4407-a64e-bd3d7a2120bd", "host": "alma04.qa.lab.tlv.redhat.com", "console": "2feb7c67-0875-4407-a64e-bd3d7a2120bd.sock", "vm": "vm1"}], "version": 1}

[root@nsednev-he-1 ~]# /usr/libexec/ovirt-vmconsole-proxy-helper/ovirt-vmconsole-list.py consoles --entityid 973131f6-ba7e-4a37-974f-bf7139ee626a
{"content": "console_list", "consoles": [{"vmname": "vm1", "vmid": "2feb7c67-0875-4407-a64e-bd3d7a2120bd", "host": "alma04.qa.lab.tlv.redhat.com", "console": "2feb7c67-0875-4407-a64e-bd3d7a2120bd.sock", "vm": "vm1"}], "version": 1}
According to verification status and target milestone this issue should be fixed in oVirt 3.6.1. Closing current release.