Bug 1265278 - User with all permission cannot create VM from scratch when 2 data centers are configured
Product: ovirt-engine
Classification: oVirt
Component: BLL.Virt
Priority: high
Severity: high
: ovirt-3.6.3
: 3.6.3
Assigned To: Martin Betak
QA Contact: Petr Kubica
Depends On:
Reported: 2015-09-22 10:26 EDT by Enrico Tagliavini
Modified: 2016-03-11 02:22 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-03-11 02:22:32 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: Virt
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
rule-engine: ovirt-3.6.z+
rule-engine: planning_ack+
michal.skrivanek: devel_ack+
pstehlik: testing_ack+

Attachments
screenshot of web interface not showing templates (42.23 KB, image/png)
2015-09-24 06:17 EDT, Enrico Tagliavini

External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 52449 master MERGED core: Allow GetVmTemplatesByStoragePoolIdQuery in UserPortal 2016-01-20 06:06 EST
oVirt gerrit 52491 ovirt-engine-3.6 MERGED core: Allow GetVmTemplatesByStoragePoolIdQuery in UserPortal 2016-01-26 11:14 EST

Description Enrico Tagliavini 2015-09-22 10:26:36 EDT
Description of problem:
I recently added a second data center to our manager and configured a cluster with storage type local (just a workstation for some testing). I tried to configure rights for the users to create the VMs. They cannot, the manager says they are not authorized to perform this action, and in engine.log I can see:

2015-09-22 16:11:45,361 WARN  [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/ [488942f5] CanDoAction of action AddVmFromScratch failed for user <myuser@mydomain>. Reasons: VAR__ACTION__ADD,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

Nothing else in the logs. So I created a custom role, type set to user and selected all permissions, then assigned this role to my user for one data center. Nothing changed, same error message and log entry.

Before creating the second data center (well, third if we count the default one which is not used) the PowerUserRole role was sufficient to let users create VMs in the existing data center. Now such a role is not sufficient any more. Only admin privileges let the VM creation happen.

Version-Release number of selected component (if applicable):
Running RHEVM

How reproducible:

Steps to Reproduce:
1. Configure two data centers
2. Assign role PowerUserRole (or custom with all privileges) to a test user on one data center.
3. Login into the user portal with the test user and try to create a VM from scratch

Actual results:
VM creation fails saying authorization is missing

Expected results:
Since the createvm privilege was enabled in the role assigned to the user, VM creation is expected to succeed
Comment 1 Ondra Machacek 2015-09-22 10:58:29 EDT
Are you sure, that you are trying to create that vm in datacenter where you have the permissions assigned? Just assign the permissions for both datacenters to that user.
Comment 2 Enrico Tagliavini 2015-09-22 11:50:13 EDT
(In reply to Ondra Machacek from comment #1)
> Are you sure, that you are trying to create that vm in datacenter where you
> have the permissions assigned? Just assign the permissions for both
> datacenters to that user.

Yes I'm sure. In fact my test user has permission on both. Before adding the second one it was working on the first one. Now it fails on both.
Comment 3 Ondra Machacek 2015-09-22 12:59:34 EDT
I cannot reproduce. Would you please send the whole log of creation of vm? Not only the 'warn'. I think you are missing some permission somewhere (on network, disk profile, storage, ..). Maybe you hit bug 1209505.
Comment 4 Ravi Nori 2015-09-22 14:45:33 EDT
I am unable to reproduce this on current master and specified version.
Comment 5 Enrico Tagliavini 2015-09-23 04:33:52 EDT
I checked out bug 1209505 and I'm affected indeed. All storage domains (even the older ones) are affected by this. Maybe this happened during the migration from RHEV 3.4 to 3.5? But this happened months ago and with only one data center it was working. That said, I applied the fix for this bug.

But let's go back in time to yesterday for a second. The log actually shows something more as you suggested:

2015-09-22 14:52:27,023 ERROR [org.ovirt.engine.core.bll.GetVmTemplatesByStoragePoolIdQuery] (ajp-/ Query execution failed due to insufficient permissions.
2015-09-22 14:52:29,415 ERROR [org.ovirt.engine.core.bll.GetVmTemplatesByStoragePoolIdQuery] (ajp-/ Query execution failed due to insufficient permissions.
2015-09-22 14:52:32,448 WARN  [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/ [2f819f2b] CanDoAction of action AddVmFromScratch failed for user zrsta01@uni-tuebingen.de. Reasons: VAR__ACTION__ADD,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

The error happens when I open the "New VM" page, not when I try to create the VM. I should have given more importance to it, but I was misled by the web UI, since the template was showing up in the UI. Today it is not anymore, and this is probably the problem. Maybe some undesired cache effect from the browser? Or maybe because I fixed the problem explained in bug #1209505?

Today I cannot see the templates anymore so I cannot reproduce the issue. Now I cannot try to create the VM because I cannot see any template, not even the Blank template. I'm trying to understand why since the Blank template has the permission UserTemplateBasedVm given to Everyone.

When I open the "New VM" page I can see

2015-09-23 10:05:09,580 ERROR [org.ovirt.engine.core.bll.GetVmTemplatesByStoragePoolIdQuery] (ajp-/ Query execution failed due to insufficient permissions.

in the logs. No other lines other than this one.

I found https://access.redhat.com/solutions/1150313 so I tried to add the VMCreator permission on the Blank template to everyone, but still can't access the Blank template with my test user.

For my user I created the following custom role:
 - all permissions for network, templates and vmpool are granted
 - all VM permissions are granted with the exception of administration stuff
 - all disk profile permissions are granted with the exception of live storage migration

I added my user with this permission to the new data center. I checked cluster, network and disk and I can see it. I also tested if I can create disk images for existing VMs and I can, so disk permissions should be ok.

I'm trying to figure out why the Blank template seems not to be available anymore.
Comment 6 Enrico Tagliavini 2015-09-24 04:12:26 EDT
So I'm at a loss. Even giving my user the SuperUser role on an empty template I made, on the storage domain and even on the entire data center was to no avail. From the user portal my user cannot create a VM because GetVmTemplatesByStoragePoolIdQuery fails due to insufficient permissions.

What permission is actually required to perform this query?
Comment 7 Ondra Machacek 2015-09-24 05:35:36 EDT
I can see this error message in the log as well, but I can see all the templates. So for me it doesn't have any impact on functionality. I cannot see this issue in 3.6 anymore (there is a similar bug 1241111). You still cannot see your templates, or can you?
Comment 8 Enrico Tagliavini 2015-09-24 06:17 EDT
Created attachment 1076433 [details]
screenshot of web interface not showing templates

Mhm ok.... since nothing else shows in engine.log I thought that might have been related.

No, I cannot see any templates and thus I cannot create a VM with any user from the user portal. Even adding the SuperUser role for my user on the entire data center doesn't help (I know this should affect the admin portal, but I read in the manual that admin roles do actually affect the user portal as well, vice versa is not true).

I tried many different permissions on the templates and nothing worked. ATM I have the PowerUserRole role for my user, VmCreator and UserTemplateBasedVm for Everyone set.
Comment 9 Ondra Machacek 2015-09-24 07:50:37 EDT
Ok. So can you please run the following command to see if your user can see any templates:

$ curl -k -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Filter: true" -u user_name@domain:password https://$engine_url/ovirt-engine/api/templates

If yes, can you please see if there is no frontend exception in Firefox when opening the new VM dialog (in the console of Firebug or the Firefox inspector)?
Comment 10 Enrico Tagliavini 2015-09-24 07:58:44 EDT
I can see the templates I'm expecting to see with the command you mentioned. And I can see exceptions in the Firefox web console. I tried it the first day, but maybe I missed it or there was some caching effect hiding it.

What I see in Firefox web console:

Thu Sep 24 13:55:58 GMT+200 2015 org.ovirt.engine.ui.frontend.Frontend
WARNING: Failure while invoking runQuery [Query execution failed due to insufficient permissions.] 4069F98484FEF4C070076EF705F82915.cache.html:10370:17385
Thu Sep 24 13:55:58 GMT+200 2015 com.google.gwt.logging.client.LogConfiguration
SEVERE: (TypeError) : b is null
com.google.gwt.core.client.JavaScriptException: (TypeError) : b is null
	at Unknown.G5i(Unknown Source)
	at Unknown.I5i(Unknown Source)
	at Unknown.s3i(Unknown Source)
	at Unknown.z8j(Unknown Source)
	at Unknown.D8j(Unknown Source)
	at Unknown.OZi(Unknown Source)
	at Unknown.RZi(Unknown Source)
	at Unknown.S0i(Unknown Source)
	at Unknown.V0i(Unknown Source)
	at Unknown.V_i(Unknown Source)
	at Unknown.Y_i(Unknown Source)
	at Unknown.src(Unknown Source)
	at Unknown.LLg(Unknown Source)
	at Unknown.tP(Unknown Source)
	at Unknown.NP(Unknown Source)
	at Unknown.S7c/c.onreadystatechange<(Unknown Source)
	at Unknown.up(Unknown Source)
	at Unknown.xp(Unknown Source)
	at Unknown.wp/<(Unknown Source)
	at Unknown.anonymous(Unknown Source) 4069F98484FEF4C070076EF705F82915.cache.html:10370:17385
Comment 11 Enrico Tagliavini 2015-09-29 07:42:37 EDT
FYI this happens with Firefox 40, 41 and qupzilla (webkit based) from Fedora 22, Firefox 38.3.0 from CentOS 7. Cloning of VMs is also affected. To date I'm still without a workaround.
Comment 12 Enrico Tagliavini 2015-11-10 09:55:24 EST
Still present in 3.5.5
Comment 13 Alon Bar-Lev 2015-11-10 10:15:30 EST
(In reply to Enrico Tagliavini from comment #12)
> Still present in 3.5.5
> Version: → 3.5.5

Version should be the oldest version that is affected.
Comment 14 Tomas Jelinek 2015-12-17 07:53:20 EST
I'd say the problem is that the GetVmTemplatesByStoragePoolIdQuery is not configured as a UserQuery in VdcQueryType, so regardless of the permissions of the particular user, from the user portal this query will fail on the permission check. This also seems to be the root cause of the stack shown in Comment 10.
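The two-layer check Tomas describes above, as an added model written for this page (Python, not ovirt-engine code): a query type has to be registered as callable from the user portal before any role the user holds is even consulted, so a missing registration looks to the user like a role problem. The registry contents, principal names, data center ids and the thread ids in the sample log lines are constructed; the log-line format follows the engine.log excerpts in comment 5. The second half is a small triage helper that counts which query class is being rejected, which is the line to look for before the later CanDoAction warning.

```python
"""Model of the user-portal query gate (hypothetical, not ovirt-engine code)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    is_admin: bool
    # (role, object id) assignments, e.g. ("PowerUserRole", "dc-local")
    grants: frozenset


def check_query(query_type, user_queries, principal, target, role="PowerUserRole"):
    """Return (allowed, reason).

    Layer 1 is the gate comment 14 identifies: a query type not flagged as a
    user query fails from the user portal no matter which roles the user holds.
    Layer 2 is the ordinary object-level permission check that only runs
    once the gate has been passed.
    """
    if principal.is_admin:
        return True, "admin session: user-query gate not applied"
    if query_type not in user_queries:
        # Same message the engine logged for the reporter, raised before any role is read.
        return False, f"{query_type}: Query execution failed due to insufficient permissions."
    if (role, target) not in principal.grants:
        return False, f"{query_type}: {principal.name} lacks {role} on {target}"
    return True, f"{query_type}: {principal.name} holds {role} on {target}"


# Hypothetical registry of user-callable query types (constructed names), before
# and after registering the template lookup as a user query.
USER_QUERIES_BEFORE = frozenset({"GetAllVmTemplates", "GetVmsByStoragePoolId"})
USER_QUERIES_AFTER = USER_QUERIES_BEFORE | {"GetVmTemplatesByStoragePoolId"}

# Constructed principals: a PowerUserRole holder on one data center, and an admin.
POWER_USER = Principal("testuser@example.org", False, frozenset({("PowerUserRole", "dc-local")}))
ADMIN = Principal("admin@internal", True, frozenset())


def new_vm_dialog(principal, user_queries, dc="dc-local"):
    """The template lookup the New VM dialog performs, the step that failed for the reporter."""
    return check_query("GetVmTemplatesByStoragePoolId", user_queries, principal, dc)


# Constructed engine.log lines modelled on the excerpts in comment 5.
SAMPLE_ENGINE_LOG = """\
2015-09-22 14:52:27,023 ERROR [org.ovirt.engine.core.bll.GetVmTemplatesByStoragePoolIdQuery] (ajp-/127.0.0.1:8702-3) Query execution failed due to insufficient permissions.
2015-09-22 14:52:29,415 ERROR [org.ovirt.engine.core.bll.GetVmTemplatesByStoragePoolIdQuery] (ajp-/127.0.0.1:8702-3) Query execution failed due to insufficient permissions.
2015-09-22 14:52:32,448 WARN  [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/127.0.0.1:8702-3) [2f819f2b] CanDoAction of action AddVmFromScratch failed for user testuser@example.org. Reasons: VAR__ACTION__ADD,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
"""

QUERY_DENIED = re.compile(
    r"ERROR \[org\.ovirt\.engine\.core\.bll\.(\w+)\] .*Query execution failed due to insufficient permissions\."
)


def denied_queries(log_text):
    """Count 'insufficient permissions' query rejections per query class."""
    counts = Counter()
    for line in log_text.splitlines():
        match = QUERY_DENIED.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


if __name__ == "__main__":
    for label, registry in (("before fix", USER_QUERIES_BEFORE), ("after fix", USER_QUERIES_AFTER)):
        print(label, new_vm_dialog(POWER_USER, registry))
    print(dict(denied_queries(SAMPLE_ENGINE_LOG)))
```

Running it shows the reporter's situation: with the lookup absent from the registry the PowerUserRole holder is rejected on the very data center where the role is assigned, while an admin session passes, which is why granting ever broader roles changed nothing; once the query is registered, the ordinary object-level check takes over and only a grant on the wrong data center is refused.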
Comment 15 Martin Betak 2016-01-19 10:32:16 EST
@Tomas you are right. Patch for the GetVmTemplatesByStoragePoolIdQuery posted u/s
Comment 16 Petr Kubica 2016-02-25 10:54:33 EST
Verified in rhevm-

There is a problem with adding disk to VM when VM is created by user with role PowerUserRole: "Cannot add Virtual Machine Disk. The user doesn't have permissions to attach Disk Profile to the Disk."

This issue is tracked: bug 1311052
