Red Hat Bugzilla – Bug 1265278
User with all permission cannot create VM from scratch when 2 data centers are configured
Last modified: 2016-03-11 02:22:32 EST
Description of problem:
I recently added a second data center to our manager and configured a cluster with storage type local (just a workstation for some testing). I tried to configure rights for the users to create the VMs. They cannot, manager says they are not authorized to perform this action, in engine.log I can see:
2015-09-22 16:11:45,361 WARN [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/127.0.0.1:8702-11) [488942f5] CanDoAction of action AddVmFromScratch failed for user <myuser@mydomain>. Reasons: VAR__ACTION__ADD,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
Nothing else in the logs. So I created a custom role, type set to user and selected all permissions, then assigned this role to my user for one data center. Nothing changed, same error message and log entry.
Before creating the second data center (well, third if we count the default one which is not used) the PowerUserRole role was sufficient to let users create VMs in the existing data center. Now such role is not sufficient any more. Only admin privileges let the VM creation happen.
Version-Release number of selected component (if applicable):
Running RHEVM 18.104.22.168
Steps to Reproduce:
1. Configure two data centers
2. Assign role PowerUserRole (or custom with all privileges) to a test user on one data center.
3. Log in to the user portal with the test user and try to create a VM from scratch
Actual results:
VM creation fails saying authorization is missing.
Expected results:
Since the createvm privilege was enabled in the role assigned to the user, VM creation is expected to succeed.
Are you sure, that you are trying to create that vm in datacenter where you have the permissions assigned? Just assign the permissions for both datacenters to that user.
(In reply to Ondra Machacek from comment #1)
> Are you sure, that you are trying to create that vm in datacenter where you
> have the permissions assigned? Just assign the permissions for both
> datacenters to that user.
Yes I'm sure. In fact my test user has permission on both. Before adding the second one it was working on the first one. Now it fails on both.
I cannot reproduce. Would you please send the whole log of creation of vm? Not only the 'warn'. I think you are missing some permission somewhere (on network, disk profile, storage, ..). Maybe you hit bug 1209505.
I am unable to reproduce this on current master and specified version.
I checked out bug 1209505 and I'm affected indeed. All storage domains (even the older ones) are affected by this. Maybe this happened during the migration from RHEV 3.4 to 3.5? But this happened months ago and with only one data center it was working. That said, I applied the fix for this bug.
But let's go back in time to yesterday for a second. The log actually shows something more as you suggested:
2015-09-22 14:52:27,023 ERROR [org.ovirt.engine.core.bll.GetVmTemplatesByStoragePoolIdQuery] (ajp-/127.0.0.1:8702-15) Query execution failed due to insufficient permissions.
2015-09-22 14:52:29,415 ERROR [org.ovirt.engine.core.bll.GetVmTemplatesByStoragePoolIdQuery] (ajp-/127.0.0.1:8702-15) Query execution failed due to insufficient permissions.
2015-09-22 14:52:32,448 WARN [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/127.0.0.1:8702-15) [2f819f2b] CanDoAction of action AddVmFromScratch failed for user email@example.com. Reasons: VAR__ACTION__ADD,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
The error happens when I open the "New VM" page, not when I try to create the VM. I should have given more importance to it, but I was misled by the web UI, since the template was showing up in the UI. Today it is not anymore, and this is probably the problem. Maybe some undesired cache effect from the browser? Or maybe because I fixed the problem explained in bug #1209505?
Today I cannot see the templates anymore, so I cannot reproduce the issue. Now I cannot try to create the VM because I cannot see any template, not even the Blank template. I'm trying to understand why, since the Blank template has the permission UserTemplateBasedVm given to Everyone.
When I open the "New VM" page I can see
2015-09-23 10:05:09,580 ERROR [org.ovirt.engine.core.bll.GetVmTemplatesByStoragePoolIdQuery] (ajp-/127.0.0.1:8702-7) Query execution failed due to insufficient permissions.
in the logs. No other lines other than this one.
I found https://access.redhat.com/solutions/1150313 so I tried to add the VMCreator permission on the Blank template to Everyone, but still can't access the Blank template with my test user.
For my user I created the following custom role:
- all permissions for network, templates and vmpool are granted
- all VM permissions are granted with the exception of administration stuff
- all disk profile permissions are granted with the exception of live storage migration
I added my user with this permission to the new data center. I checked cluster, network and disk and I can see it. I also tested if I can create disk images for existing vms and I can, so disk permissions should be ok.
I'm trying to figure out why the Blank template seems not to be available anymore.
So I'm at a loss. Even giving my user the SuperUser role on an empty template I made, on the storage domain and even on the entire data center was to no avail. From the user portal my user cannot create a VM because GetVmTemplatesByStoragePoolIdQuery fails due to insufficient permissions.
What permission is actually required to perform this query?
I can see this error message in the log as well, but I can see all the templates. So for me it doesn't have any impact on functionality. I cannot see this issue in 3.6 anymore (there is similar bug 1241111). You still cannot see your templates, or can you?
Created attachment 1076433 [details]
screenshot of web interface not showing templates
Mhm ok.... since nothing else shows in engine.log I thought that might have been related.
No, I cannot see any templates and thus I cannot create a VM with any user from the user portal. Even adding the SuperUser role for my user on the entire data center doesn't help (I know this should affect the admin portal, but I read in the manual that admin roles do actually affect the user portal as well, vice versa is not true).
I tried many different permissions on the templates and nothing worked. ATM I have the PowerUserRole role for my user, VmCreator and UserTemplateBasedVm for Everyone set.
Ok. So can you please run the following command to see if your user can see any templates:
$ curl -k -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Filter: true" -u user_name@domain:password https://$engine_url/ovirt-engine/api/templates
If yes, can you please see if there is no frontend exception in Firefox when opening the New VM dialog (in the Firebug console or Firefox inspector)?
I can see the templates I'm expecting to see with the command you mentioned. And I can see exceptions in the firefox web console. I tried it the first day, but maybe I missed it or there was some caching effect hiding it.
What I see in Firefox web console:
Thu Sep 24 13:55:58 GMT+200 2015 org.ovirt.engine.ui.frontend.Frontend
WARNING: Failure while invoking runQuery [Query execution failed due to insufficient permissions.] 4069F98484FEF4C070076EF705F82915.cache.html:10370:17385
Thu Sep 24 13:55:58 GMT+200 2015 com.google.gwt.logging.client.LogConfiguration
SEVERE: (TypeError) : b is null
at Unknown.G5i(Unknown Source)
at Unknown.I5i(Unknown Source)
at Unknown.s3i(Unknown Source)
at Unknown.z8j(Unknown Source)
at Unknown.D8j(Unknown Source)
at Unknown.OZi(Unknown Source)
at Unknown.RZi(Unknown Source)
at Unknown.S0i(Unknown Source)
at Unknown.V0i(Unknown Source)
at Unknown.V_i(Unknown Source)
at Unknown.Y_i(Unknown Source)
at Unknown.src(Unknown Source)
at Unknown.LLg(Unknown Source)
at Unknown.tP(Unknown Source)
at Unknown.NP(Unknown Source)
at Unknown.S7c/c.onreadystatechange<(Unknown Source)
at Unknown.up(Unknown Source)
at Unknown.xp(Unknown Source)
at Unknown.wp/<(Unknown Source)
at Unknown.anonymous(Unknown Source) 4069F98484FEF4C070076EF705F82915.cache.html:10370:17385
FYI this happens with Firefox 40, 41 and qupzilla (webkit based) from Fedora 22, Firefox 38.3.0 from CentOS 7. Cloning of VMs is also affected. To date I'm still without a workaround.
Still present in 3.5.5
(In reply to Enrico Tagliavini from comment #12)
> Still present in 3.5.5
> Version: 22.214.171.124 → 3.5.5
Version should be the oldest version that is affected.
I'd say the problem is that the GetVmTemplatesByStoragePoolIdQuery is not configured as a UserQuery in VdcQueryType, so regardless of the permissions of the particular user, from the user portal this query will fail on the permission check. This also seems to be the root cause of the stack shown in Comment 10.
@Tomas you are right. Patch for the GetVmTemplatesByStoragePoolIdQuery posted u/s
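As an added example (not from this bug report or the oVirt project), a small POSIX shell triage over constructed engine.log lines in the format quoted above: it lists which query classes failed their permission check and which users hit the CanDoAction authorization failure, so the denied query (here GetVmTemplatesByStoragePoolIdQuery) can be matched with the user-facing denial. The sample log lines and the user name in them are constructed.

```shell
#!/bin/sh
# Constructed sample of engine.log lines in the format quoted in this bug
# (not copied from any real deployment).
SAMPLE_LOG=$(cat <<'EOF'
2015-09-22 14:52:27,023 ERROR [org.ovirt.engine.core.bll.GetVmTemplatesByStoragePoolIdQuery] (ajp-/127.0.0.1:8702-15) Query execution failed due to insufficient permissions.
2015-09-22 14:52:29,415 ERROR [org.ovirt.engine.core.bll.GetVmTemplatesByStoragePoolIdQuery] (ajp-/127.0.0.1:8702-15) Query execution failed due to insufficient permissions.
2015-09-22 14:52:32,448 WARN [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/127.0.0.1:8702-15) [2f819f2b] CanDoAction of action AddVmFromScratch failed for user testuser@example.internal. Reasons: VAR__ACTION__ADD,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2015-09-22 14:53:01,000 INFO [org.ovirt.engine.core.bll.RunVmCommand] (ajp-/127.0.0.1:8702-16) [1a2b3c4d] Running command: RunVmCommand internal: false.
EOF
)

# Print "<count> <query class>" for every engine query class whose
# execution was rejected by the permission check, most frequent first.
failed_queries() {
  printf '%s\n' "$1" \
    | grep -F 'Query execution failed due to insufficient permissions' \
    | sed -n 's/.*\[\(org\.ovirt\.engine\.core\.bll\.[A-Za-z0-9_.]*\)\].*/\1/p' \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Print each distinct user named in a CanDoAction authorization failure
# (angle brackets around the user name, as in some log variants, are dropped).
denied_users() {
  printf '%s\n' "$1" \
    | grep -F 'USER_NOT_AUTHORIZED_TO_PERFORM_ACTION' \
    | sed -n 's/.*failed for user \(.*\)\. Reasons:.*/\1/p' \
    | tr -d '<>' | sort -u
}

echo "Queries rejected by the permission check:"
failed_queries "$SAMPLE_LOG"
echo "Users denied by CanDoAction:"
denied_users "$SAMPLE_LOG"
```

Run it against a real engine.log with `failed_queries "$(cat /var/log/ovirt-engine/engine.log)"` to see whether a query class keeps failing for a user whose role assignments look complete, which is the signature Tomas describes.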
Verified in rhevm-126.96.36.199-0.1.el6.noarch
There is a problem with adding disk to VM when VM is created by user with role PowerUserRole: "Cannot add Virtual Machine Disk. The user doesn't have permissions to attach Disk Profile to the Disk."
This issue is tracked: bug 1311052