Bug 1284472 - User can't create a VM. No permission for EDIT_ADMIN_VM_PROPERTIES
Summary: User can't create a VM. No permission for EDIT_ADMIN_VM_PROPERTIES
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Frontend.UserPortal
Version: 3.6.0.3
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ovirt-4.0.4
: 4.0.4
Assignee: Jenny Tokar
QA Contact: Aleksei Slaikovskii
URL:
Whiteboard:
Depends On:
Blocks: 1350223
 
Reported: 2015-11-23 12:29 UTC by maksim.naumov
Modified: 2016-09-26 12:40 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Admin permissions were required in order to create a VM from a template that includes custom properties or dedicated hosts.
Consequence: Users with no Admin permissions were not able to create VMs from a template that includes custom properties or dedicated hosts.
Fix: If the VM is not set with different custom properties or dedicated hosts than those in the template, no Admin permissions are required.
Result: Users with no Admin permissions are able to create VMs from a template that includes custom properties or dedicated hosts.
Clone Of:
: 1350223 (view as bug list)
Environment:
Last Closed: 2016-09-26 12:40:31 UTC
oVirt Team: SLA
Embargoed:
rule-engine: ovirt-4.0.z+
ykaul: exception+
rule-engine: planning_ack+
rule-engine: devel_ack+
pstehlik: testing_ack+




Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 51105 0 master MERGED core: compare dedicated hosts against template on add vm 2020-04-26 10:04:13 UTC
oVirt gerrit 51121 0 master MERGED core: compare custom properties against template on add vm 2020-04-26 10:04:14 UTC
oVirt gerrit 51136 0 ovirt-engine-3.6 MERGED core: compare dedicated hosts against template on add vm 2020-04-26 10:04:14 UTC
oVirt gerrit 51137 0 ovirt-engine-3.6 MERGED core: compare custom properties against template on add vm 2020-04-26 10:04:14 UTC
oVirt gerrit 55911 0 master MERGED userportal: use the default host that was set in template in a vm 2020-04-26 10:04:14 UTC
oVirt gerrit 55934 0 ovirt-engine-3.6 MERGED userportal: use the default host that was set in template in a vm 2020-04-26 10:04:14 UTC
oVirt gerrit 55956 0 master MERGED userportal: use the default host that was set in vm in template 2020-04-26 10:04:15 UTC
oVirt gerrit 56250 0 ovirt-engine-3.6 MERGED userportal: use the default host that was set in vm in template 2020-04-26 10:04:15 UTC
oVirt gerrit 59434 0 master MERGED core: Allow user to create a vm from blank template on local storage 2020-04-26 10:04:15 UTC
oVirt gerrit 59709 0 ovirt-engine-3.6 MERGED core: Allow user to create a vm from blank template on local storage 2020-04-26 10:04:16 UTC
oVirt gerrit 59786 0 ovirt-engine-4.0 MERGED core: Allow user to create a vm from blank template on local storage 2020-04-26 10:04:15 UTC
oVirt gerrit 61934 0 master MERGED webadmin: userportal: Fix first vm creation in session 2020-04-26 10:04:16 UTC
oVirt gerrit 62033 0 ovirt-engine-4.0 MERGED webadmin: userportal: Fix first vm creation in session 2020-04-26 10:04:16 UTC

Comment 1 Red Hat Bugzilla Rules Engine 2015-12-29 13:18:39 UTC
Fixed bug tickets must have version flags set prior to fixing them. Please set the correct version flags and move the bugs back to the previous status after this is corrected.

Comment 2 Arik 2015-12-29 14:25:35 UTC
Our automation tests should have caught this one.
@Ilanit - can you please check if we have the following tests, and if not then consider adding them:
1. Add VM as a user who is not admin and doesn't have edit-admin (EDIT_ADMIN_VM_PROPERTIES) permissions from a template that is configured with dedicated hosts.
2. Add VM as a user who is not admin and doesn't have change vm-custom-properties (CHANGE_VM_CUSTOM_PROPERTIES) permissions from a template that is configured with VM custom properties

Comment 3 Ilanit Stein 2016-01-05 15:07:05 UTC
Ondra,

Would you please address Arik's question in comment 2?

Comment 4 Ondra Machacek 2016-01-05 20:49:53 UTC
We do not test those specific cases. I added them. (Just a note - non-admin user can't have EDIT_ADMIN_VM_PROPERTIES nor CHANGE_VM_CUSTOM_PROPERTIES, it would have to become admin user.)

Comment 5 Arik 2016-01-06 07:42:34 UTC
(In reply to Ondra Machacek from comment #4)
> We do not test those specific cases. I added them. (Just a note - non-admin
> user can't have EDIT_ADMIN_VM_PROPERTIES nor CHANGE_VM_CUSTOM_PROPERTIES, it
> would have to become admin user.)

That's true. The thing is that if none of the fields that require these permissions was changed, the user doesn't need to have these permissions in order to create a VM from the template (even if these settings are defined in the template, i.e there are custom properties or specific-host that is defined for the VM and so on). The best test IMO is to create a template that contains all the properties that can be set on a template and then to try to create a VM from that template (without any change of the template settings) as a user - it should not fail on permissions (assuming that the user has permission on the template).

Comment 6 Ondra Machacek 2016-02-22 14:39:41 UTC
When I select 'Run on specific host' within the template, I still can't create a VM from that template.
rhevm-3.6.3.2-0.1.el6.noarch

Comment 7 Red Hat Bugzilla Rules Engine 2016-02-22 14:39:46 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 8 Michal Skrivanek 2016-02-23 07:00:52 UTC
(In reply to Ondra Machacek from comment #6)
> When I select 'Run on specific host' within the template, I still can't
> create a VM from that template.
> rhevm-3.6.3.2-0.1.el6.noarch

logs?

Comment 9 Ondra Machacek 2016-02-23 09:06:47 UTC
2016-02-23 11:05:50,385 DEBUG [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-7) [9baf8e3] Checking whether user 'aada7776-5792-443c-a6d3-492f6bbedda5' or one of the groups he is member of, have the following permissions:  ID: d116ae7a-5f79-469a-910c-996789f4bd0a Type: VdsGroupsAction group CREATE_VM with role type USER,  ID: 49ba2126-71be-4704-921f-9f2bf60747c2 Type: VmTemplateAction group CREATE_VM with role type USER,  ID: 6f7e89fd-8ee7-43d5-808e-0b9f4bb5f339 Type: StorageAction group CREATE_DISK with role type USER,  ID: d116ae7a-5f79-469a-910c-996789f4bd0a Type: VdsGroupsAction group EDIT_ADMIN_VM_PROPERTIES with role type ADMIN
2016-02-23 11:05:50,389 DEBUG [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-7) [9baf8e3] Found permission '8a6762a3-531f-4b6a-b72d-fe0ce301b9eb' for user when running 'AddVm', on 'Cluster' with id 'd116ae7a-5f79-469a-910c-996789f4bd0a'
2016-02-23 11:05:50,391 DEBUG [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-7) [9baf8e3] Found permission '8a6762a3-531f-4b6a-b72d-fe0ce301b9eb' for user when running 'AddVm', on 'Template' with id '49ba2126-71be-4704-921f-9f2bf60747c2'
2016-02-23 11:05:50,393 DEBUG [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-7) [9baf8e3] Found permission '8a6762a3-531f-4b6a-b72d-fe0ce301b9eb' for user when running 'AddVm', on 'Storage' with id '6f7e89fd-8ee7-43d5-808e-0b9f4bb5f339'
2016-02-23 11:05:50,395 DEBUG [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-7) [9baf8e3] No permission found for user when running action 'AddVm', on object 'Cluster' for action group 'EDIT_ADMIN_VM_PROPERTIES' with id 'd116ae7a-5f79-469a-910c-996789f4bd0a'.
2016-02-23 11:05:50,395 WARN  [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-7) [9baf8e3] CanDoAction of action 'AddVm' failed for user user1@internal. Reasons: VAR__ACTION__ADD,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

Comment 10 Arik 2016-02-23 11:26:09 UTC
from virt point-of-view, everything is correct -
the template is set with list of hosts the VM should work on
the VM to add is set with empty list of hosts the VM should work on
that's why there is a difference and since the user doesn't have the permission to do such a change, we block it.
now the UI should be fixed so the list of hosts in the VM will be set to that list from the template.

Comment 11 Roy Golan 2016-02-24 15:27:02 UTC
A user can't create a VM on cluster. How is that related to the host list?

Comment 12 Arik 2016-02-24 16:03:00 UTC
(In reply to Roy Golan from comment #11)
In AddVmCommand we require EDIT_ADMIN_VM_PROPERTIES if the list of hosts for the VM is different than the list of hosts in the template the VM is based on.
Let's say that you have a template with a dedicated host.
When you try to add a VM from that template as a user from the user-portal, the backend receives a VM with no dedicated hosts so from the engine's point of view - the user modified the dedicated hosts for this particular VM and therefore requires EDIT_ADMIN_VM_PROPERTIES and since the user doesn't have these permissions, the add-vm fails.
The problem is that the user didn't clear the dedicated hosts. In the user portal this tab is not even shown. So IMO, the solution should be to pass the dedicated hosts that are set in the template - otherwise the engine must assume that the user changed it.

Comment 13 Arik 2016-02-24 16:37:25 UTC
(In reply to Arik from comment #12)
Roy, there's no host tab in the new-VM dialog in the user portal. So users can't change the dedicated hosts.

Comment 14 maksim.naumov 2016-02-25 10:00:23 UTC
Hello guys. May I ask you to edit description and remove the email address from it. Sorry it was my fault to post it ;)

Comment 15 Yaniv Lavi 2016-02-25 12:56:07 UTC
(In reply to maksim.naumov from comment #14)
> Hello guys. May I ask you to edit description and remove the email address
> from it. Sorry it was my fault to post it ;)

We can't edit the description, we can make it private, would you like us to do that?

Comment 16 maksim.naumov 2016-02-25 15:21:37 UTC
Yes, please.

Comment 17 Roy Golan 2016-02-29 13:22:48 UTC
Summing up:
In user portal, add a VM, on save, we don't send the list of hosts. If we created that vm from a template and the list of hosts was non empty, then the backend failed the request. The validation is requesting for permissions to change that value.


The host list isn't really visible in user portal. So a user can't possibly change that. And we just don't copy over the template host list.

The impact is solely on user portal users for trying to create a vm from template with non-empty host lists.

Fix should be easy, to populate the list of hosts from the template while adding vm.
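
The check summed up above, as an added example that is not ovirt-engine code: a simplified Python model of "admin permission is needed only when an admin-only field differs from the template", run against the user portal's request before and after it copies the template's values. The class, field and function names and the sample host are hypothetical; only the action-group names come from the logs in this bug.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Template:
    dedicated_hosts: frozenset = frozenset()
    custom_properties: str = ""

@dataclass
class AddVmRequest:
    name: str
    dedicated_hosts: frozenset = frozenset()
    custom_properties: str = ""

def required_action_groups(req, template):
    """Action groups the caller must hold for this add-VM request."""
    needed = {"CREATE_VM", "CREATE_DISK"}
    # Admin-only fields cost an admin permission only when they differ
    # from what the template already defines.
    if req.dedicated_hosts != template.dedicated_hosts:
        needed.add("EDIT_ADMIN_VM_PROPERTIES")
    if req.custom_properties != template.custom_properties:
        needed.add("CHANGE_VM_CUSTOM_PROPERTIES")
    return needed

def authorize(user_groups, req, template):
    """Return the sorted missing action groups; an empty list means allowed."""
    return sorted(required_action_groups(req, template) - set(user_groups))

def portal_request_before_fix(name, template):
    # The dialog has no host tab, so the field is left at its empty default.
    # The server cannot tell "not shown to the user" from "cleared by the user".
    return AddVmRequest(name=name)

def portal_request_after_fix(name, template):
    # Carry over the template's values for the fields the user cannot see.
    return AddVmRequest(name=name,
                        dedicated_hosts=template.dedicated_hosts,
                        custom_properties=template.custom_properties)

# Constructed sample data: a non-admin user and a template pinned to one host.
POWER_USER = {"CREATE_VM", "CREATE_DISK"}
PINNED = Template(dedicated_hosts=frozenset({"host-1"}))

if __name__ == "__main__":
    print(authorize(POWER_USER, portal_request_before_fix("vm1", PINNED), PINNED))
    print(authorize(POWER_USER, portal_request_after_fix("vm1", PINNED), PINNED))
    # A real change to the host list is still refused after the fix.
    print(authorize(POWER_USER, AddVmRequest("vm1", frozenset({"host-2"})), PINNED))
```

The third case is the one to keep in a regression suite: copying the template's values on the client must not stop the server from refusing a genuine change to an admin-only field.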

Comment 18 Michal Skrivanek 2016-03-14 07:57:11 UTC
(In reply to maksim.naumov from comment #16)
repeating the original bug description without private data:

Description of problem:

User can't create any VM using User Portal. It is not possible using a basic template and/or self-created template. 

While creating the VM user is not able to assign this VM to the specific host or change CPU pinning (there is no such functionality in the user interface). Self-created template has no information/settings about CPU pinning or host assignment.

Version-Release number of selected component (if applicable):
Version     : 3.6.0.3
Release     : 1.el7.centos

How reproducible:
100%

Steps to Reproduce:
1. Log in to the User Portal with non-admin user (user has to have PowerUserRole)
2. Click create new VM
3. Enter any name, choose a basic template, do not change anything else.
4. Click OK
5. See "User is not authorized to perform this action"

Actual results:
User is not able to create new VM.

Expected results:
User is able to create new VM.

Comment 19 Gonza 2016-05-10 09:31:40 UTC
Verified with:
rhevm-3.6.6.2-0.1.el6.noarch

2016-05-08 13:05:21,112 INFO  [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-1) [36096227] Running command: AddVmCommand internal: false. Entities affected :  ID: 00000002-0002-0002-0002-000000000014 Type: VdsGroupsAction group CREATE_VM with role type USER,  ID: 9198e38f-cac3-4a71-b22e-38dd266e1e02 Type: VmTemplateAction group CREATE_VM with role type USER,  ID: 7641f2a1-0baa-43b2-a2d6-02f69d74c8b9 Type: StorageAction group CREATE_DISK with role type USER

...

2016-05-08 13:05:22,855 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-1) [6d6e94bb] Correlation ID: 36096227, Job ID: b1e74911-34f8-4214-9cd6-3c870c0fdd43, Call Stack: null, Custom Event ID: -1, Message: VM 123 creation was initiated by user1.xxx.xxx.xxx.xxxxxx.com@ad.

...

2016-05-08 13:05:29,971 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-13) [] Correlation ID: 36096227, Job ID: b1e74911-34f8-4214-9cd6-3c870c0fdd43, Call Stack: null, Custom Event ID: -1, Message: VM 123 creation has been completed.

Comment 20 Michal Skrivanek 2016-06-08 14:21:26 UTC
This seems to still reproduce in 3.6.6 on Edit VM action. Was it tested?

Comment 21 Michal Skrivanek 2016-06-10 15:23:04 UTC
reopening since it indeed doesn't work in rhevm-3.6.6.2-0.1, at least in a case of local storage when there is only one host available so on VM creating there gets the "list of hosts" automatically different from the template.
For the first time when the VM is created from e.g. a blank template the user (with UserVmManager) cannot update the VM and it is failing the same way as described above. Once someone with admin permissions opens and saves the VM (hence sets the specific host) then things start to work from that time on for the user

Comment 22 Red Hat Bugzilla Rules Engine 2016-06-10 15:23:12 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 26 Doron Fediuck 2016-06-14 06:36:15 UTC
A temporary workaround is to get an Admin assistance and to open and save the VM.
Once done by Admin, the original user can edit the VM.
Targeting to 3.6.8.

Comment 27 Jenny Tokar 2016-06-14 09:00:33 UTC
(In reply to Michal Skrivanek from comment #21)
> reopening since it indeed doesn't work in rhevm-3.6.6.2-0.1, at least in a
> case of local storage when there is only one host available so on VM
> creating there gets the "list of hosts" automatically different from the
> template.
> For the first time when the VM is created from e.g. a blank template the
> user (with UserVmManager) cannot update the VM and it is failing the same
> way as described above. Once someone with admin permissions opens and saves
> the VM (hence sets the specific host) then things start to work from that
> time on for the user

Can you please describe the exact scenario? I'm trying to reproduce this. 
From what I understand user can't edit vm that is pinned to a specific host after creation from template, but that seems to work (3.6.7 and master).

Comment 28 Michal Skrivanek 2016-06-14 10:34:23 UTC
As a PowerUser create a VM from Blank template in a ppc64le datacenter from Blank template. VM can be created but followup edits are not possible, until an admin updates the VM (presumably setting the admin property of dedicated hosts). 
I reopened it on 3.6.6 as unfortunately I only have a 3.6.6 system, I don't know whether it works in 3.6.7 or not.

Comment 29 Michal Skrivanek 2016-06-14 10:35:23 UTC
(In reply to Doron Fediuck from comment #26)
> A temporary workaround is to get an Admin assistance and to open and save
> the VM.
> Once done by Admin, the original user can edit the VM.
> Targeting to 3.6.8.

Which effectively invalidates self provisioning by users. Adding Moran as FYI

Comment 30 Michal Skrivanek 2016-06-16 19:03:38 UTC
I would appreciate feedback from QE as my testing was very specific and there is a risk of wider impact. Pavel, can you please check?

Comment 32 Gonza 2016-06-20 11:14:27 UTC
Just verified on 3.6.6 with PPC and local storage.
PowerUser was not able to create VM from blank template.
Created a new template with selected host and PowerUser was able to create VM from that template.

Comment 33 Gonza 2016-07-27 10:03:23 UTC
Tried with:
rhevm-4.0.2-0.1.rc.el7ev.noarch
PPC and local storage

User with PowerUserRole is able to create VM but still not able to edit it.

2016-07-27 09:54:33,240 INFO  [org.ovirt.engine.core.bll.UpdateVmCommand] (default task-13) [3a4c1f38] No permission found for user '59bb3ad9-9bfa-42de-87fc-01bc6a2263e5' or one of the groups he is member of, when running action 'UpdateVm', Required permissions are: Action type: 'ADMIN' Action group: 'EDIT_ADMIN_VM_PROPERTIES' Object type: 'VM'  Object ID: '529965cb-3fe0-4d6e-aabb-242f08df415d'.
2016-07-27 09:54:33,253 WARN  [org.ovirt.engine.core.bll.UpdateVmCommand] (default task-13) [3a4c1f38] Validation of action 'UpdateVm' failed for user my_user@internal-authz. Reasons: VAR__ACTION__UPDATE,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
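
For triage of denials like the ones in comments 9 and 33, an added example (not part of the bug report or of oVirt) that pulls the refused action group out of engine.log in both the 3.6 and the 4.0 message formats and joins it to the user name by correlation ID. The regular expressions are written against the lines quoted in this bug only, and the keys of the returned dictionaries are my own naming.

```python
import re

# Lines copied from comments 9 and 33 of this bug.
SAMPLE = """\
2016-02-23 11:05:50,395 DEBUG [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-7) [9baf8e3] No permission found for user when running action 'AddVm', on object 'Cluster' for action group 'EDIT_ADMIN_VM_PROPERTIES' with id 'd116ae7a-5f79-469a-910c-996789f4bd0a'.
2016-02-23 11:05:50,395 WARN  [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-7) [9baf8e3] CanDoAction of action 'AddVm' failed for user user1@internal. Reasons: VAR__ACTION__ADD,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-07-27 09:54:33,240 INFO  [org.ovirt.engine.core.bll.UpdateVmCommand] (default task-13) [3a4c1f38] No permission found for user '59bb3ad9-9bfa-42de-87fc-01bc6a2263e5' or one of the groups he is member of, when running action 'UpdateVm', Required permissions are: Action type: 'ADMIN' Action group: 'EDIT_ADMIN_VM_PROPERTIES' Object type: 'VM'  Object ID: '529965cb-3fe0-4d6e-aabb-242f08df415d'.
2016-07-27 09:54:33,253 WARN  [org.ovirt.engine.core.bll.UpdateVmCommand] (default task-13) [3a4c1f38] Validation of action 'UpdateVm' failed for user my_user@internal-authz. Reasons: VAR__ACTION__UPDATE,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
"""

# timestamp, level, [logger], (thread), [correlation id], message
HEAD = re.compile(r"^(\S+ \S+) (\w+)\s+\[[\w.]+\] \(.*?\) \[(\w*)\] (.*)$")
# 3.6 wording (comment 9)
DENY_OLD = re.compile(r"No permission found for user when running action '(\w+)', "
                      r"on object '(\w+)' for action group '(\w+)' with id '([0-9a-f-]+)'")
# 4.0 wording (comment 33)
DENY_NEW = re.compile(r"when running action '(\w+)', Required permissions are: "
                      r"Action type: '(\w+)' Action group: '(\w+)' "
                      r"Object type: '(\w+)'\s+Object ID: '([0-9a-f-]+)'")
FAIL = re.compile(r"(?:CanDoAction|Validation) of action '(\w+)' failed for user (\S+?)\. Reasons:")

def denials(log_text):
    """Return one record per refused permission, tagged with the failing user."""
    missing, users = {}, {}
    for line in log_text.splitlines():
        head = HEAD.match(line)
        if not head:
            continue
        corr, msg = head.group(3), head.group(4)
        if m := DENY_OLD.search(msg):
            action, obj_type, group, obj_id = m.groups()
        elif m := DENY_NEW.search(msg):
            action, _role_type, group, obj_type, obj_id = m.groups()
        elif m := FAIL.search(msg):
            users[corr] = m.group(2)      # the user name is only on the WARN line
            continue
        else:
            continue
        missing.setdefault(corr, []).append(
            {"action": action, "group": group, "object": obj_type, "id": obj_id})
    return [dict(rec, user=users.get(corr, "?"), correlation=corr)
            for corr, recs in missing.items() for rec in recs]

if __name__ == "__main__":
    for rec in denials(SAMPLE):
        print(rec)
```

A user-level action such as AddVm or UpdateVm refused for an ADMIN action group is the signature discussed in this bug; note that the 3.6 "No permission found" line is logged at DEBUG, so it is only present when debug logging is enabled.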

Comment 34 Red Hat Bugzilla Rules Engine 2016-07-27 10:03:31 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 35 Jenny Tokar 2016-08-04 12:31:40 UTC
To clarify: this bug is not related to PPC, only to local storage.
The bug is reproducible only for the first vm creation on local storage for the session. After that the vms can be created and edited successfully. 

The first time the vm is created on local storage it is created without a pinned host (even though it should be pinned to the only available host). After that when a user tries to edit it he fails, since the ui sends a dedicated host for the vm but in the db it was saved with none. So it appears like the user is editing the dedicated host. 
This stems from a piece of async code that queries the db the first time it is executed (when the add vm dialog is first opened).  
The next time when the add vm dialog is opened the code doesn't need to query the db (the info is cached), so it is executed in the correct order and the vm is saved with the correct dedicated host and the user is able to edit it. 

The decision whether or not the vm is pinned to a specific host depends on two things: 
1. the vm is created from a template that is pinned to host.
2. the vm is created on local storage (in that case there is only one host, and the vm is pinned to it).

To ensure the correct behavior the code first sets the pinning behavior according to the template and then according to the local storage. 
However, since the code is async and the first vm creation queries the db for information, the code that queries the template hosts is executed after the code that queries the local storage which causes the values to be overridden and the vm to be saved without the pinned host. 

The same thing happens in admin portal as well. The first vm created on local storage was not saved with a dedicated host. 

The fix is to move the querying of the local storage to the same block of code that is called after the db query is completed thus ensuring the correct execution order in all times.
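
The ordering problem described in comment 35, reproduced as an added example that is not the oVirt frontend code: Python's asyncio stands in for the UI's asynchronous callbacks, a short sleep stands in for the first database query, and all names and the sample host are hypothetical. It shows the first dialog of a session saving no pinned host, the second saving the right one, and the reordered version being correct both times.

```python
import asyncio

LOCAL_HOST = "host-1"   # constructed: the single host of a local-storage data center

class Session:
    """Per-login UI state; the template lookup is cached after its first use."""
    def __init__(self):
        self.template_cache = None

async def template_hosts(session):
    if session.template_cache is None:
        await asyncio.sleep(0.01)        # stands in for the first DB round trip
        session.template_cache = []      # Blank template: no dedicated hosts
    return list(session.template_cache)

async def apply_template(session, model):
    model["dedicated_hosts"] = await template_hosts(session)

async def apply_local_storage(model):
    model["dedicated_hosts"] = [LOCAL_HOST]   # local storage: pin to the only host

async def open_dialog_racy(session):
    model = {"dedicated_hosts": []}
    # Both steps are started independently; whichever finishes last wins.
    await asyncio.gather(apply_template(session, model),
                         apply_local_storage(model))
    return model["dedicated_hosts"]           # what gets saved with the VM

async def open_dialog_fixed(session):
    model = {"dedicated_hosts": []}
    await apply_template(session, model)      # wait for the lookup to finish,
    await apply_local_storage(model)          # then apply the local-storage pin
    return model["dedicated_hosts"]

def simulate(open_fn):
    """Open the dialog twice in one session; return what each save stored."""
    async def scenario():
        session = Session()
        return await open_fn(session), await open_fn(session)
    return asyncio.run(scenario())

def edit_looks_like_admin_change(saved_hosts, hosts_sent_by_ui):
    # The backend compares the stored value with the submitted one; a mismatch
    # is treated as an edit of an admin-only property.
    return saved_hosts != hosts_sent_by_ui

if __name__ == "__main__":
    first, second = simulate(open_dialog_racy)
    print("racy :", first, second)
    print("fixed:", *simulate(open_dialog_fixed))
    print("first VM edit needs admin:", edit_looks_like_admin_change(first, [LOCAL_HOST]))
```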

Comment 36 Aleksei Slaikovskii 2016-09-13 09:00:43 UTC
3.6.8.1-0.1.el6 - could create/edit VMs as user (PowerUser role).

4.0.4.1-0.1.el7ev also works.

