Fixed bug tickets must have version flags set prior to fixing them. Please set the correct version flags and move the bugs back to the previous status after this is corrected.
Our automation tests should have caught this one.
@Ilanit - can you please check if we have the following tests, and if not, consider adding them:
1. Add VM as a user who is not admin and doesn't have edit-admin (EDIT_ADMIN_VM_PROPERTIES) permissions from a template that is configured with dedicated hosts.
2. Add VM as a user who is not admin and doesn't have change vm-custom-properties (CHANGE_VM_CUSTOM_PROPERTIES) permissions from a template that is configured with VM custom properties.
Ondra, Would you please address Arik's question in comment 2?
We do not test those specific cases. I added them. (Just a note - non-admin user can't have EDIT_ADMIN_VM_PROPERTIES nor CHANGE_VM_CUSTOM_PROPERTIES, it would have to become admin user.)
(In reply to Ondra Machacek from comment #4)
> We do not test those specific cases. I added them. (Just a note - non-admin
> user can't have EDIT_ADMIN_VM_PROPERTIES nor CHANGE_VM_CUSTOM_PROPERTIES, it
> would have to become admin user.)
That's true. The thing is that if none of the fields that require these permissions was changed, the user doesn't need to have these permissions in order to create a VM from the template (even if these settings are defined in the template, i.e. there are custom properties or specific-host that is defined for the VM and so on).
The best test IMO is to create a template that contains all the properties that can be set on a template and then to try to create a VM from that template (without any change of the template settings) as a user - it should not fail on permissions (assuming that the user has permission on the template).
When I select 'Run on specific host' within template, then I still can't create vm from that template.
rhevm-3.6.3.2-0.1.el6.noarch
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.
(In reply to Ondra Machacek from comment #6)
> When I select 'Run on specific host' within template, then I still can't
> create vm from that template.
> rhevm-3.6.3.2-0.1.el6.noarch
logs?
2016-02-23 11:05:50,385 DEBUG [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-7) [9baf8e3] Checking whether user 'aada7776-5792-443c-a6d3-492f6bbedda5' or one of the groups he is member of, have the following permissions: ID: d116ae7a-5f79-469a-910c-996789f4bd0a Type: VdsGroupsAction group CREATE_VM with role type USER, ID: 49ba2126-71be-4704-921f-9f2bf60747c2 Type: VmTemplateAction group CREATE_VM with role type USER, ID: 6f7e89fd-8ee7-43d5-808e-0b9f4bb5f339 Type: StorageAction group CREATE_DISK with role type USER, ID: d116ae7a-5f79-469a-910c-996789f4bd0a Type: VdsGroupsAction group EDIT_ADMIN_VM_PROPERTIES with role type ADMIN
2016-02-23 11:05:50,389 DEBUG [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-7) [9baf8e3] Found permission '8a6762a3-531f-4b6a-b72d-fe0ce301b9eb' for user when running 'AddVm', on 'Cluster' with id 'd116ae7a-5f79-469a-910c-996789f4bd0a'
2016-02-23 11:05:50,391 DEBUG [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-7) [9baf8e3] Found permission '8a6762a3-531f-4b6a-b72d-fe0ce301b9eb' for user when running 'AddVm', on 'Template' with id '49ba2126-71be-4704-921f-9f2bf60747c2'
2016-02-23 11:05:50,393 DEBUG [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-7) [9baf8e3] Found permission '8a6762a3-531f-4b6a-b72d-fe0ce301b9eb' for user when running 'AddVm', on 'Storage' with id '6f7e89fd-8ee7-43d5-808e-0b9f4bb5f339'
2016-02-23 11:05:50,395 DEBUG [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-7) [9baf8e3] No permission found for user when running action 'AddVm', on object 'Cluster' for action group 'EDIT_ADMIN_VM_PROPERTIES' with id 'd116ae7a-5f79-469a-910c-996789f4bd0a'.
2016-02-23 11:05:50,395 WARN [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-7) [9baf8e3] CanDoAction of action 'AddVm' failed for user user1@internal. Reasons: VAR__ACTION__ADD,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
From virt point-of-view, everything is correct -
the template is set with list of hosts the VM should work on
the VM to add is set with empty list of hosts the VM should work on
that's why there is a difference, and since the user doesn't have the permission to do such a change, we block it.
Now the UI should be fixed so the list of hosts in the VM will be set to that list from the template.
A user can't create a VM on cluster. How is that related to the host list?
(In reply to Roy Golan from comment #11)
In AddVmCommand we require EDIT_ADMIN_VM_PROPERTIES if the list of hosts for the VM is different than the list of hosts in the template the VM is based on.
Let's say that you have a template with a dedicated host. When you try to add a VM from that template as a user from the user-portal, the backend receives a VM with no dedicated hosts, so from the engine's point of view the user modified the dedicated hosts for this particular VM and therefore requires EDIT_ADMIN_VM_PROPERTIES, and since the user doesn't have these permissions, the add-vm fails.
The problem is that the user didn't clear the dedicated hosts. In the user portal this tab is not even shown. So IMO, the solution should be to pass the dedicated hosts that are set in the template - otherwise the engine must assume that the user changed it.
(In reply to Arik from comment #12) Roy, there's no host tab in the new-VM dialog in the user portal. So users can't change the dedicated hosts.
Hello guys. May I ask you to edit description and remove the email address from it. Sorry it was my fault to post it ;)
(In reply to maksim.naumov from comment #14)
> Hello guys. May I ask you to edit description and remove the email address
> from it. Sorry it was my fault to post it ;)
We can't edit the description, we can make it private, would you like us to do that?
Yes, please.
Summing up: In user portal, add a VM, on save, we don't send the list of hosts. If we created that vm from a template and the list of hosts was non empty, then the backend failed the request. The validation is requesting for permissions to change that value. The host list isn't really visible in user portal. So a user can't possibly change that. And we just don't copy over the template host list. The impact is solely on user portal users for trying to create a vm from template with non-empty host lists. Fix should be easy, to populate the list of hosts from the template while adding vm.
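The check summarized in the comments above, as an added Python model (not oVirt engine code and not posted by anyone in this thread). The action-group names are the ones quoted in the thread; the class names, function names, role contents and host ids are hypothetical. It shows the denial before the fix, the success after the fix, and that a request which really changes the pinning is still denied.

```python
from dataclasses import dataclass

# Action-group names are quoted from the thread; all other names
# (classes, functions, host ids, role contents) are hypothetical.
BASE_GROUPS = {"CREATE_VM", "CREATE_DISK"}
ADMIN_GROUP = "EDIT_ADMIN_VM_PROPERTIES"


@dataclass(frozen=True)
class Template:
    dedicated_hosts: frozenset


@dataclass(frozen=True)
class AddVmRequest:
    dedicated_hosts: frozenset


def required_groups(req, template):
    """Groups the caller must hold: the admin group is added only when the
    request's host list differs from the template's."""
    needed = set(BASE_GROUPS)
    if req.dedicated_hosts != template.dedicated_hosts:
        needed.add(ADMIN_GROUP)
    return needed


def authorize(user_groups, req, template):
    """Return the missing groups; an empty set means the action is allowed."""
    return required_groups(req, template) - set(user_groups)


def user_portal_request(template, fixed):
    """The user portal has no host tab. Before the fix it sent an empty
    list; after the fix it copies the template's list."""
    hosts = template.dedicated_hosts if fixed else frozenset()
    return AddVmRequest(dedicated_hosts=hosts)


POWER_USER = {"CREATE_VM", "CREATE_DISK"}   # constructed role contents
PINNED = Template(frozenset({"host-1"}))    # constructed template
BLANK = Template(frozenset())

before = authorize(POWER_USER, user_portal_request(PINNED, fixed=False), PINNED)
after = authorize(POWER_USER, user_portal_request(PINNED, fixed=True), PINNED)
# A request that really changes the pinning must still need the admin group.
repin = authorize(POWER_USER, AddVmRequest(frozenset({"host-2"})), PINNED)
unpinned = authorize(POWER_USER, user_portal_request(BLANK, fixed=False), BLANK)
```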
(In reply to maksim.naumov from comment #16)
repeating the original bug description without private data:
Description of problem:
User can't create any VM using User Portal. It is not possible using a basic template and/or self-created template. While creating the VM user is not able to assign this VM to the specific host or change CPU pinning (there is no such functionality in the user interface). Self-created template has no information/settings about CPU pinning or host assignment.
Version-Release number of selected component (if applicable):
Version : 3.6.0.3
Release : 1.el7.centos
How reproducible: 100%
Steps to Reproduce:
1. Log in to the User Portal with non-admin user (user has to have PowerUserRole)
2. Click create new VM
3. Enter any name, choose a basic template, do not change anything else.
4. Click OK
5. See "User is not authorized to perform this action"
Actual results: User is not able to create new VM.
Expected results: User is able to create new VM.
Verified with: rhevm-3.6.6.2-0.1.el6.noarch
2016-05-08 13:05:21,112 INFO [org.ovirt.engine.core.bll.AddVmCommand] (ajp-/127.0.0.1:8702-1) [36096227] Running command: AddVmCommand internal: false. Entities affected : ID: 00000002-0002-0002-0002-000000000014 Type: VdsGroupsAction group CREATE_VM with role type USER, ID: 9198e38f-cac3-4a71-b22e-38dd266e1e02 Type: VmTemplateAction group CREATE_VM with role type USER, ID: 7641f2a1-0baa-43b2-a2d6-02f69d74c8b9 Type: StorageAction group CREATE_DISK with role type USER
...
2016-05-08 13:05:22,855 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-1) [6d6e94bb] Correlation ID: 36096227, Job ID: b1e74911-34f8-4214-9cd6-3c870c0fdd43, Call Stack: null, Custom Event ID: -1, Message: VM 123 creation was initiated by user1.xxx.xxx.xxx.xxxxxx.com@ad.
...
2016-05-08 13:05:29,971 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-13) [] Correlation ID: 36096227, Job ID: b1e74911-34f8-4214-9cd6-3c870c0fdd43, Call Stack: null, Custom Event ID: -1, Message: VM 123 creation has been completed.
This seems to still reproduce in 3.6.6 on Edit VM action. Was it tested?
reopening since it indeed doesn't work in rhevm-3.6.6.2-0.1, at least in a case of local storage when there is only one host available so on VM creating there gets the "list of hosts" automatically different from the template. For the first time when the VM is created from e.g. a blank template the user (with UserVmManager) cannot update the VM and it is failing the same way as described above. Once someone with admin permissions opens and saves the VM (hence sets the specific host) then things start to work from that time on for the user
A temporary workaround is to get an Admin assistance and to open and save the VM. Once done by Admin, the original user can edit the VM. Targeting to 3.6.8.
(In reply to Michal Skrivanek from comment #21)
> reopening since it indeed doesn't work in rhevm-3.6.6.2-0.1, at least in a
> case of local storage when there is only one host available so on VM
> creating there gets the "list of hosts" automatically different from the
> template.
> For the first time when the VM is created from e.g. a blank template the
> user (with UserVmManager) cannot update the VM and it is failing the same
> way as described above. Once someone with admin permissions opens and saves
> the VM (hence sets the specific host) then things start to work from that
> time on for the user
Can you please describe the exact scenario? I'm trying to reproduce this. From what I understand user can't edit vm that is pinned to a specific host after creation from template, but that seems to work (3.6.7 and master).
As a PowerUser create a VM from Blank template in a ppc64le datacenter from Blank template. VM can be created but followup edits are not possible, until an admin updates the VM (presumably setting the admin property of dedicated hosts). I reopened it on 3.6.6 as unfortunately I only have a 3.6.6 system, I don't know whether it works in 3.6.7 or not.
(In reply to Doron Fediuck from comment #26)
> A temporary workaround is to get an Admin assistance and to open and save
> the VM.
> Once done by Admin, the original user can edit the VM.
> Targeting to 3.6.8.
Which effectively invalidates self provisioning by users. Adding Moran as FYI
I would appreciate feedback from QE as my testing was very specific and there is a risk of wider impact. Pavel, can you please check?
Just verified on 3.6.6 with PPC and local storage. PowerUser was not able to create VM from blank template. Created a new template with selected host and PowerUser was able to create VM from that template.
Tried with: rhevm-4.0.2-0.1.rc.el7ev.noarch
PPC and local storage
User with PowerUserRole is able to create VM but still not able to edit it.
2016-07-27 09:54:33,240 INFO [org.ovirt.engine.core.bll.UpdateVmCommand] (default task-13) [3a4c1f38] No permission found for user '59bb3ad9-9bfa-42de-87fc-01bc6a2263e5' or one of the groups he is member of, when running action 'UpdateVm', Required permissions are: Action type: 'ADMIN' Action group: 'EDIT_ADMIN_VM_PROPERTIES' Object type: 'VM' Object ID: '529965cb-3fe0-4d6e-aabb-242f08df415d'.
2016-07-27 09:54:33,253 WARN [org.ovirt.engine.core.bll.UpdateVmCommand] (default task-13) [3a4c1f38] Validation of action 'UpdateVm' failed for user my_user@internal-authz. Reasons: VAR__ACTION__UPDATE,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
To clarify: this bug is not related to PPC, only to local storage.
The bug is reproducible only for the first vm creation on local storage for the session. After that the vms can be created and edited successfully.
The first time the vm is created on local storage it is created without a pinned host (even though it should be pinned to the only available host). After that when a user tries to edit it he fails, since the ui sends a dedicated host for the vm but in the db it was saved with none. So it appears like the user is editing the dedicated host.
This stems from a piece of async code that queries the db the first time it is executed (when the add vm dialog is first opened). The next time when the add vm dialog is opened the code doesn't need to query the db (the info is cached), so it is executed in the correct order and the vm is saved with the correct dedicated host and the user is able to edit it.
The decision whether or not the vm is pinned to a specific host depends on two things:
1. the vm is created from a template that is pinned to host.
2. the vm is created on local storage (in that case there is only one host, and the vm is pinned to it).
To ensure the correct behavior the code first sets the pinning behavior according to the template and then according to the local storage. However, since the code is async and the first vm creation queries the db for information, the code that queries the template hosts is executed after the code that queries the local storage, which causes the values to be overridden and the vm to be saved without the pinned host.
The same thing happens in admin portal as well. The first vm created on local storage was not saved with a dedicated host.
The fix is to move the querying of the local storage to the same block of code that is called after the db query is completed, thus ensuring the correct execution order at all times.
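The ordering problem described in the comment above, as an added asyncio model (not the oVirt UI code and not posted by anyone in this thread). The class, method names, delays and host id are hypothetical. The slow first lookup stands in for the database query, the instant one for the cached case.

```python
import asyncio


class NewVmDialog:
    """Hypothetical stand-in for the add-VM dialog model described above."""

    def __init__(self, template_hosts, local_host, cached):
        self.template_hosts = template_hosts
        self.local_host = local_host   # the only host of a local-storage setup
        self.cached = cached           # False on the first open of the session
        self.dedicated_hosts = []

    async def _load_template_hosts(self):
        # The first open goes to the database; later opens hit the cache.
        await asyncio.sleep(0 if self.cached else 0.02)
        return list(self.template_hosts)

    async def _apply_template(self):
        self.dedicated_hosts = await self._load_template_hosts()

    async def _apply_local_storage(self):
        await asyncio.sleep(0)
        self.dedicated_hosts = [self.local_host]

    async def open_racy(self):
        # Two independent callbacks: whichever finishes last wins.
        await asyncio.gather(self._apply_template(), self._apply_local_storage())
        return self.dedicated_hosts

    async def open_fixed(self):
        # Local-storage pinning runs only after the template query completes.
        await self._apply_template()
        await self._apply_local_storage()
        return self.dedicated_hosts


def saved_hosts(cached, fixed):
    """Host list the dialog would save for a Blank template on local storage."""
    dlg = NewVmDialog(template_hosts=[], local_host="host-1", cached=cached)
    return asyncio.run(dlg.open_fixed() if fixed else dlg.open_racy())
```

With the racy ordering the first open saves an empty host list, so a later edit that sends the host looks like a change to an admin-only property; the fixed ordering saves the pinned host on every open.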
3.6.8.1-0.1.el6 - could create/edit VMs as user (PowerUser role).
4.0.4.1-0.1.el7ev also works.