Bug 1287808 - [RFE] Add a new permission for managing all the machines from the User interface
Status: NEW
Product: ovirt-engine
Classification: oVirt
Component: RFEs
Version: future
Hardware/OS: Unspecified / Unspecified
Priority: low
Severity: medium
Assigned To: bugs@ovirt.org
QA Contact: Gil Klein
Keywords: FutureFeature
Reported: 2015-12-02 13:06 EST by nicolas
Modified: 2018-02-23 07:35 EST
Doc Type: Enhancement
Type: Bug
oVirt Team: Virt
Flags:
michal.skrivanek: ovirt-future?
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?
Attachments: None
Description nicolas 2015-12-02 13:06:55 EST
Description of problem:

We've deployed oVirt to give our teachers a platform for their students. Usually we deploy a Pool and manually add the list of users (students) who should have access to the machines of the Pool (by granting them the UserRole permission), but most teachers also ask for access to ALL the machines of their pool, even to those that are already attached to a student (most of them want to check/evaluate the work of their students by accessing their machines).

I've been testing with the VmPoolAdmin permission, but that one only allows handling the machines from the Admin interface. We'd like to avoid granting access to the Admin interface to non-technical staff (therefore we don't want teachers to access it).

Currently we're using a workaround to achieve this: we just detach all the machines from the Pool and then add the 'UserRole' to the teacher on each machine, which is a tedious task when the number of machines is larger than 15.

Would it be very hard to create a role/permission that would also grant the UserRole permission on all the machines of the Pool to the user it is granted to?

At least in our case this would be very useful because we're an educational entity.
Comment 1 Michal Skrivanek 2016-02-22 07:37:52 EST
We can perhaps just redefine the scope of what VmPoolAdmin can do in the User Portal. That would be simple.
It would still allow them to log in to webadmin, but is that a problem if they don't really have any other permission, so they can't do much in there other than see stuff?
Comment 2 nicolas 2016-02-22 08:17:09 EST
Well, not an actual problem in terms of breaking something, but rather a possible security issue (for instance, they could leave the admin open when someone is in their office (like a thrill-seeking student), and they might see VM IPs, host IPs, storage topology...).

They shouldn't be entering the webadmin for more than curiosity, though, so the above would be a very unlikely case; thus I think this could be a valid implementation if it's easy for you.
Comment 3 Michal Skrivanek 2016-09-07 07:38:13 EDT
Another option is to write your own simple user portal with the exact functionality you need. Anything is possible with the API. Some inspiration: https://www.ovirt.org/develop/developer-guide/sample-user-portals/
Comment 4 nicolas 2016-09-30 16:50:05 EDT
The problem here is that (AFAIK) a VM inside a pool cannot be granted additional permissions other than to the user who currently has the VM.

So if a user is assigned machine 'foo-1', the 'UserRole' is granted to him, and if an additional permission is to be granted manually, oVirt won't allow it, so our own user portal wouldn't fix the problem here.
Comment 5 Martin Tessun 2017-11-17 05:58:22 EST
Michal,

Does the new VM Portal still work the same way? Can we (maybe) solve this issue more easily in the new VM Portal?

Any thoughts on this?
Comment 6 Michal Skrivanek 2017-11-17 12:17:42 EST
There's no change in permission handling.
All the VMs in a pool need to be the same... but I'm not sure I understand how this should work exactly. A special user with permission to all the VMs in a pool? Can you describe it in more detail?
Comment 7 nicolas 2017-11-27 14:09:13 EST
Sorry for the delay in my response.

I meant a permission so that everyone who is granted it on a VmPool can access all the VMs in the pool from within the User Portal.

That's especially useful in our case because teachers request VmPools from us whose templates already have a username for the teacher (in the guest OS), so they can access them by SSH, for example. The problem is that they don't know the IP address of each of their students' attached VMs, so they have to go one by one asking them for their IP address and connect that way so they can review their work.

It would be nice to have a permission that would allow them to see all the VMs of the pool in the User Portal, just as if they had the machine attached, even though the VMs are actually attached to a different user (a student in our case), and to do any operation on them just as if they had the VM attached (start, shutdown, etc.).
Comment 8 Michal Skrivanek 2017-11-27 16:54:22 EST
Can you try to change it at https://github.com/oVirt/ovirt-web-ui/blob/tree/master/src/saga/login.js#L201 to not set the filter for a particular user? Then they should see all VMs.
Comment 9 nicolas 2018-02-05 12:41:52 EST
Sorry for the delay.

I'm trying to access the link you provided, but it returns a 404 error. Could you describe what that change does? If it allows adding a user so that he sees all the VMs in the pool with a UserRole, then it's more than enough.
Comment 10 Michal Skrivanek 2018-02-06 02:45:07 EST
Not sure why the link doesn't work, this one should - https://github.com/oVirt/ovirt-web-ui/blob/14358031656a950c6c87dda998cfce193ee4b46a/src/saga/login.js#L201

The test was to try setting setUserFilterPermission(false) for your special users; then they should see everything.
If that works, we can see what permission to use, or find some way to differentiate these special users.
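Added example (JavaScript; not code from ovirt-web-ui or oVirt) showing what the test in Comments 8 and 10 changes, and what a custom portal along the lines of Comment 3 would have to compute. Background that the example relies on: the oVirt REST API's `Filter` request header selects between the user view (`Filter: true`, results restricted to objects the caller holds a role on) and the administrator view (`Filter: false`, everything), and the engine serves the administrator view only to callers holding an administrative role, so flipping the portal's user filter changes what the client asks for, not what the caller is allowed to see. The permission and VM objects below are constructed samples shaped like a minimal subset of the engine's API objects; `shouldUseUserFilter`, `apiHeaders` and `visibleVms` are names chosen for this example.

```javascript
// Added example, not ovirt-web-ui code: how the VM Portal's "user filter" maps
// onto the oVirt REST API `Filter` header, and what the pool-wide view asked for
// in this RFE means in terms of the caller's permissions.

// Constructed sample permissions (assumption: only the fields used here, shaped
// like the engine's permission objects). Role names are oVirt built-ins; the
// `administrative` flag mirrors the role attribute of the same name.
const SAMPLE_PERMISSIONS = {
  teacher: [
    { role: { name: 'VmPoolAdmin', administrative: true }, vm_pool: { id: 'pool-1' } },
  ],
  student: [
    { role: { name: 'UserRole', administrative: false }, vm: { id: 'vm-2' } },
  ],
};

// Constructed sample inventory: three pool VMs plus one VM outside the pool
// that the unfiltered (administrator) view would also expose.
const SAMPLE_VMS = [
  { id: 'vm-1', name: 'course-1', vm_pool: { id: 'pool-1' } },
  { id: 'vm-2', name: 'course-2', vm_pool: { id: 'pool-1' } },
  { id: 'vm-3', name: 'course-3', vm_pool: { id: 'pool-1' } },
  { id: 'vm-9', name: 'infra-db', vm_pool: null },
];

// Counterpart of the portal's setUserFilterPermission() decision: keep the user
// filter on unless the caller holds at least one administrative role. A caller
// with only UserRole gets a permission error from the engine on an unfiltered
// query, so offering them the unfiltered view gains nothing.
function shouldUseUserFilter(permissions) {
  return !permissions.some((p) => p.role && p.role.administrative === true);
}

// Request headers for the oVirt REST API: bearer token from the engine's SSO
// endpoint, JSON responses, and the Filter header derived from the decision above.
function apiHeaders(token, useUserFilter) {
  return {
    Accept: 'application/json',
    Authorization: `Bearer ${token}`,
    Filter: useUserFilter ? 'true' : 'false',
  };
}

// The pool-wide view this RFE asks for, computed client-side from an unfiltered
// VM list: every VM of any pool the caller holds a role on, plus VMs the caller
// holds a role on directly. VMs outside those scopes are dropped even though the
// administrator view returned them (this is what Comment 2 worries about).
function visibleVms(permissions, vms) {
  const poolIds = new Set(permissions.filter((p) => p.vm_pool).map((p) => p.vm_pool.id));
  const vmIds = new Set(permissions.filter((p) => p.vm).map((p) => p.vm.id));
  return vms.filter((vm) => vmIds.has(vm.id) || (vm.vm_pool && poolIds.has(vm.vm_pool.id)));
}

// Stand-alone demo over the constructed samples.
for (const who of Object.keys(SAMPLE_PERMISSIONS)) {
  const perms = SAMPLE_PERMISSIONS[who];
  const useFilter = shouldUseUserFilter(perms);
  const names = visibleVms(perms, SAMPLE_VMS).map((vm) => vm.name).join(', ');
  console.log(`${who}: Filter=${apiHeaders('<token>', useFilter).Filter}; pool view: ${names}`);
}
```

The point for the portal change under discussion: the client-side filter flag only decides which users the UI asks the engine for the full view, and the scoping to "the teacher's pools" then has to happen either in the engine (a new role, as the RFE requests) or in the portal, as `visibleVms` does here.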
Comment 11 nicolas 2018-02-23 07:35:04 EST
I'd say that's the way it should work. I was able to reproduce it and I see all machines.