Description of problem:
As part of the serial console login flow, the ovirt-vmconsole-proxy service asks Engine for the list of the available consoles for a given user. This happens only after the user is successfully authenticated, so there is no risk of information leak.

With ovirt-engine 3.6.2, the permission handling of the serial-console related queries was reworked, and the query started to fail for non-admin users, with errors like:

2016-02-08 14:28:42,533 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:28:42,605 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:28:47,551 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-3) Query execution failed due to insufficient permissions.
2016-02-08 14:28:47,561 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-3) Query execution failed due to insufficient permissions.
2016-02-08 14:28:52,511 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-18) Query execution failed due to insufficient permissions.
2016-02-08 14:28:52,524 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-18) Query execution failed due to insufficient permissions.
2016-02-08 14:28:57,597 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-12) Query execution failed due to insufficient permissions.
2016-02-08 14:28:57,608 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-12) Query execution failed due to insufficient permissions.
2016-02-08 14:29:02,510 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:29:02,520 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:29:07,539 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-16) Query execution failed due to insufficient permissions.
2016-02-08 14:29:07,576 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-16) Query execution failed due to insufficient permissions.
2016-02-08 14:29:12,538 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-11) Query execution failed due to insufficient permissions.
2016-02-08 14:29:12,548 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-11) Query execution failed due to insufficient permissions.

Version-Release number of selected component (if applicable):
3.6.2

How reproducible:
100% (claimed, yet to be verified)

Steps to Reproduce:
1. configure serial console proxy
2. configure ssh keys for non-admin user
3. try to log in with non-admin users

Actual results:
Query fails, thus no available VM returned

Expected results:
Query should succeed

NOTE: since reproduction is still not complete, we don't know about possible workarounds.

Additional info:
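The engine.log lines quoted in this report are easier to reason about when parsed than when eyeballed: the failures arrive in pairs on the same request thread, and the pairs recur roughly every five seconds, which points at a repeated automated request (the proxy polling or retrying) rather than a single user action. The following Python is an added example, not part of this bug report and not oVirt code. It parses lines in the format shown above (timestamp, level, [class], (thread), message), keeps the "insufficient permissions" ERROR records, summarises them per query class and per request thread, and groups them into bursts so the interval between repeated attempts becomes visible. The sample log is constructed from lines quoted above plus one placeholder INFO line (the class name PlaceholderQuery is made up).

```python
"""Summarise permission-denied query failures in oVirt engine.log style lines."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: real lines from the report plus one made-up INFO line
# (PlaceholderQuery is a placeholder, not a real oVirt class).
SAMPLE_LOG = """\
2016-02-08 14:28:42,533 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:28:42,605 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:28:45,000 INFO  [org.ovirt.engine.core.bll.PlaceholderQuery] (ajp--127.0.0.1-8702-9) Running query (constructed filler line)
2016-02-08 14:28:47,551 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-3) Query execution failed due to insufficient permissions.
2016-02-08 14:28:47,561 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-3) Query execution failed due to insufficient permissions.
2016-02-08 14:28:52,511 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-18) Query execution failed due to insufficient permissions.
2016-02-08 14:28:52,524 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-18) Query execution failed due to insufficient permissions.
"""

# "<date> <time>,<millis> <LEVEL> [<class>] (<thread>) <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+)\s+"
    r"\[(?P<cls>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) "
    r"(?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return rec


def permission_failures(text):
    """Keep only ERROR records that report a permission check failure."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "ERROR" and "insufficient permissions" in rec["msg"]:
            out.append(rec)
    return out


def group_bursts(events, window=1.0):
    """Group events whose timestamps lie within `window` seconds of a burst's first event."""
    bursts = []
    for e in sorted(events, key=lambda r: r["ts"]):
        if bursts and (e["ts"] - bursts[-1][0]["ts"]).total_seconds() <= window:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    return bursts


def burst_intervals(bursts):
    """Seconds between the start of consecutive bursts (the retry/poll cadence)."""
    starts = [b[0]["ts"] for b in bursts]
    return [round((b - a).total_seconds(), 3) for a, b in zip(starts, starts[1:])]


def analyze(text, window=1.0):
    """Full summary: counts per query class and thread, plus burst structure."""
    events = permission_failures(text)
    bursts = group_bursts(events, window)
    return {
        "failures": len(events),
        # short class name: the last dotted component of the logger name
        "by_query": dict(Counter(e["cls"].rsplit(".", 1)[-1] for e in events)),
        "by_thread": dict(Counter(e["thread"] for e in events)),
        "bursts": len(bursts),
        "intervals": burst_intervals(bursts),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(analyze(SAMPLE_LOG))
```

Run against a real engine.log, `by_thread` tells you whether the failures belong to a handful of request threads (one client retrying) or are spread across many, and `intervals` makes a fixed polling cadence obvious; both are useful when deciding whether a burst of "insufficient permissions" errors is a single misconfigured login or a broader permission regression like the one described in this report.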
Built and configured Engine 3.6.5, added aaa-jdbc package, created "John Doe" unprivileged (aka not-admin) user, added these roles:
UserRole (on test VM)
UserVmManager (on test VM)

Those were present by default:
VnicProfileUser
UserTemplateBasedVm
UserProfileEditor
CpuProfileOperator

Can't reproduce, I see no errors in the logs. I guess we can still have http://gerrit.ovirt.org/53341 in master because it makes the code more correct, but perhaps not worth backporting.
Asked on ovirt-users for more details, this issue seems not trivial to reproduce.
I think the original "2016-02-08 14:28:42,533 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery]" was not related to opening the console. The attached patch (53341) is not correct - it would break the opening of the console for non-admin users who don't have rights on the host itself. Since, after looking at the code and doing lots of experiments, the problem does not reproduce, closing this bug as not a bug since it seems there is no bug in this flow. In case someone actually hits this issue, please feel free to reopen.