Bug 1307048 - "Available consoles" query fails for insufficient permissions
Status: CLOSED NOTABUG
Product: ovirt-engine
Classification: oVirt
Component: Backend.Core
Version: 3.6.2.6
Hardware: Unspecified Unspecified
Priority: unspecified Severity: unspecified
Target Milestone: ovirt-3.6.5
Target Release: ---
Assigned To: Francesco Romani
QA Contact: meital avital
Reported: 2016-02-12 09:55 EST by Francesco Romani
Modified: 2017-02-03 15:04 EST
Doc Type: Bug Fix
Last Closed: 2016-03-14 04:26:14 EDT
Type: Bug
oVirt Team: Virt
tjelinek: ovirt-3.6.z?
rule-engine: planning_ack?
michal.skrivanek: devel_ack+
mavital: testing_ack+


External Trackers
Tracker: oVirt gerrit; ID: 53341; Priority: None; Status: None; Summary: None; Last Updated: 2016-02-12 09:55 EST

Description Francesco Romani 2016-02-12 09:55:57 EST
Description of problem:
As part of the serial console login flow, the ovirt-vmconsole-proxy service asks Engine for the list of the available consoles for a given user.
This happens only after the user is successfully authenticated, so there is no risk of information leak.

With ovirt-engine 3.6.2, the permission handling of the serial-console related queries was reworked, and the query started to fail for non-admin users, with errors like

2016-02-08 14:28:42,533 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:28:42,605 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:28:47,551 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-3) Query execution failed due to insufficient permissions.
2016-02-08 14:28:47,561 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-3) Query execution failed due to insufficient permissions.
2016-02-08 14:28:52,511 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-18) Query execution failed due to insufficient permissions.
2016-02-08 14:28:52,524 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-18) Query execution failed due to insufficient permissions.
2016-02-08 14:28:57,597 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-12) Query execution failed due to insufficient permissions.
2016-02-08 14:28:57,608 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-12) Query execution failed due to insufficient permissions.
2016-02-08 14:29:02,510 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:29:02,520 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:29:07,539 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-16) Query execution failed due to insufficient permissions.
2016-02-08 14:29:07,576 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-16) Query execution failed due to insufficient permissions.
2016-02-08 14:29:12,538 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-11) Query execution failed due to insufficient permissions.
2016-02-08 14:29:12,548 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-11) Query execution failed due to insufficient permissions.


Version-Release number of selected component (if applicable):
3.6.2


How reproducible:
100% (claimed, yet to be verified)

Steps to Reproduce:
1. configure serial console proxy
2. configure ssh keys for non-admin user
3. try to log in with non-admin users

Actual results:
Query fails, thus no available VM returned

Expected results:
Query should succeed

NOTE: since reproduction is still not complete, we don't know about possible workarounds.

Additional info:
Comment 1 Francesco Romani 2016-03-09 09:29:22 EST
Built and configured Engine 3.6.5, added aaa-jdbc package, created "John Doe" unprivileged (aka not-admin) user, added these roles

UserRole (on test VM)
UserVmManager  (on test VM)

Those were present by default:
VnicProfileUser
UserTemplateBasedVm
UserProfileEditor
CpuProfileOperator


Can't reproduce, I see no errors in the logs.

I guess we can still have http://gerrit.ovirt.org/53341 in master because it makes the code more correct, but perhaps not worth a backport.
Comment 2 Francesco Romani 2016-03-09 09:34:14 EST
Asked on ovirt-users for more details, this issue seems not trivial to reproduce.
Comment 3 Tomas Jelinek 2016-03-14 04:26:14 EDT
I think the original "2016-02-08 14:28:42,533 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery]" was not related to opening the console. The attached patch (53341) is not correct - it would break the opening of the console for non-admin users who don't have rights on the host itself.

Since looking at the code and doing lots of experiments the problem does not reproduce, closing this bug as not a bug since it seems there is no bug in this flow.

In case someone actually hits this issue, please feel free to reopen.
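
An added example, not part of the original bug report and not ovirt-engine code: a Python script that parses "insufficient permissions" lines in the format quoted in the description, counts them per query class, and measures the spacing between bursts, which helps when checking whether denials line up with a user action such as a console login. The function names and the one-second burst gap are this example's own assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Six lines copied verbatim from the log excerpt in the bug description.
SAMPLE_LOG = """\
2016-02-08 14:28:42,533 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:28:42,605 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:28:47,551 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-3) Query execution failed due to insufficient permissions.
2016-02-08 14:28:47,561 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-3) Query execution failed due to insufficient permissions.
2016-02-08 14:28:52,511 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-18) Query execution failed due to insufficient permissions.
2016-02-08 14:28:52,524 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-18) Query execution failed due to insufficient permissions.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ERROR "
    r"\[(?P<query>[\w.]+)\] \((?P<thread>[^)]+)\) "
    r"Query execution failed due to insufficient permissions\.$"
)

def parse_denials(text):
    """Return sorted (timestamp, query class name, thread) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m["query"].rsplit(".", 1)[-1], m["thread"]))
    return sorted(events)

def bursts(events, gap_seconds=1.0):
    """Group consecutive events that are at most gap_seconds apart (assumed threshold)."""
    groups = []
    for ev in events:
        if groups and (ev[0] - groups[-1][-1][0]).total_seconds() <= gap_seconds:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups

def summarize(text):
    """Count denials per query class and measure seconds between burst starts."""
    groups = bursts(parse_denials(text))
    starts = [g[0][0] for g in groups]
    return {
        "per_query": Counter(ev[1] for g in groups for ev in g),
        "burst_sizes": [len(g) for g in groups],
        "intervals_s": [round((b - a).total_seconds()) for a, b in zip(starts, starts[1:])],
    }
```
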
