Bug 1307048 - "Available consoles" query fails for insufficient permissions
Summary: "Available consoles" query fails for insufficient permissions
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Backend.Core
Version: 3.6.2.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-3.6.5
Assignee: Francesco Romani
QA Contact: meital avital
URL:
Whiteboard: Virt
Depends On:
Blocks:
 
Reported: 2016-02-12 14:55 UTC by Francesco Romani
Modified: 2017-02-03 20:04 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-14 08:26:14 UTC
oVirt Team: Virt
Embargoed:
tjelinek: ovirt-3.6.z?
rule-engine: planning_ack?
michal.skrivanek: devel_ack+
mavital: testing_ack+




Links
System        ID     Private  Priority  Status  Summary  Last Updated
oVirt gerrit  53341  0        None      None    None     2016-02-12 14:55:57 UTC

Description Francesco Romani 2016-02-12 14:55:57 UTC
Description of problem:
As part of the serial console login flow, the ovirt-vmconsole-proxy service asks Engine for the list of available consoles for a given user.
This happens only after the user is successfully authenticated, so there is no risk of information leak.

With ovirt-engine 3.6.2, the permission handling of the serial-console related queries was reworked, and the query started to fail for non-admin users, with errors like

2016-02-08 14:28:42,533 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:28:42,605 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:28:47,551 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-3) Query execution failed due to insufficient permissions.
2016-02-08 14:28:47,561 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-3) Query execution failed due to insufficient permissions.
2016-02-08 14:28:52,511 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-18) Query execution failed due to insufficient permissions.
2016-02-08 14:28:52,524 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-18) Query execution failed due to insufficient permissions.
2016-02-08 14:28:57,597 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-12) Query execution failed due to insufficient permissions.
2016-02-08 14:28:57,608 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-12) Query execution failed due to insufficient permissions.
2016-02-08 14:29:02,510 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:29:02,520 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:29:07,539 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-16) Query execution failed due to insufficient permissions.
2016-02-08 14:29:07,576 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-16) Query execution failed due to insufficient permissions.
2016-02-08 14:29:12,538 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-11) Query execution failed due to insufficient permissions.
2016-02-08 14:29:12,548 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-11) Query execution failed due to insufficient permissions.


Version-Release number of selected component (if applicable):
3.6.2


How reproducible:
100% (claimed, yet to be verified)

Steps to Reproduce:
1. configure serial console proxy
2. configure ssh keys for non-admin user
3. try to log in with non-admin users

Actual results:
Query fails, thus no available VM returned

Expected results:
Query should succeed

NOTE: since reproduction is still not complete, we don't know about possible workarounds.

Additional info:

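The engine.log excerpt in the description is the only evidence the report has, and what it shows without saying so is the cadence: pairs of failures from the same thread, roughly five seconds apart. The following added example (not part of this bug or of the oVirt code base) parses lines in that layout, keeps the ERROR entries that report an authorization failure, and groups them per query class into bursts so that a periodic caller such as the polling proxy stands out. The line-format regex, the burst threshold and the log location are assumptions; the sample input is the first six lines from the report plus one constructed non-error line.

```python
import re
from datetime import datetime
from statistics import mean

# Constructed sample input: the first six engine.log lines quoted in the report,
# verbatim, plus one constructed non-error line that must be ignored. A real run
# would read /var/log/ovirt-engine/engine.log (assumed location).
SAMPLE_LOG = """\
2016-02-08 14:28:42,533 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:28:42,605 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-17) Query execution failed due to insufficient permissions.
2016-02-08 14:28:47,551 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-3) Query execution failed due to insufficient permissions.
2016-02-08 14:28:47,561 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-3) Query execution failed due to insufficient permissions.
2016-02-08 14:28:52,511 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-18) Query execution failed due to insufficient permissions.
2016-02-08 14:28:52,524 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery] (ajp--127.0.0.1-8702-18) Query execution failed due to insufficient permissions.
2016-02-08 14:28:55,000 INFO  [org.example.ConstructedLogger] (ajp--127.0.0.1-8702-2) constructed filler line, not an error
"""

# Assumed line layout: "<date> <time>,<ms> <LEVEL> [<logger>] (<thread>) <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[\w.]+)\] "
    r"\((?P<thread>[^)]+)\) (?P<msg>.*)$"
)


def parse_line(line):
    """Parse one engine.log line into a dict, or return None for non-matching text."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    record["ts"] = datetime.strptime(record["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return record


def permission_failures(log_text):
    """Keep only ERROR entries whose message reports an authorization failure."""
    failures = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and record["level"] == "ERROR" and "insufficient permissions" in record["msg"]:
            failures.append(record)
    return failures


def summarize(failures, burst_gap_s=1.0):
    """Per logger: failure count, distinct threads, bursts and mean gap between bursts.

    Events closer than burst_gap_s (assumed threshold) belong to one burst; the mean
    gap between burst starts exposes a periodic caller such as a polling proxy.
    """
    by_logger = {}
    for rec in sorted(failures, key=lambda r: r["ts"]):
        by_logger.setdefault(rec["logger"], []).append(rec)

    summary = {}
    for logger, recs in by_logger.items():
        burst_starts = [recs[0]["ts"]]
        for prev, cur in zip(recs, recs[1:]):
            if (cur["ts"] - prev["ts"]).total_seconds() > burst_gap_s:
                burst_starts.append(cur["ts"])
        gaps = [(b - a).total_seconds() for a, b in zip(burst_starts, burst_starts[1:])]
        summary[logger] = {
            "count": len(recs),
            "threads": len({r["thread"] for r in recs}),
            "bursts": len(burst_starts),
            "mean_burst_gap_s": round(mean(gaps), 1) if gaps else None,
        }
    return summary


if __name__ == "__main__":
    for logger, stats in summarize(permission_failures(SAMPLE_LOG)).items():
        print(logger, stats)
```

On the sample this reports six failures on three threads in three bursts with a mean gap of 5.0 s, which is the pattern to look for when deciding whether the errors come from a periodic service rather than from an interactive user; a single authorization failure at the moment a console is opened looks different and is what comment 3 was trying to correlate.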
Comment 1 Francesco Romani 2016-03-09 14:29:22 UTC
Built and configured Engine 3.6.5, added aaa-jdbc package, created "John Doe" unprivileged (aka not-admin) user, added these roles

UserRole (on test VM)
UserVmManager  (on test VM)

Those were present by default:
VnicProfileUser
UserTemplateBasedVm
UserProfileEditor
CpuProfileOperator


Can't reproduce, I see no errors in the logs.

I guess we can still have http://gerrit.ovirt.org/53341 in master because it makes the code more correct, but perhaps it is not worth a backport.

Comment 2 Francesco Romani 2016-03-09 14:34:14 UTC
Asked on ovirt-users for more details, this issue seems not trivial to reproduce.

Comment 3 Tomas Jelinek 2016-03-14 08:26:14 UTC
I think the original "2016-02-08 14:28:42,533 ERROR [org.ovirt.engine.core.bll.GetVdsByVdsIdQuery]" was not related to opening the console. The attached patch (53341) is not correct - it would break the opening of the console for non-admin users which don't have rights on the host itself.

Since, after looking at the code and doing lots of experiments, the problem does not reproduce, closing this bug as not a bug since it seems there is no bug in this flow.

In case someone will actually hit this issue, please feel free to reopen.
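The design point behind comment 3 is that a user whose roles are on the VM only (UserRole and UserVmManager, as in comment 1) must still be able to open its console, so the console lookup must not be gated on a host-level permission. The following added example (a toy model, not oVirt engine code and not the patch under review) contrasts the two shapes: one where the host-by-id lookup runs with the user's identity and fails exactly as the report's log lines do, and one that authorizes on the VM and then resolves the VM's host under the service's own identity. The inventory, the permission table, the meaning assigned to the role names and every function name are assumptions.

```python
from dataclasses import dataclass


class InsufficientPermissions(Exception):
    """Stand-in for the engine's 'Query execution failed due to insufficient permissions'."""


@dataclass(frozen=True)
class Vm:
    name: str
    host: str  # id of the host the VM currently runs on


# Constructed inventory: two VMs on two hosts.
VMS = {
    "test-vm": Vm("test-vm", "host-1"),
    "other-vm": Vm("other-vm", "host-2"),
}

# Constructed permission table: user -> {(role, object)}. "john.doe" carries the
# two roles comment 1 lists on the test VM and, deliberately, nothing on any host.
PERMISSIONS = {
    "john.doe": {("UserRole", "test-vm"), ("UserVmManager", "test-vm")},
    "admin": {("AdminRole", "*")},  # constructed: "*" stands for every object
}

# Assumption: holding one of these roles on an object allows opening its console.
CONSOLE_ROLES = {"UserRole", "UserVmManager", "AdminRole"}


def user_may_open_console(user, obj):
    """VM-level authorization: does the user hold a console-granting role on obj?"""
    return any(
        role in CONSOLE_ROLES and target in (obj, "*")
        for role, target in PERMISSIONS.get(user, set())
    )


def user_may_read(user, obj):
    """Generic read check applied by user-scoped lookups: any role on the object."""
    return any(target in (obj, "*") for _role, target in PERMISSIONS.get(user, set()))


def get_host_as_user(user, host_id):
    """Host-by-id lookup executed with the caller's identity (the failing shape)."""
    if not user_may_read(user, host_id):
        raise InsufficientPermissions(f"{user} has no permission on {host_id}")
    return host_id


def get_host_internal(host_id):
    """Host-by-id lookup executed by the service itself, after VM-level authorization."""
    return host_id


def available_consoles_user_scoped(user):
    """Every lookup, host included, runs as the user: breaks for VM-only roles."""
    consoles = []
    for vm in VMS.values():
        if user_may_open_console(user, vm.name):
            consoles.append((vm.name, get_host_as_user(user, vm.host)))
    return consoles


def available_consoles(user):
    """Authorize on the VM the user is entitled to, then resolve its host internally."""
    consoles = []
    for vm in VMS.values():
        if user_may_open_console(user, vm.name):
            consoles.append((vm.name, get_host_internal(vm.host)))
    return consoles


if __name__ == "__main__":
    print(available_consoles("john.doe"))  # [('test-vm', 'host-1')]
    try:
        available_consoles_user_scoped("john.doe")
    except InsufficientPermissions as exc:
        print("user-scoped host lookup failed:", exc)
```

The check that decides what the user gets to see stays on the VM; the host lookup is an implementation detail of building the console endpoint and runs with the service's privileges only after that check has passed, so the user never gains read access to the host object itself and the admin path behaves the same in both shapes.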

