Bug 1310541 - SuperUser permit returns 'operation failed'
Summary: SuperUser permit returns 'operation failed'
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Backend.Core
Version: 3.6.3.2
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ovirt-3.6.3
: 3.6.3.3
Assignee: Martin Sivák
QA Contact: Nelly Credi
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-02-22 08:07 UTC by Nelly Credi
Modified: 2016-03-11 07:24 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-03-11 07:24:02 UTC
oVirt Team: SLA
Embargoed:
rule-engine: ovirt-3.6.z+
rule-engine: blocker+
mgoldboi: planning_ack+
dfediuck: devel_ack+
rule-engine: testing_ack+


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 53885 0 ovirt-engine-3.6 MERGED core: Added Roles and groups for cpu profiling 2016-02-23 13:13:35 UTC
oVirt gerrit 53910 0 refs/tags/ovirt-engine-3.6.3 ABANDONED core: Added Roles and groups for cpu profiling 2016-02-23 13:43:59 UTC
oVirt gerrit 53912 0 ovirt-engine-3.6.3 MERGED core: Added Roles and groups for cpu profiling 2016-02-23 18:13:07 UTC

Description Nelly Credi 2016-02-22 08:07:58 UTC
Description of problem:

SuperUser - when accessing the permit href we get operation failed 


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1./api/roles/
2.returns: <roles>
<role href="/api/roles/00000000-0000-0000-0000-000000000001" id="00000000-0000-0000-0000-000000000001">
<name>SuperUser</name>
<description>Roles management administrator</description>
<link href="/api/roles/00000000-0000-0000-0000-000000000001/permits" rel="permits"/>
<mutable>false</mutable>
<administrative>true</administrative>
</role> ...... other roles....
3./api/roles/00000000-0000-0000-0000-000000000001/permits

Actual results:
<fault>
<reason>Operation Failed</reason>
</fault>

Expected results:
The operation should succeed 

Additional info:

Comment 1 Juan Hernández 2016-02-22 10:39:06 UTC
This regression was introduced by the fix for bug 1255405. The patch to fix that bug introduced a new action group id with numeric value 1668:

  Add Attach Disk/Cpu profile permissions to all Import/Export capable roles
  https://gerrit.ovirt.org/52692

But there is no value in the "ActionGroup" enum corresponding to that value. As a result the "ActionGroupDaoImpl.getAllForRole" method returns an list containing one element whose value is "null". When the API tries to map this list it generates a NPE.

The workaround to the problem is to remove the offending rows from the database:

  delete from roles_groups where action_group_id=1668

However this would re-introduce bug 1255405.

I think that the right solution is to add the missing value to the "ActionGroup" enum, and also to the peer in the API, the "PermitType" enum.

It would also be nice send a clear error message to the log from the "ActionGroup.forValue" method, and maybe throw a run time exception instead of just returning "null".

Comment 2 Red Hat Bugzilla Rules Engine 2016-02-22 10:39:54 UTC
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.

Comment 3 Martin Sivák 2016-02-23 13:58:36 UTC
Waiting for the correct branch.


Note You need to log in before you can comment on or make changes to this bug.