Bug 1325785 - permissions on Database Object don't allow "add direct LUN" to virtual machine.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.5.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ovirt-4.0.0-beta
Target Release: 4.0.0
Assigned To: Daniel Erez
QA Contact: Kevin Alon Goldblatt
Depends On:
Blocks:
Reported: 2016-04-11 04:09 EDT by Olimp Bockowski
Modified: 2017-03-21 17:06 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-08-23 16:34:45 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Storage
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
oVirt gerrit | 57196 | master | MERGED | webadmin: PermissionList - correct VdcObjectType for LunDisk | 2016-05-08 16:21 EDT
Red Hat Product Errata | RHEA-2016:1743 | normal | SHIPPED_LIVE | Red Hat Virtualization Manager 4.0 GA Enhancement (ovirt-engine) | 2016-09-02 17:54:01 EDT

Description Olimp Bockowski 2016-04-11 04:09:40 EDT
Description of problem:
permissions started and propagated on Database Object can't provide permissions to add direct LUN to virtual machine.

Version-Release number of selected component (if applicable):
RHEL 6.6 with rhevm-3.5.1-0.4.el6ev.noarch


How reproducible:

Example settings using AD:

User record: 
cc5490f5-e3c4-4d49-b35b-6d0702c1c06f | Luis              | Docampo Gutierrez   | xunta.local | ldocampo 

permission record:
207f376b-a8b1-4a71-bdb0-b13b33b05497 | 00000000-0000-0000-0000-000000000001 | cc5490f5-e3c4-4d49-b35b-6d0702c1c06f | 7eb08a94-6a36-46c8-846f-7857c9f6bdda |             14

Which means SuperUser (00000000-0000-0000-0000-000000000001) and Database object affected by permissions (object_type_id 14)

I have performed exactly the same test on my environment with IdM (both test: users and groups). 
The result is the same, permissions started and propagated on Database Object can't provide permissions to add direct LUN to virtual machine.

Workaround is to put user as Superuser at the top - System (object_type_id 1) - confirmed.

Actual results:
user doesn't have permission to 'add direct LUN' to VMs

Expected results:
user is able to 'add direct LUN'

Additional info:
Workaround is to put user as Superuser at the top - System (object_type_id 1)
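
The workaround above grants SuperUser on System, which is a much wider scope than the original grant, so those grants are worth finding again once the fixed version is installed. The following is an added example, not part of the bug report or of oVirt: it parses permission rows in the pipe-delimited format quoted above and groups SuperUser holders by scope. The column order is inferred from the quoted record; the header names, sample rows and GUIDs are constructed.

```python
# Added example, not oVirt code. Column order inferred from the quoted record:
#   id | role id | user/group id | object id | object_type_id
SUPERUSER_ROLE = "00000000-0000-0000-0000-000000000001"  # SuperUser per the report
SYSTEM_TYPE = 1  # object_type_id of System per the report

# Constructed sample (placeholder GUIDs), psql-style output with header and footer.
SAMPLE = """
 id | role | principal | object | object_type_id
----+------+-----------+--------+----------------
 a0000000-0000-0000-0000-000000000001 | 00000000-0000-0000-0000-000000000001 | 11111111-1111-1111-1111-111111111111 | d0000000-0000-0000-0000-000000000001 |             14
 a0000000-0000-0000-0000-000000000002 | 00000000-0000-0000-0000-000000000001 | 11111111-1111-1111-1111-111111111111 | 50000000-0000-0000-0000-000000000001 |              1
 a0000000-0000-0000-0000-000000000003 | 00000000-0000-0000-0000-000000000001 | 22222222-2222-2222-2222-222222222222 | d0000000-0000-0000-0000-000000000001 |             14
 a0000000-0000-0000-0000-000000000004 | 00000000-0000-0000-0000-000000000001 | 33333333-3333-3333-3333-333333333333 | 50000000-0000-0000-0000-000000000001 |              1
 a0000000-0000-0000-0000-000000000005 | 99999999-0000-0000-0000-000000000009 | 22222222-2222-2222-2222-222222222222 | 50000000-0000-0000-0000-000000000001 |              1
(5 rows)
"""

def parse_rows(text):
    """Return permission rows as dicts; header, separator and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5 or not fields[4].isdigit():
            continue
        rows.append({"id": fields[0], "role_id": fields[1], "user_id": fields[2],
                     "object_id": fields[3], "object_type_id": int(fields[4])})
    return rows

def audit_superuser_scope(rows):
    """Group SuperUser holders by the scope(s) at which the role was granted."""
    scopes = {}
    for r in rows:
        if r["role_id"] == SUPERUSER_ROLE:  # other roles are out of scope here
            scopes.setdefault(r["user_id"], set()).add(r["object_type_id"])
    report = {"workaround_candidates": [], "system_only": [], "scoped_only": []}
    for user, types in sorted(scopes.items()):
        if SYSTEM_TYPE in types and len(types) > 1:
            # Narrow grant plus System grant: matches the workaround pattern.
            report["workaround_candidates"].append(user)
        elif SYSTEM_TYPE in types:
            report["system_only"].append(user)
        else:
            report["scoped_only"].append(user)
    return report

if __name__ == "__main__":
    for bucket, users in audit_superuser_scope(parse_rows(SAMPLE)).items():
        print(bucket, users)
```

Users listed under `workaround_candidates` hold SuperUser both on a narrower object and on System; after upgrading, the System-level grant is the one to review.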
Comment 1 Daniel Erez 2016-04-12 04:36:21 EDT
Hi Olimp,

A few questions for further investigation:
1. Are there any specific reproducing steps for the issue?
2. Have you encountered it only on a specific flow?
3. Is it reproduced consistently?
4. What is the error message you get from the UI/rest?
5. Which role is used by the user?
6. Which permissions are granted to the VM (VMs -> Permissions sub-tab).
7. Can you please attach the relevant engine logs.
Comment 2 Olimp Bockowski 2016-04-27 08:48:03 EDT
1. Are there any specific reproducing steps for the issue?
Just select the 'Datacenter' tab, pick one of the Datacenters, then the 'Permissions' tab at the bottom, and add any user with the SuperUser role.
2. Have you encountered it only on a specific flow?
I think it is only related to hierarchy of permissions. When SuperUser role is applied not at the top (applied through Configure/System Permissions)
3. Is it reproduced consistently?
Yes
4. What is the error message you get from the UI/rest?
The error is "User is not authorized to perform this action".
5. Which role is used by the user?
SuperUser, PowerUser (but I don't expect the second one to work)
6. Which permissions are granted to the VM (VMs -> Permissions sub-tab).
VM permissions weren't set; we expected that the SuperUser role for the Datacenter would allow adding a new LUN to a VM
7. Can you please attach the relevant engine logs.
I am to attach

olimpb
Comment 4 Olimp Bockowski 2016-04-27 09:02:47 EDT
attachment added as private due to restrictions related to customer's policy

olimpb
Comment 14 Kevin Alon Goldblatt 2016-06-19 11:45:41 EDT
Verified with the following code:
--------------------------------------
rhevm-4.0.0.4-0.1.el7ev.noarch
vdsm-4.18.2-0.el7ev.x86_64


Verified using the following scenario:
--------------------------------------
1. DC Tab -> Select a domain -> Permissions Tab
2. Press the Add Tab in the User Pane
3. Search for the User in the database, select the user and assign the Super User permissions to the user and press OK
4. Log into the Webadmin with the newly created user and select a VM in the VM Tab
5. Add a new direct LUN >>>>> direct LUN is added successfully
6. Create a new VM and add a direct LUN >>>>> direct LUN is added successfully

Moving to VERIFIED!
Comment 16 errata-xmlrpc 2016-08-23 16:34:45 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1743.html
