Bug 1368552 - User unable to query disks of assigned VM
Summary: User unable to query disks of assigned VM
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: RestAPI
Version: 4.0.2.7
Hardware: All
OS: All
medium
medium vote
Target Milestone: ovirt-4.0.4
: 4.0.4
Assignee: Juan Hernández
QA Contact: Lucie Leistnerova
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-19 17:30 UTC by Lukas Svaty
Modified: 2016-09-26 12:32 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-26 12:32:21 UTC
oVirt Team: Infra
rule-engine: ovirt-4.0.z+
rule-engine: ovirt-4.1+
rule-engine: blocker+
mgoldboi: planning_ack+
mperina: devel_ack+
lsvaty: testing_ack+

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 62760 0 ovirt-engine-4.0 MERGED restapi: Ignore failures fetching additional disk data 2016-08-31 13:26:19 UTC
oVirt gerrit 63076 0 ovirt-engine-4.0 MERGED restapi: Ignore failures fetching additional disk data 2016-08-31 16:29:02 UTC
oVirt gerrit 63123 0 ovirt-engine-4.0 MERGED restapi: Don't add V3 guest IP to links 2016-09-02 18:39:48 UTC
oVirt gerrit 63124 0 ovirt-engine-4.0 MERGED restapi: Don't add V3 disk attachment details to links 2016-09-02 18:39:43 UTC
oVirt gerrit 63321 0 ovirt-engine-4.0.4 MERGED restapi: Ignore failures fetching additional disk data 2016-09-05 16:26:16 UTC
oVirt gerrit 63322 0 ovirt-engine-4.0.4 MERGED restapi: Don't add V3 guest IP to links 2016-09-05 16:26:06 UTC
oVirt gerrit 63323 0 ovirt-engine-4.0.4 MERGED restapi: Don't add V3 disk attachment details to links 2016-09-05 16:26:21 UTC

Description Lukas Svaty 2016-08-19 17:30:00 UTC 
Description of problem:
If uset has user permissions on VM he should be able to list disks via api as it was available in the older versions.

Version-Release number of selected component (if applicable):
ovirt-engine-4.0.2.7-0.1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. Add user permissions to vm for user test
2. try to query disks of vm on version 4 api 
  curl -X get --insecure -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Filter: true" -u test@internal:$PWD https://my.engine.com/ovirt-engine/api/vms/$VM_ID/diskattachments

3. try on version 3 api
  curl -X get --insecure -H "Accept: application/xml" -H "Version: 3" -H "Content-Type: application/xml" -H "Filter: true" -u test@internal:$PWD https://my.engine.com/ovirt-engine/api/vms/$VM_ID/disks

Actual results:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<fault>
    <detail>query execution failed due to insufficient permissions.</detail>
    <reason>Operation Failed</reason>
</fault>

Expected results:
query disks of vm
Comment 1 Martin Perina 2016-08-24 04:59:41 UTC 
Targeting 4.0.4 for now. Juan if the cause is not in RESTAPI but Engine, please move to storage team.
Comment 2 Red Hat Bugzilla Rules Engine 2016-08-24 04:59:48 UTC 
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.
Comment 3 Moran Goldboim 2016-08-24 08:24:39 UTC 
changing back priority and severity since it applies only to user level and not admin.
Comment 4 Juan Hernández 2016-08-24 10:53:56 UTC 
The reason for this is that in order to retrieve the disks it is necessary to also retrieve additional information, in particular it is necessary to retrieve the disk attachments, as that is where the "bootable" and "interface" attributes are in version 4 of the API. Apparently the user that has permissions to see the disks doesn't have permission to see the disk attachments, so retrieving that additional data fails, and as a result the complete operation fails. The proposed patch changes the API so that it ignores the failures to retrieve that additional data, but the result will be that the disks won't contain the "bootable" and "interface" attributes. We will probably need additional backend changes to make sure that the user that has permission to see the disks has also permission to see the disk attachments.
Comment 5 Lucie Leistnerova 2016-09-14 08:14:54 UTC 
/vms/$VM_ID/disks version 3 returns disk informations for test user
/vms/$VM_ID/diskattachments version 4 returns disk attachment informations for test user

without header "Filter: true" returns error 'query execution failed due to insufficient permissions.'

verified in ovirt-engine-restapi-4.0.4.2-0.1.el7ev.noarch
Note You need to log in before you can comment on or make changes to this bug.