1368565 – ClusterAdmin is unable to add network interface to template

Bug 1368565 - ClusterAdmin is unable to add network interface to template

Summary: ClusterAdmin is unable to add network interface to template

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	ovirt-engine
Classification:	oVirt
Component:	Backend.Core
Sub Component:
Version:	4.0.2.7
Hardware:	All
OS:	All
Priority:	unspecified
Severity:	medium vote
Target Milestone:	---
Target Release:	---
Assignee:	Nobody
QA Contact:	meital avital
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-08-19 18:52 UTC by Lukas Svaty
Modified:	2016-08-24 08:21 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-08-24 08:21:15 UTC
oVirt Team:	Network
Dependent Products:
Flags:	rule-engine: planning_ack? rule-engine: devel_ack? rule-engine: testing_ack?

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Lukas Svaty 2016-08-19 18:52:18 UTC

Description of problem:
User with clusterAdmin permissions on DC are not able to add nic to template

Version-Release number of selected component (if applicable):
ovirt-engine-4.0.2.7-0.1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. to dc add user with ClusterAdmin permissions
2. login as user
3. try to add nic to template within mentioned dc

Actual results:
Error while executing action:

template:
    User is not authorized to perform this action.

Expected results:
Success

Comment 1 Tomas Jelinek 2016-08-24 06:28:14 UTC

Could you please provide the engine logs? They should contain a message about the particular permission needed.

Comment 2 Lukas Svaty 2016-08-24 07:24:20 UTC

2016-08-24 07:23:52,032 INFO  [org.ovirt.engine.core.bll.network.template.AddVmTemplateInterfaceCommand] (default task-14) [5ed10d4e] No permission found for user 'c4f22c4e-c66a-4fe3-9992-3a5797d4aa5d' or one of the groups he is member of, when running action 'AddVmTemplateInterface', Required permissions are: Action type: 'USER' Action group: 'CONFIGURE_TEMPLATE_NETWORK' Object type: 'Template'  Object ID: '53ef39b0-be45-495b-9b76-7d8f598f476f'.
2016-08-24 07:23:52,033 WARN  [org.ovirt.engine.core.bll.network.template.AddVmTemplateInterfaceCommand] (default task-14) [5ed10d4e] Validation of action 'AddVmTemplateInterface' failed for user user1@internal-authz. Reasons: VAR__TYPE__INTERFACE,VAR__ACTION__ADD,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

Comment 3 Tomas Jelinek 2016-08-24 07:47:52 UTC

OK, it seems the ClusterAdmin has the CONFIGURE_VM_NETWORK (e.g. Assign vNIC Profile to VM) but is missing the CONFIGURE_TEMPLATE_NETWORK (e.g. Assign vNIC Profile to Template)

Moving to network for further investigation.

Comment 4 Dan Kenigsberg 2016-08-24 08:21:15 UTC

Templates sit in the DC and shared among all clusters. A cluster admin should not modify a DC entity.

Note You need to log in before you can comment on or make changes to this bug.