Bug 1369046 - User can't assign CPU profile after upgrade from 3.6 to 4.0
Summary: User can't assign CPU profile after upgrade from 3.6 to 4.0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ovirt-4.1.0-alpha
: ---
Assignee: Andrej Krejcir
QA Contact: Shira Maximov
URL:
Whiteboard:
: 1357995 (view as bug list)
Depends On:
Blocks: 1213937 1371888 1386289
TreeView+ depends on / blocked
 
Reported: 2016-08-22 11:35 UTC by Michal Skrivanek
Modified: 2020-06-11 12:57 UTC (History)
21 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, when checking permissions for a CPU profile, group permissions were not considered. Users that were part of a group could not assign a CPU profile and so could not start a virtual machine. This was fixed by using PermissionDao and correct SQL functions when checking permissions, so group permissions are now considered.
Clone Of:
: 1371888 1386289 (view as bug list)
Environment:
Last Closed: 2017-04-25 00:51:05 UTC
oVirt Team: SLA
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2451221 0 None None None 2020-06-11 12:55:13 UTC
Red Hat Product Errata RHEA-2017:0997 0 normal SHIPPED_LIVE Red Hat Virtualization Manager (ovirt-engine) 4.1 GA 2017-04-18 20:11:26 UTC
oVirt gerrit 62822 0 master MERGED core: Fix cpu profile group permissions 2020-10-20 19:51:40 UTC
oVirt gerrit 63021 0 master MERGED core: Add CDI and unit tests for CpuProfileHelper 2020-10-20 19:51:48 UTC

Description Michal Skrivanek 2016-08-22 11:35:32 UTC 
User can no longer create a VM due to "User doesn't have permissions to assign the cpu profile". Template has that profile, likely. 
There is PowerUser permission inherited on the profile (it's the only one in the cluster). 
This was working in 3.6.8

If an additional permission is needed it should be added automatically
Comment 3 Michal Skrivanek 2016-08-22 11:46:11 UTC 
adding CpuProfileOperator permission on Cluster didn't help
Comment 5 Doron Fediuck 2016-08-22 12:48:50 UTC 
Please see bug 1357995 as this may be dup or related. Are you using IPA?
Comment 6 Michal Skrivanek 2016-08-23 11:05:00 UTC 
(In reply to Doron Fediuck from comment #5)
> Please see bug 1357995 as this may be dup or related. Are you using IPA?

it very well might be related, hard to say, it's not causing an exception, just fails permission check gracefully
Comment 10 Roy Golan 2016-08-28 07:46:05 UTC 
Probably the same goes for 3.6?
Comment 11 Andrej Krejcir 2016-08-29 08:28:38 UTC 
Yes, the bug is in 3.6 and the same fix would work.
Comment 12 Andrej Krejcir 2016-08-30 13:03:41 UTC 
*** Bug 1357995 has been marked as a duplicate of this bug. ***
Comment 22 Shira Maximov 2016-12-26 13:55:47 UTC 
try to verify on : 
ovirt-engine-4.2.0-0.0.master.20161219225535.git893d571.el7.centos.noarch

verification steps:
1) Create a user X, a group  Y , and add the user  to the group
ovirt-aaa-jdbc-tool group-manage show y
Group: y(5bc122fa-e278-4bb0-b0ea-b73435ec6241) members:
  User: x
2) Remove the permissions CpuProfileOperator for 'Everyone' on a CPU profile
3) Add VmCreator permission for the user X on the cluster
4) Try to create a VM with the CPU profile in the userportal - WORK
5) Remove the permissions for the user 'X' and add the same permission for the group 'Y' (in the webadmin)
6) Create VM in the userportal - FAILED
Comment 23 Doron Fediuck 2016-12-26 14:38:23 UTC 
(In reply to Shira Maximov from comment #22)
> try to verify on : 
> ovirt-engine-4.2.0-0.0.master.20161219225535.git893d571.el7.centos.noarch
> 
> verification steps:
> 1) Create a user X, a group  Y , and add the user  to the group
> ovirt-aaa-jdbc-tool group-manage show y
> Group: y(5bc122fa-e278-4bb0-b0ea-b73435ec6241) members:
>   User: x
> 2) Remove the permissions CpuProfileOperator for 'Everyone' on a CPU profile
> 3) Add VmCreator permission for the user X on the cluster
> 4) Try to create a VM with the CPU profile in the userportal - WORK
> 5) Remove the permissions for the user 'X' and add the same permission for
> the group 'Y' (in the webadmin)
> 6) Create VM in the userportal - FAILED

If I understand correctly the original issue was about VMs created from templates, which is not the case here, right?
Also, why are you removing the permissions of X and not trying as a different user from the same group? The point is that removing the permissions as you did it may have removed the permissions for the group as well.
Comment 24 Shira Maximov 2016-12-26 15:04:08 UTC 
The bug can be found when creating VM or creating template,
the problem is that when adding a permission to group the users doesn't inherit the permissions too. 

you can see in this bug : https://bugzilla.redhat.com/show_bug.cgi?id=1371888
in comment 5, the steps for verification that Andrej posted.
Comment 25 Doron Fediuck 2016-12-27 09:17:06 UTC 
(In reply to Shira Maximov from comment #24)
> The bug can be found when creating VM or creating template,
> the problem is that when adding a permission to group the users doesn't
> inherit the permissions too. 
> 
> you can see in this bug : https://bugzilla.redhat.com/show_bug.cgi?id=1371888
> in comment 5, the steps for verification that Andrej posted.

1. Does the group have a CpuProfileOperator permission?
2. Please add the engine log.
Comment 26 Shira Maximov 2016-12-27 16:11:21 UTC 
I'v tested it again on downstream : Red Hat Virtualization Manager Version: 4.1.0-0.3.beta2.el7

and it worked, moving to verified.
Note You need to log in before you can comment on or make changes to this bug.