User can no longer create a VM due to "User doesn't have permissions to assign the cpu profile". Template has that profile, likely. There is PowerUser permission inherited on the profile (it's the only one in the cluster). This was working in 3.6.8 If an additional permission is needed it should be added automatically
adding CpuProfileOperator permission on Cluster didn't help
Please see bug 1357995 as this may be dup or related. Are you using IPA?
(In reply to Doron Fediuck from comment #5) > Please see bug 1357995 as this may be dup or related. Are you using IPA? it very well might be related, hard to say, it's not causing an exception, just fails permission check gracefully
Probably the same goes for 3.6?
Yes, the bug is in 3.6 and the same fix would work.
*** Bug 1357995 has been marked as a duplicate of this bug. ***
try to verify on : ovirt-engine-4.2.0-0.0.master.20161219225535.git893d571.el7.centos.noarch verification steps: 1) Create a user X, a group Y , and add the user to the group ovirt-aaa-jdbc-tool group-manage show y Group: y(5bc122fa-e278-4bb0-b0ea-b73435ec6241) members: User: x 2) Remove the permissions CpuProfileOperator for 'Everyone' on a CPU profile 3) Add VmCreator permission for the user X on the cluster 4) Try to create a VM with the CPU profile in the userportal - WORK 5) Remove the permissions for the user 'X' and add the same permission for the group 'Y' (in the webadmin) 6) Create VM in the userportal - FAILED
(In reply to Shira Maximov from comment #22) > try to verify on : > ovirt-engine-4.2.0-0.0.master.20161219225535.git893d571.el7.centos.noarch > > verification steps: > 1) Create a user X, a group Y , and add the user to the group > ovirt-aaa-jdbc-tool group-manage show y > Group: y(5bc122fa-e278-4bb0-b0ea-b73435ec6241) members: > User: x > 2) Remove the permissions CpuProfileOperator for 'Everyone' on a CPU profile > 3) Add VmCreator permission for the user X on the cluster > 4) Try to create a VM with the CPU profile in the userportal - WORK > 5) Remove the permissions for the user 'X' and add the same permission for > the group 'Y' (in the webadmin) > 6) Create VM in the userportal - FAILED If I understand correctly the original issue was about VMs created from templates, which is not the case here, right? Also, why are you removing the permissions of X and not trying as a different user from the same group? The point is that removing the permissions as you did it may have removed the permissions for the group as well.
The bug can be found when creating VM or creating template, the problem is that when adding a permission to group the users doesn't inherit the permissions too. you can see in this bug : https://bugzilla.redhat.com/show_bug.cgi?id=1371888 in comment 5, the steps for verification that Andrej posted.
(In reply to Shira Maximov from comment #24) > The bug can be found when creating VM or creating template, > the problem is that when adding a permission to group the users doesn't > inherit the permissions too. > > you can see in this bug : https://bugzilla.redhat.com/show_bug.cgi?id=1371888 > in comment 5, the steps for verification that Andrej posted. 1. Does the group have a CpuProfileOperator permission? 2. Please add the engine log.
I'v tested it again on downstream : Red Hat Virtualization Manager Version: 4.1.0-0.3.beta2.el7 and it worked, moving to verified.