Bug 1373546 - explicit required permissions for the RHEV provider user
Summary: explicit required permissions for the RHEV provider user
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Documentation
Version: 5.6.0
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: GA
: 5.7.0
Assignee: Red Hat CloudForms Documentation
QA Contact: Red Hat CloudForms Documentation
URL:
Whiteboard: doc
Duplicates: 1430683
Depends On:
Blocks: 1480288 1511957
Reported: 2016-09-06 14:46 UTC by Colin Arnott
Modified: 2022-03-13 14:06 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-04 04:42:51 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:

Description Colin Arnott 2016-09-06 14:46:44 UTC
Document URL: 
https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/managing-providers/#adding_a_red_hat_enterprise_virtualization_manager_provider

Section Number and Name: 
1.2.1.8 Adding a Red Hat Enterprise Virtualization Manager Provider: Credentials

Describe the issue: 
The RHEV provider currently requires the admin@internal account; my security standards prevent me from giving carte blanche access to my RHEV environment. Can you please enumerate the permissions required by CFME so that I can use least privilege when creating the CFME user for RHEV.

Suggestions for improvement: 
Add a section indicating required permissions for the RHEV provider.

Additional information:

Comment 2 Oved Ourfali 2016-09-20 19:06:21 UTC
Marianne - I'll be happy to help, but can you elaborate on what information is missing?

Comment 4 Andrew Dahms 2017-03-13 22:40:52 UTC
*** Bug 1430683 has been marked as a duplicate of this bug. ***

Comment 5 Andrew Dahms 2017-03-13 22:43:11 UTC
Hi Oved,

Just to follow up on this request, my understanding of what is required is as follows -

If a user wants to use an account other than 'admin@internal' to authenticate a RHV provider in CloudForms, what permissions or roles in the RHV environment are required so that the RHV provider can do everything it needs to in CloudForms?

Does that make sense?

Let us know if you have any details, or if you need any extra clarification.

Kind regards,

Andrew

Comment 7 Marianne Feifer 2017-10-03 18:56:17 UTC
Andrew, can you take a look and see what needs to be done, if anything?

Comment 8 Andrew Dahms 2017-10-04 23:10:07 UTC
Hi Marianne,

Thank you for the needinfo request.

This bug falls under the larger umbrella of the service accounts discussion we held earlier in the year, and I have just written a response to that to see if there is anything we can do across the board in 4.6.

If it looks like we cannot address this question for all providers, we will look at RHV specifically and see what we can do to resolve this bug during the 4.6 time frame.

Kind regards,

Andrew

Comment 9 Marianne Feifer 2017-10-27 18:51:34 UTC
Any updates?

Comment 13 Andrew Dahms 2018-04-04 04:42:51 UTC
Thank you for raising this bug.

After further discussion with the program team, we have been given the advice not to document specific permissions for service accounts at this time based on the following article -

http://cloudformsblog.redhat.com/2017/08/16/security-management-operations/

As such, I will be closing this bug for now, but we can re-investigate this request again in the future if required.
