Bug 1379356 - NetworkAdmin is unable to add network interface to template
Status: CLOSED NOTABUG
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Backend.Core
Version: 4.0.4.3
Hardware: All
OS: Linux
medium
medium
Assignee: Nobody
QA Contact: meital avital
Reported: 2016-09-26 12:53 UTC by Aleksei Slaikovskii
Modified: 2016-10-09 08:24 UTC (History)

Last Closed: 2016-10-09 08:24:37 UTC
oVirt Team: Network
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?


Description Aleksei Slaikovskii 2016-09-26 12:53:51 UTC
Hello!
Related to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1368565 I guess NetworkAdmin now has no permissions to modify a DC entity, right?

Steps to reproduce: same as in bug above but instead of ClusterAdmin role you need to use NetworkAdmin role.

Thank you!

Comment 1 Dan Kenigsberg 2016-09-29 10:34:07 UTC
Moti, what is your opinion? Should a mere NetworkAdmin be allowed to modify the networking facets of a DC-level template?

Comment 2 Moti Asayag 2016-09-29 18:35:46 UTC
Some preview:

Currently, adding a network interface to a template is allowed for a role which contains the 'CONFIGURE_TEMPLATE_NETWORK' action group on both the template and the vnic profile.

NetworkAdmin already contains the CONFIGURE_TEMPLATE_NETWORK action group. If the 'NetworkAdmin' role is granted on the DC, it should be allowed to add vnic to the template.

However, it means that with the current implementation, NetworkAdmin on the network won't be allowed to add a vnic to a template without adding permission either on the template or on the DC.

This behavior is aligned with our MLA model. So if a user who isn't the admin was granted the NetworkAdmin role, he should also be granted permissions for the template or the DC which the template belongs to.

As for the specific question:
It sounds okay to me to allow NetworkAdmin to modify a DC-level entity (template), BUT it isn't aligned with the demand for a VM admin (i.e. ClusterAdmin) to require additional permission on the VM entity on top of the vnic profile/network. This creates some inconsistency in the system.

In addition, such an engine upgrade will lead to a situation where users that were granted NetworkAdmin only will be allowed to modify a template's network configuration. So if an admin wanted to restrict the NetworkAdmin in the system to deal only with Networks and Vnic Profile administration, and to grant the TemplateAdmin role to other users, the user will become more privileged than designed.

The admin of the specific case can grant NetworkAdmin on the DC for the user, and it will allow the user to add vnics to the template, or to use the custom roles to create a role with the exact permitted roles and to assign it to the user for the DC to support both network management and template network management.
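
The check described in comment 2, as an added example that is not part of the original thread and is not oVirt engine code. It assumes a simplified hierarchy (template under the DC, vnic profile under a network under the DC); entity names, the user and the helper functions are constructed for illustration.

```python
# Simplified model of the permission check from comment 2 (not oVirt code).
from dataclasses import dataclass
from typing import Optional

CONFIGURE_TEMPLATE_NETWORK = "CONFIGURE_TEMPLATE_NETWORK"

# Role -> action groups. Only the group named in the thread is modelled.
ROLES = {"NetworkAdmin": {CONFIGURE_TEMPLATE_NETWORK}}

@dataclass(frozen=True)
class Entity:
    name: str
    parent: Optional["Entity"] = None

def has_action_group(grants, user, entity, group):
    """True if `user` holds a role with `group` on `entity` or any ancestor."""
    node = entity
    while node is not None:
        for role in grants.get((user, node.name), ()):
            if group in ROLES[role]:
                return True
        node = node.parent  # permissions are inherited from the parent object
    return False

def can_add_vnic_to_template(grants, user, template, vnic_profile):
    """The action group must be held on BOTH the template and the vnic profile."""
    return (has_action_group(grants, user, template, CONFIGURE_TEMPLATE_NETWORK)
            and has_action_group(grants, user, vnic_profile, CONFIGURE_TEMPLATE_NETWORK))

# Constructed sample hierarchy (assumed layout, see lead-in).
dc = Entity("dc1")
template = Entity("tmpl1", dc)
network = Entity("net1", dc)
profile = Entity("profile1", network)

def evaluate():
    """Evaluate the grant placements discussed in the thread for user 'alice'."""
    scenarios = {
        "network_only": {("alice", "net1"): ["NetworkAdmin"]},
        "template_only": {("alice", "tmpl1"): ["NetworkAdmin"]},
        "network_plus_template": {("alice", "net1"): ["NetworkAdmin"],
                                  ("alice", "tmpl1"): ["NetworkAdmin"]},
        "dc_level": {("alice", "dc1"): ["NetworkAdmin"]},
    }
    return {name: can_add_vnic_to_template(g, "alice", template, profile)
            for name, g in scenarios.items()}

if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The `network_only` case is the one reported in this bug: the vnic profile is covered, the template is not, so the request is denied until a grant is added on the template or the DC.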

Comment 3 Dan Kenigsberg 2016-10-09 08:24:37 UTC
Aleksei, please reopen the bug if defining a custom role of NetworkAdmin+CONFIGURE_TEMPLATE_NETWORK does not satisfy your needs (and explain why).
