Bug 1389158 - [VM Pool] Group permission UserRole is broken
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.0.3
Hardware: x86_64 Linux
Priority: high
Severity: high
Target Milestone: ovirt-4.0.6
Assigned To: Shmuel Melamud
QA Contact: sefi litmanovich
Keywords: ZStream
Reported: 2016-10-26 23:18 EDT by Germano Veit Michel
Modified: 2017-04-03 06:30 EDT
Last Closed: 2017-01-10 12:00:20 EST
Type: Bug
oVirt Team: Virt

External Trackers
| Tracker | ID | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|
| Red Hat Knowledge Base (Solution) | 2745941 | None | None | None | 2016-11-03 04:43 EDT |
| Red Hat Product Errata | RHBA-2017:0043 | normal | SHIPPED_LIVE | Red Hat Virtualization Manager 4.0.6 | 2017-01-10 16:52:43 EST |

Description Germano Veit Michel 2016-10-26 23:18:07 EDT
Description of problem:

- There is a Pool of VMs
- A permission (UserRole) is added to a group (LDAP)

Users from the group can log in, but cannot attach to VMs.

Version-Release number of selected component (if applicable):
ovirt-engine-4.0.4.4-0.1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. Create a Pool of VMs
2. Permissions -> Add -> Group -> GO -> Select -> OK
3. Use a user from the Group to login to User Portal (fine)
4. User sees the VM
5. User fails to start the VM (AttachUserToVmFromPoolAndRunCommand fails because user is missing from 'users' table)

Actual results:
User fails to start VM

Expected results:
User is able to start VM

Additional info:

2016-10-26 23:02:26,767 INFO  [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-15) [] User XXX@ipa.rhevlab successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2016-10-26 23:02:26,872 INFO  [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-24) [2912b9e9] Running command: CreateUserSessionCommand internal: false.
2016-10-26 23:02:27,927 INFO  [org.ovirt.engine.docs.utils.servlet.ContextSensitiveHelpMappingServlet] (default task-25) [] Successfully read CSH mapping file '/usr/share/doc/rhevm-doc/manual/en-US/csh.conf.d/userportal/10-userportal-en-US.json'
2016-10-26 23:02:30,481 INFO  [org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand] (default task-21) [79c686db] Lock Acquired to object 'EngineLock:{exclusiveLocks='[00000000-0000-0000-0000-000000000000=<USER_VM_POOL, ACTION_TYPE_FAILED_OBJECT_LOCKED>]', sharedLocks='null'}'
2016-10-26 23:02:30,698 INFO  [org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand] (default task-21) [79c686db] Running command: AttachUserToVmFromPoolAndRunCommand internal: false. Entities affected :  ID: ff07cd4c-ffef-45f3-8915-e41ae54f76c5 Type: VmPoolAction group VM_POOL_BASIC_OPERATIONS with role type USER
2016-10-26 23:02:30,749 WARN  [org.ovirt.engine.core.bll.AddPermissionCommand] (default task-21) [73c20662] Validation of action 'AddPermission' failed for user XXX@ipa.rhevlab-authz. Reasons: USER_MUST_EXIST_IN_DB
2016-10-26 23:02:30,905 INFO  [org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand] (default task-21) [73c20662] Failed to give user '00000000-0000-0000-0000-000000000000' permission to Vm 'cd267c39-8cd1-444b-9ddb-563e4b20e8b1'
2016-10-26 23:02:31,214 ERROR [org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand] (default task-21) [73c20662] Transaction rolled-back for command 'org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand'.
2016-10-26 23:02:31,295 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-21) [73c20662] Correlation ID: 79c686db, Job ID: b8ab2982-d3e7-41af-9c1d-59b23ecc190f, Call Stack: null, Custom Event ID: -1, Message: Failed to attach User <UNKNOWN> to VM from VM Pool CentOS6-Pool (User: XXX@ipa.rhevlab-authz).
2016-10-26 23:02:31,362 INFO  [org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand] (default task-21) [73c20662] Lock freed to object 'EngineLock:{exclusiveLocks='[00000000-0000-0000-0000-000000000000=<USER_VM_POOL, ACTION_TYPE_FAILED_OBJECT_LOCKED>]', sharedLocks='null'}'

User XXX belongs to group ipausers, which has UserRole permissions in this Pool.

From what I can see, when that XXX user logs in for the first time, it's not added to the 'users' table.
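
A log-triage sketch for the failure signature in the excerpt above, added here as an example and not part of the original report or of ovirt-engine: it groups engine.log entries by the bracketed flow ID and reports flows where the AddPermission validation failed with USER_MUST_EXIST_IN_DB, the grant to the all-zero user ID failed, and the attach command was rolled back. The function name and the last sample line are constructed for illustration; the other sample lines are copied from the report.

```python
import re
from collections import defaultdict

# engine.log layout as seen in the report:
# timestamp LEVEL [logger] (thread) [flow id] message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>\w+)\s+"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) \[(?P<flow>[^\]]*)\] (?P<msg>.*)$"
)
NOT_IN_DB = re.compile(
    r"Validation of action 'AddPermission' failed for user (\S+?)\. "
    r"Reasons: .*USER_MUST_EXIST_IN_DB"
)
NIL_USER = re.compile(
    r"Failed to give user '00000000-0000-0000-0000-000000000000' "
    r"permission to Vm '([0-9a-f-]{36})'"
)
ROLLBACK = "Transaction rolled-back for command"
ATTACH = "AttachUserToVmFromPoolAndRunCommand"

def find_unprovisioned_pool_users(lines):
    """Return one record per flow ID that shows all three signature events."""
    flows = defaultdict(dict)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # stack traces and wrapped lines carry no header
        flow, msg = flows[m["flow"]], m["msg"]
        if (hit := NOT_IN_DB.search(msg)):
            flow["user"], flow["first_seen"] = hit.group(1), m["ts"]
        elif (hit := NIL_USER.search(msg)):
            flow["vm"] = hit.group(1)
        elif ROLLBACK in msg and ATTACH in msg:
            flow["rolled_back"] = True
    required = {"user", "vm", "rolled_back"}
    return [{"flow": fid, **f} for fid, f in flows.items() if f.keys() >= required]

SAMPLE_LINES = [
    "2016-10-26 23:02:30,749 WARN  [org.ovirt.engine.core.bll.AddPermissionCommand] (default task-21) [73c20662] Validation of action 'AddPermission' failed for user XXX@ipa.rhevlab-authz. Reasons: USER_MUST_EXIST_IN_DB",
    "2016-10-26 23:02:30,905 INFO  [org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand] (default task-21) [73c20662] Failed to give user '00000000-0000-0000-0000-000000000000' permission to Vm 'cd267c39-8cd1-444b-9ddb-563e4b20e8b1'",
    "2016-10-26 23:02:31,214 ERROR [org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand] (default task-21) [73c20662] Transaction rolled-back for command 'org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand'.",
    # Constructed line: an unrelated rollback that must not be reported.
    "2016-10-26 23:05:00,000 ERROR [org.ovirt.engine.core.bll.RunVmCommand] (default task-3) [1a2b3c4d] Transaction rolled-back for command 'org.ovirt.engine.core.bll.RunVmCommand'.",
]

if __name__ == "__main__":
    for finding in find_unprovisioned_pool_users(SAMPLE_LINES):
        print(finding)
```

Each reported user is a principal who authenticated and holds pool access only through a group, so the list doubles as the set of accounts to re-test after upgrading to the fixed build.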
Comment 3 Marina 2016-10-31 09:34:02 EDT
Wondering if this bug and this: bz#1369046 have some root cause.
Comment 11 sefi litmanovich 2016-11-21 10:01:00 EST
Verified according to the steps in description on rhevm-4.0.6-0.1.el7ev.noarch
Comment 15 errata-xmlrpc 2017-01-10 12:00:20 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0043.html
