Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1389158

Summary: [VM Pool] Group permission UserRole is broken
Product: Red Hat Enterprise Virtualization Manager
Reporter: Germano Veit Michel <gveitmic>
Component: ovirt-engine
Assignee: Shmuel Melamud <smelamud>
Status: CLOSED ERRATA
QA Contact: sefi litmanovich <slitmano>
Severity: high
Docs Contact:
Priority: high
Version: 4.0.3
CC: audgiri, baptiste.agasse, eedri, gklein, lsurette, mgoldboi, michal.skrivanek, mkalinin, oourfali, rbalakri, Rhev-m-bugs, smelamud, srevivo, tjelinek, ykaul
Target Milestone: ovirt-4.0.6
Keywords: ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-10 17:00:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Virt
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Germano Veit Michel 2016-10-27 03:18:07 UTC
Description of problem:

- There is a Pool of VMs
- A permission (UserRole) is added to a group (LDAP)

Users from the group can log in, but cannot attach to VMs.

Version-Release number of selected component (if applicable):
ovirt-engine-4.0.4.4-0.1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. Create a Pool of VMs
2. Permissions -> Add -> Group -> GO -> Select -> OK
3. Use a user from the Group to log in to User Portal (fine)
4. User sees the VM
5. User fails to start the VM (AttachUserToVmFromPoolAndRunCommand fails because user is missing from 'users' table)

Actual results:
User fails to start VM

Expected results:
User is able to start VM

Additional info:

2016-10-26 23:02:26,767 INFO  [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-15) [] User XXX successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2016-10-26 23:02:26,872 INFO  [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-24) [2912b9e9] Running command: CreateUserSessionCommand internal: false.
2016-10-26 23:02:27,927 INFO  [org.ovirt.engine.docs.utils.servlet.ContextSensitiveHelpMappingServlet] (default task-25) [] Successfully read CSH mapping file '/usr/share/doc/rhevm-doc/manual/en-US/csh.conf.d/userportal/10-userportal-en-US.json'
2016-10-26 23:02:30,481 INFO  [org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand] (default task-21) [79c686db] Lock Acquired to object 'EngineLock:{exclusiveLocks='[00000000-0000-0000-0000-000000000000=<USER_VM_POOL, ACTION_TYPE_FAILED_OBJECT_LOCKED>]', sharedLocks='null'}'
2016-10-26 23:02:30,698 INFO  [org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand] (default task-21) [79c686db] Running command: AttachUserToVmFromPoolAndRunCommand internal: false. Entities affected :  ID: ff07cd4c-ffef-45f3-8915-e41ae54f76c5 Type: VmPoolAction group VM_POOL_BASIC_OPERATIONS with role type USER
2016-10-26 23:02:30,749 WARN  [org.ovirt.engine.core.bll.AddPermissionCommand] (default task-21) [73c20662] Validation of action 'AddPermission' failed for user XXX. Reasons: USER_MUST_EXIST_IN_DB
2016-10-26 23:02:30,905 INFO  [org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand] (default task-21) [73c20662] Failed to give user '00000000-0000-0000-0000-000000000000' permission to Vm 'cd267c39-8cd1-444b-9ddb-563e4b20e8b1'
2016-10-26 23:02:31,214 ERROR [org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand] (default task-21) [73c20662] Transaction rolled-back for command 'org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand'.
2016-10-26 23:02:31,295 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-21) [73c20662] Correlation ID: 79c686db, Job ID: b8ab2982-d3e7-41af-9c1d-59b23ecc190f, Call Stack: null, Custom Event ID: -1, Message: Failed to attach User <UNKNOWN> to VM from VM Pool CentOS6-Pool (User: XXX).
2016-10-26 23:02:31,362 INFO  [org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand] (default task-21) [73c20662] Lock freed to object 'EngineLock:{exclusiveLocks='[00000000-0000-0000-0000-000000000000=<USER_VM_POOL, ACTION_TYPE_FAILED_OBJECT_LOCKED>]', sharedLocks='null'}'

User XXX belongs to group ipausers, which has UserRole permissions in this Pool.

From what I can see, when that XXX user logs in for the first time, it's not added to the 'users' table.
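
Added example (not part of the original report and not oVirt code): a small Python scan of engine.log for the failure pattern shown above, where an AddPermission validation fails with USER_MUST_EXIST_IN_DB and the pool attach is then audited as failed. The function name `find_pool_attach_failures` is hypothetical, and the sample input is assembled from the log lines quoted in the report, with the "Running command" line shortened.

```python
import re

# Constructed sample: engine.log lines from the report above (second line shortened).
SAMPLE_LOG = """\
2016-10-26 23:02:26,872 INFO  [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-24) [2912b9e9] Running command: CreateUserSessionCommand internal: false.
2016-10-26 23:02:30,698 INFO  [org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand] (default task-21) [79c686db] Running command: AttachUserToVmFromPoolAndRunCommand internal: false.
2016-10-26 23:02:30,749 WARN  [org.ovirt.engine.core.bll.AddPermissionCommand] (default task-21) [73c20662] Validation of action 'AddPermission' failed for user XXX. Reasons: USER_MUST_EXIST_IN_DB
2016-10-26 23:02:31,214 ERROR [org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand] (default task-21) [73c20662] Transaction rolled-back for command 'org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand'.
2016-10-26 23:02:31,295 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-21) [73c20662] Correlation ID: 79c686db, Job ID: b8ab2982-d3e7-41af-9c1d-59b23ecc190f, Call Stack: null, Custom Event ID: -1, Message: Failed to attach User <UNKNOWN> to VM from VM Pool CentOS6-Pool (User: XXX).
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<level>\w+)\s+\[(?P<logger>[\w.]+)\] "
                  r"\((?P<thread>[^)]+)\) \[(?P<corr>\w*)\] (?P<msg>.*)$")
MISSING = re.compile(r"Validation of action 'AddPermission' failed for user (\S+)\. "
                     r"Reasons: .*\bUSER_MUST_EXIST_IN_DB\b")
AUDIT = re.compile(r"Correlation ID: (\w+),.*Failed to attach User .* to VM from VM Pool "
                   r"(.+?) \(User: ([^)]+)\)")

def find_pool_attach_failures(text):
    """Return one finding per pool attach that failed because the user row is missing."""
    pending = {}   # worker thread -> user named in the USER_MUST_EXIST_IN_DB warning
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack traces and continuation lines
        thread, msg = m["thread"], m["msg"]
        if m["logger"].endswith(".AddPermissionCommand") and (hit := MISSING.search(msg)):
            pending[thread] = hit.group(1)
        elif m["logger"].endswith(".AuditLogDirector") and (hit := AUDIT.search(msg)):
            # The nested AddPermission runs under a new bracketed correlation id,
            # so the worker thread is what ties the warning to the audit line.
            if thread in pending:
                findings.append({"time": m["ts"], "user": hit.group(3),
                                 "pool": hit.group(2), "correlation_id": hit.group(1),
                                 "cause": "USER_MUST_EXIST_IN_DB"})
                del pending[thread]
        elif "Running command: AttachUserToVmFromPoolAndRunCommand" in msg:
            pending.pop(thread, None)  # new attempt on this thread, reset state
    return findings

if __name__ == "__main__":
    for finding in find_pool_attach_failures(SAMPLE_LOG):
        print(finding)
```
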

Comment 3 Marina Kalinin 2016-10-31 13:34:02 UTC
Wondering if this bug and this: bz#1369046 have the same root cause.

Comment 11 sefi litmanovich 2016-11-21 15:01:00 UTC
Verified according to the steps in description on rhevm-4.0.6-0.1.el7ev.noarch

Comment 15 errata-xmlrpc 2017-01-10 17:00:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0043.html