Bug 1391092 - [User Portal] not authorized popup when changing cluster with UserVmManager role
Summary: [User Portal] not authorized popup when changing cluster with UserVmManager role
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Frontend.UserPortal
Version: 4.0.5.5
Hardware: Unspecified
OS: Unspecified
unspecified
low vote
Target Milestone: ---
: ---
Assignee: bugs@ovirt.org
QA Contact: Pavel Stehlik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-02 14:28 UTC by Jiri Belka
Modified: 2016-11-03 13:26 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-03 13:26:42 UTC
oVirt Team: Virt
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Jiri Belka 2016-11-02 14:28:39 UTC 
Description of problem:

Even an user has UserVmManager and can practically change the cluster (ie. it does have effect), there's still a popup windows with:

~~~
Operation Canceled

Error while executing action: 

jb-w7-x64:•User is not authorized to perform this action
~~~


~~~
...2016-11-02 13:15:13,899 DEBUG [org.ovirt.engine.core.bll.UpdateVmCommand] (default task-15) [f2a37a1] Checking whether user '49f5f326-5c61-436f-801c-e35b32a778df' or one of the groups he is member of, have the fo
llowing permissions:  ID: cb8b1462-3cb6-4bf0-b7e4-28be5702b6ac Type: VMAction group EDIT_VM_PROPERTIES with role type USER,  ID: cb8b1462-3cb6-4bf0-b7e4-28be5702b6ac Type: VMAction group EDIT_ADMIN_VM_PROPERTIES 
with role type ADMIN
2016-11-02 13:15:13,902 DEBUG [org.ovirt.engine.core.bll.UpdateVmCommand] (default task-15) [f2a37a1] Found permission '41dad25d-8ad0-4fb5-ba50-994ad3411e4d' for user when running 'UpdateVm', on 'VM' with id 'cb8
b1462-3cb6-4bf0-b7e4-28be5702b6ac'
2016-11-02 13:15:13,904 DEBUG [org.ovirt.engine.core.bll.UpdateVmCommand] (default task-15) [f2a37a1] No permission found for user when running action 'UpdateVm', on object 'VM' for action group 'EDIT_ADMIN_VM_PR
OPERTIES' with id 'cb8b1462-3cb6-4bf0-b7e4-28be5702b6ac'.
2016-11-02 13:15:13,904 INFO  [org.ovirt.engine.core.bll.UpdateVmCommand] (default task-15) [f2a37a1] No permission found for user '49f5f326-5c61-436f-801c-e35b32a778df' or one of the groups he is member of, when
 running action 'UpdateVm', Required permissions are: Action type: 'ADMIN' Action group: 'EDIT_ADMIN_VM_PROPERTIES' Object type: 'VM'  Object ID: 'cb8b1462-3cb6-4bf0-b7e4-28be5702b6ac'.
2016-11-02 13:15:13,904 WARN  [org.ovirt.engine.core.bll.UpdateVmCommand] (default task-15) [f2a37a1] Validation of action 'UpdateVm' failed for user user1.com.com. Reasons: VAR__ACTION__UPDATE,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
~~~

Version-Release number of selected component (if applicable):
ovirt-engine-userportal-4.0.5.5-0.1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. have an user with UserVmManager role and an assigned VM
2. edit VM
3. change cluster (you have to have at least 2 clusters in same DC)

Actual results:
auth popup

Expected results:
either there should be no popup as the change did have the effect or the change should not be done at all and popup should have senseful message

Additional info:
Comment 2 Tomas Jelinek 2016-11-03 12:20:25 UTC 
The operation of changing the cluster has 2 steps:
1: calling the ChangeCluster command - this one passed for you, this is why you see it as the change did have effect.
2: calling the UpdateVm - this did not pass because you missed the EDIT_ADMIN_VM_PROPERTIES. This permission is checked only if the host or the CPU pinning is changed.

Could you please make sure the change of the cluster did not cause changes in the host/cpu pinning?
Comment 3 Jiri Belka 2016-11-03 13:26:42 UTC 
No idea why but I cannot reproduce, but I updated hosts. Anyway I can't reproduce today on 4.0.5-6 with hosts which up-to-date vdsm etc.
Note You need to log in before you can comment on or make changes to this bug.