Bug 1392857 - RFE: provide an admin with a tool for query roles for specific commands
Summary: RFE: provide an admin with a tool for query roles for specific commands
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: RFEs
Version: 4.0.5.5
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified vote
Target Milestone: ---
: ---
Assignee: Scott Herold
QA Contact: Gil Klein
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-08 11:22 UTC by Andrei Stepanov
Modified: 2016-11-17 13:15 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-17 13:15:20 UTC
oVirt Team: Infra
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?


Attachments (Terms of Use)

Description Andrei Stepanov 2016-11-08 11:22:20 UTC
As you know, access control in RHV is based on assigning specific roles for certain groups/users.

However, in case of insufficiency permissions, log shows us some like: 

2016-11-08 11:58:35,040 INFO  [org.ovirt.engine.core.bll.AttachUserToVmFromPoolAndRunCommand] (ajp-/127.0.0.1:8702-4) [350cfcd5] No permission found for user '73a99b02-04b5-4d8d-b94e-5b97fb25e0f4' or one of the groups he is member of, when running action 'AttachUserToVmFromPoolAndRun', Required permissions are: Action type: 'USER' Action group: 'VM_POOL_BASIC_OPERATIONS' Object type: 'VM Pool'  Object ID: 'b3130286-f30c-437e-9aea-71160807ba3b'.

After this admin should guess a role(s) that allows run certain command. (There are can be many of them, as default as well as created by admin.) 

I propose to write a tool that would simplify such guessing.

By providing a list of available roles that grant execution of specific command.

It could be a cmdline tool or a part of adminportal.

Comment 1 Oved Ourfali 2016-11-17 13:15:20 UTC
You can take a look at the roles either in the UI or the API, and find the action group. I don't see us adding and maintaining a utility for that use.
Closing as WONTFIX.


Note You need to log in before you can comment on or make changes to this bug.