1420310 – User actions should succeed regardless of 'filter' parameter

Bug 1420310 - User actions should succeed regardless of 'filter' parameter

Summary: User actions should succeed regardless of 'filter' parameter

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-engine
Classification:	oVirt
Component:	RestAPI
Sub Component:
Version:	4.1.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	ovirt-4.2.0
Target Release:	4.2.0
Assignee:	Juan Hernández
QA Contact:	Radim Hrazdil
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1427987
TreeView+	depends on / blocked

Reported:	2017-02-08 12:29 UTC by Daniel Erez
Modified:	2018-04-11 14:56 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Release Note
Doc Text:	With this update, an issue with the the way that the API supports the 'filter' parameter to indicate if results should be filtered according to the permissions of the user has been corrected. Previously, due to the way this was implemented, non-admin users needed to set this parameter for almost all operations, as the default value was 'false'. Now, to simplify the task for non-admin users, this patch changes the default value to 'true', but only for non-admin users. If the value is explicitly given in a request it will be honored.This is a backwards compatibility breaking change, as clients that used non-admin users and did not explicitly provide the 'filter' parameter will start to behave differently. However, this is unlikely, as calls from non-admin users without the 'filter=true' are almost useless. For those unlikely cases where this may be a problem, the patch also introduces a new 'ENGINE_API_FILTER_BY_DEFAULT' configuration parameter: # # This flags indicates if 'filtering' should be enabled by default for # users that aren't administrators. # ENGINE_API_FILTER_BY_DEFAULT="true" If it is necessary to revert to the behavior of previous versions of the engine, it can be achieved by changing this parameter in a configuration file inside the '/etc/ovirt-engine/engine.conf.d' directory. For example: # echo 'ENGINE_API_FILTER_BY_DEFAULT="false"' > \ /etc/ovirt-engine/engine.conf.d/99-filter-by-default.conf # systemctl restart ovirt-engine
Clone Of:
Clones:	1427987 (view as bug list)
Environment:
Last Closed:	2017-12-20 11:24:36 UTC
oVirt Team:	Infra
Embargoed:
Dependent Products:
Flags:	rule-engine: ovirt-4.2+ lsvaty: testing_ack+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
oVirt gerrit	73039	master	MERGED	restapi: Set 'filter=true' by default for non admins	2020-12-09 21:26:08 UTC
oVirt gerrit	73396	ovirt-engine-4.1	MERGED	restapi: Set 'filter=true' by default for non admins	2020-12-09 21:26:09 UTC
oVirt gerrit	74173	ovirt-engine-4.1.1.z	MERGED	restapi: Set 'filter=true' by default for non admins	2020-12-09 21:26:08 UTC

Description Daniel Erez 2017-02-08 12:29:03 UTC

Description of problem:
When a rest-api action is invoked by a user without providing 'filter' parameter, it may fail due to insufficient permissions for the internal queries.
This is problematic for the python sdk which supports 'filter' argument only for service listing (and not for actions).

E.g.
Creating a disk using sdk-python fails due to insufficient permissions for GetStorageDomainListByIdQuery / GetStorageDomainByIdQuery:

disk = disks_service.add(
    disk=types.Disk(
        name='mydisk',
        description='My disk',
        format=types.DiskFormat.RAW,
        provisioned_size=2 * 2**30,
        storage_domains=[
            types.StorageDomain(
                id='43b457ae-e3b6-434d-8a9f-b234b1976e5f',
            ),
        ],
    )
)

Version-Release number of selected component (if applicable):
4.1

How reproducible:
100%

Actual results:
Fails on 'Query execution failed due to insufficient permissions.'

Expected results:
Should succeed if the user has sufficient permissions to perform the action.

Comment 1 Martin Perina 2017-02-22 12:33:20 UTC

Juan is trying to find a definitive solution for that, so targetting now to 4.2 and we can decide to retarget when we have solution ready

Comment 2 Juan Hernández 2017-02-24 11:44:12 UTC

There are many possible solutions to this, all of them quite complicated. The long term solution should be to remove the 'filter' concept and just make all queries filter the results according to the permissions of the user, by default. But doing that is a very large task, far beyond what can be done in the API. The only reasonable solution to this that I see is to make set 'filter=true' the default for non admin users. That is what the proposed patch does. As that is a backwards compatibility breaking change, it also introduces a configuration parameter to revert to the old behavior, for the few cases where the old behavior will actually be needed.

Comment 3 Juan Hernández 2017-02-24 11:51:08 UTC

This could also be back-ported, changing the default value of the parameter to 'false'.

Comment 5 Radim Hrazdil 2017-09-04 13:38:30 UTC

Verified in Version 4.2.0-0.0.master.20170903205106.gitb17261a.el7.centos.

Comment 6 Sandro Bonazzola 2017-12-20 11:24:36 UTC

This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be
resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

Note You need to log in before you can comment on or make changes to this bug.