+++ This bug is an upstream to downstream clone. The original bug is: +++
+++ bug 1420310 +++
======================================================================

Description of problem:
When a rest-api action is invoked by a user without providing 'filter' parameter, it may fail due to insufficient permissions for the internal queries. This is problematic for the python sdk which supports 'filter' argument only for service listing (and not for actions).

E.g. Creating a disk using sdk-python fails due to insufficient permissions for GetStorageDomainListByIdQuery / GetStorageDomainByIdQuery:

    disk = disks_service.add(
        disk=types.Disk(
            name='mydisk',
            description='My disk',
            format=types.DiskFormat.RAW,
            provisioned_size=2 * 2**30,
            storage_domains=[
                types.StorageDomain(
                    id='43b457ae-e3b6-434d-8a9f-b234b1976e5f',
                ),
            ],
        )
    )

Version-Release number of selected component (if applicable):
4.1

How reproducible:
100%

Actual results:
Fails on 'Query execution failed due to insufficient permissions.'

Expected results:
Should succeed if the user has sufficient permissions to perform the action.

(Originally by Daniel Erez)
Juan is trying to find a definitive solution for that, so targeting now to 4.2 and we can decide to retarget when we have a solution ready (Originally by Martin Perina)
There are many possible solutions to this, all of them quite complicated. The long term solution should be to remove the 'filter' concept and just make all queries filter the results according to the permissions of the user, by default. But doing that is a very large task, far beyond what can be done in the API. The only reasonable solution to this that I see is to make 'filter=true' the default for non-admin users. That is what the proposed patch does. As that is a backwards compatibility breaking change, it also introduces a configuration parameter to revert to the old behavior, for the few cases where the old behavior will actually be needed. (Originally by juan.hernandez)
This could also be back-ported, changing the default value of the parameter to 'false'. (Originally by juan.hernandez)
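Added example, not part of the original bug comments and not oVirt engine code: a simplified Python model of the behavior discussed above, showing why an action's internal query fails for a non-admin user when 'filter' is unset and how defaulting it to true for non-admin users changes the outcome. The names FILTER_BY_DEFAULT_FOR_USERS, User, effective_filter, get_storage_domain_by_id and add_disk are hypothetical, and the sample user data is constructed.

```python
from dataclasses import dataclass, field

# Hypothetical stand-in for the configuration parameter mentioned in the
# comments; the bug report does not give its real name.
FILTER_BY_DEFAULT_FOR_USERS = True


class InsufficientPermissions(Exception):
    pass


@dataclass
class User:
    name: str
    is_admin: bool
    # Constructed sample data: storage domain ids the user has permissions on.
    permitted_domains: set = field(default_factory=set)


def effective_filter(user, requested=None, default_for_users=None):
    """Resolve the 'filter' value for one request."""
    if requested is not None:      # an explicit value always wins
        return requested
    if user.is_admin:              # admins keep unfiltered queries
        return False
    if default_for_users is None:
        default_for_users = FILTER_BY_DEFAULT_FOR_USERS
    return default_for_users


def get_storage_domain_by_id(user, domain_id, filtered):
    """Model of an internal query that an action runs on the user's behalf."""
    if not filtered:
        if not user.is_admin:      # unfiltered queries are admin-only
            raise InsufficientPermissions(
                "Query execution failed due to insufficient permissions.")
        return domain_id
    # Filtered: the result is restricted to objects the user may see.
    return domain_id if domain_id in user.permitted_domains else None


def add_disk(user, domain_id, requested_filter=None, default_for_users=None):
    """Model of the 'add disk' action; it looks up the target storage domain."""
    filtered = effective_filter(user, requested_filter, default_for_users)
    domain = get_storage_domain_by_id(user, domain_id, filtered)
    if domain is None:
        raise InsufficientPermissions("storage domain not visible to user")
    return {"name": "mydisk", "storage_domain": domain}
```

In this model, passing default_for_users=False reproduces the old behavior that the configuration parameter is meant to restore.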
It missed the 4.1.1.5 build
Created attachment 1270457
Python SDK StorageAdmin disk creation

Verified on ovirt-engine-4.1.1.8-0.1.el7.noarch, python-ovirt-engine-sdk4-4.1.3-1.el7ev.x86_64
Byron, I did a small edit to the doc text to remove the "this patch ..." words, as that makes sense in the description of the patch, but not in the release note. I'd appreciate it if you can review the text again.