Bug 1449845
| Summary: | Domain user cannot get vv file via restapi | ||
|---|---|---|---|
| Product: | [oVirt] ovirt-engine | Reporter: | Jiri Belka <jbelka> |
| Component: | AAA | Assignee: | Ravi Nori <rnori> |
| Status: | CLOSED WORKSFORME | QA Contact: | Gonza <grafuls> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.1.2 | CC: | bugs, jbelka, mperina |
| Target Milestone: | ovirt-4.1.3 | Flags: | rule-engine: ovirt-4.1+ |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-05-15 14:27:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Jiri Belka
2017-05-10 21:33:03 UTC
ovirt-engine-4.1.2.1-0.1.el7.noarch

(In reply to Jiri Belka from comment #0)
> Description of problem:
>
> While verifying BZ1439611 I tried to logon and get
> remoteviewerconnectionfile as a domain user, the result was 'Unauthorized'.
> The above sequence worked for admin@internal, so I gave my domain user
> UserVmManager (again Unauthorized) and SuperUser role and still same failure.
>
> ...
> 2017-05-10 23:24:41,398+02 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-4) [] User vdcadmin successfully logged in with scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
> ...
> 2017-05-10 23:24:41,437+02 DEBUG [org.ovirt.engine.core.bll.Backend] (default task-30) [] Executing command CreateUserSession.
> 2017-05-10 23:24:41,486+02 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-30) [403c8928] EVENT_ID: USER_VDC_LOGIN_FAILED(114), Correlation ID: 403c8928, Call Stack: null, Custom Event ID: -1, Message: User SYSTEM failed to log in.
> 2017-05-10 23:24:41,499+02 ERROR [org.ovirt.engine.core.aaa.SsoUtils] (default task-30) [] User 'vdcadmin' login failed: WFLYEJB0442: Unexpected Error
> 2017-05-10 23:24:41,499+02 DEBUG [org.ovirt.engine.core.aaa.SsoUtils] (default task-30) [] User 'vdcadmin' login failed: javax.ejb.EJBException: WFLYEJB0442: Unexpected Error
>   at org.jboss.as.ejb3.tx.CMTTxInterceptor.handleExceptionInNoTx(CMTTxInterceptor.java:210) [wildfly-ejb3-7.0.5.GA-redhat-2.jar:7.0.5.GA-redhat-2]
>   at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInNoTx(CMTTxInterceptor.java:265) [wildfly-ejb3-7.0.5.GA-redhat-2.jar:7.0.5.GA-redhat-2]
>   at org.jboss.as.ejb3.tx.CMTTxInterceptor.supports(CMTTxInterceptor.java:374) [wildfly-ejb3-7.0.5.GA-redhat-2.jar:7.0.5.GA-redhat-2]
>   at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:243) [wildfly-ejb3-7.0.5.GA-redhat-2.jar:7.0.5.GA-redhat-2]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> ...
>
> I suppose it should work.
>
> Version-Release number of selected component (if applicable):
>
>
> How reproducible:
>
>
> Steps to Reproduce:
> 1. have a running vm and assign UserRole for a domain user
> 2. get 'logon' via restapi
> 3. post 'remoteviewerconnectionfile' via restapi
> 4. try to add UserVmManager and SuperUser role for the domain user
>
> Actual results:
> unauthorized for step '3.' and '4.'
>
> Expected results:
> UserRole should get vv file via restapi
>
> Additional info:
> curl -k -X POST -H 'Version: 4' -H 'Accept: application/xml' \
>   -H 'Content-Type: application/xml' -H 'Accept: application/x-virt-viewer' \
>   -u ${USERCRED} -d '<action />' \
>   https://${ENGINE}/ovirt-engine/api/vms/${VMID}/logon
>
> curl -k -X POST -H 'Version: 4' -H 'Accept: application/xml' \
>   -H 'Content-Type: application/xml' -H 'Accept: application/x-virt-viewer' \
>   -u ${USERCRED} -d '<action />' \
>   https://${ENGINE}/ovirt-engine/api/vms/${VMID}/graphicsconsoles/${CONSOLEID}/remoteviewerconnectionfile
>
> save output starting with '[virt-viewer]' and ending with '\n' into a file
> and run remote-viewer $file (this worked only when I tried with
> admin@internal)

If you are accessing RESTAPI with a non-admin user, you need to pass the "filter=true" option to get objects by user permissions (otherwise you will receive no objects). Could you please retest?

curl -k -X POST -H 'Version: 4' -H 'Accept: application/xml' -H 'Filter: true' \
  -H 'Content-Type: application/xml' -H 'Accept: application/x-virt-viewer' \
  -u ${USERCRED} -d '<action />' \
  https://${ENGINE}/ovirt-engine/api/vms/${VMID}/logon

curl -k -X POST -H 'Version: 4' -H 'Accept: application/xml' \
  -H 'Content-Type: application/xml' -H 'Accept: application/x-virt-viewer' \
  -H 'Filter: true' -u ${USERCRED} -d '<action />' \
  https://${ENGINE}/ovirt-engine/api/vms/${VMID}/graphicsconsoles/${CONSOLEID}/remoteviewerconnectionfile

I am unable to reproduce this on master with a user who has UserRole system permissions.

I can't reproduce this with a user who has UserRole on the VM and no other permissions.

(In reply to Ravi Nori from comment #6)
> I can't reproduce this with a user who has UserRole on the VM and no other
> permissions.

I can't reproduce on latest env - ovirt-engine-4.1.2.2-0.1.el7.noarch - as well. Feel free to close this BZ.
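
The retest flow from this thread as a script (an added example, not part of the bug report or of oVirt's code): both POSTs carry `Filter: true`, the HTTP status is checked after each call, and the `[virt-viewer]` section is saved with owner-only permissions. `ENGINE_CA` (a CA file used in place of `-k`), the function names, success being reported as HTTP 200, and the XML wrapper handled by `extract_vv` are assumptions.

```sh
#!/bin/sh
# Added example, not part of the bug report. ENGINE, VMID, CONSOLEID and
# USERCRED are the thread's placeholders; ENGINE_CA and the function names
# are assumptions of this sketch.

# POST an empty action with the thread's headers plus 'Filter: true', so the
# engine answers from the calling user's own permissions.
# $1 = URL, $2 = file for the response body; prints the HTTP status code.
engine_post() {
    curl -sS --cacert "$ENGINE_CA" -X POST \
        -H 'Version: 4' -H 'Filter: true' -H 'Content-Type: application/xml' \
        -H 'Accept: application/xml' -H 'Accept: application/x-virt-viewer' \
        -u "$USERCRED" -d '<action />' -o "$2" -w '%{http_code}' "$1"
}

# Read a response on stdin and print the connection file: from the first
# '[virt-viewer]' up to (not including) a line holding a closing XML tag,
# in case the body is wrapped in XML (assumed). Exit status 1 when the
# section is absent, e.g. when the body is an error document.
extract_vv() {
    awk '
        !found { i = index($0, "[virt-viewer]"); if (!i) next
                 $0 = substr($0, i); found = 1 }
        /<\//  { exit }
               { print }
        END    { exit !found }'
}

# Run both calls and write the connection file to $1. The file carries a
# console ticket, so it is created readable by the caller only.
fetch_vv() {
    base="https://${ENGINE}/ovirt-engine/api/vms/${VMID}"
    tmp=$(mktemp) || return 1
    for path in logon "graphicsconsoles/${CONSOLEID}/remoteviewerconnectionfile"; do
        code=$(engine_post "${base}/${path}" "$tmp") || code=curl-error
        if [ "$code" != 200 ]; then   # assumed success status
            echo "POST ${path}: ${code}" >&2
            rm -f "$tmp"
            return 1
        fi
    done
    ( umask 077; extract_vv < "$tmp" > "$1" )
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

With the four placeholders and `ENGINE_CA` exported, `fetch_vv console.vv && remote-viewer console.vv` reproduces the manual steps.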