Description of problem: Users don't get set with UserVmManager role on the VMs they have imported. How reproducible: Always Steps to Reproduce: 1. Create a VM and export it 2. Import back the VM 3. The imported VM has no UserVmManager role Actual results: The imported VM has no UserVmManager role Expected results: The user that ran the import is set with UserVmManager role on the imported VM. Additional info:
You have imported it as an admin, correct? If that is the case than this is by design as admins do not get UserVmManager on VMs automatically. Users do.
I used a local user to do the imports. Step-by-step: - Create a local user - Grant permissions to create VMs in DEV1 cluster: LocalUserA -> [PowerUserRole] -> DEV1 (Cluster) LocalUserA -> [PowerUserRole] -> SAN (Storage) - Login to the user portal and create a small VM (vm-bug1451501-01) UserVmManager role is granted to LocalUserA on vm-bug1451501-01. - Grant permissions to import/export VMs LocalUserA -> [VmImporterExporter] -> DEV1 (Cluster) LocalUserA -> [VmImporterExporter] -> SAN (Storage) LocalUserA -> [VmImporterExporter] -> SAN-Export (Storage) - Login to the Admin Portal and export vm-bug1451501-01 - Import back the vm-bug1451501-01 Import options: Collapse Snapshots, Clone, Change name to vm-bug1451501-01_Import Role UserVmManager is not set for vm-bug1451501-01_Import I was expecting UserVmManager to be granted for LocalUserA on vm-bug1451501-01_Import.
While I agree it is confusing it is actually right. Comments inline (In reply to Peter Blajev from comment #2) > I used a local user to do the imports. > > Step-by-step: > > - Create a local user > > - Grant permissions to create VMs in DEV1 cluster: > > LocalUserA -> [PowerUserRole] -> DEV1 (Cluster) > LocalUserA -> [PowerUserRole] -> SAN (Storage) > > - Login to the user portal and create a small VM (vm-bug1451501-01) > UserVmManager role is granted to LocalUserA on vm-bug1451501-01. yes, because when you login to user portal you act as a "user" so if you create a VM, this permission is granted on all VMs you create. If it was not, you would create a VM you would not be able to see/use. > > - Grant permissions to import/export VMs > > LocalUserA -> [VmImporterExporter] -> DEV1 (Cluster) > LocalUserA -> [VmImporterExporter] -> SAN (Storage) > LocalUserA -> [VmImporterExporter] -> SAN-Export (Storage) > > - Login to the Admin Portal and export vm-bug1451501-01 > > - Import back the vm-bug1451501-01 > Import options: Collapse Snapshots, Clone, Change name to > vm-bug1451501-01_Import yes, but you are now in admin portal and you are an admin. So if you create/import a VM from webadmin, this permission is not granted. You can still operate this VM since you are an admin. > > Role UserVmManager is not set for vm-bug1451501-01_Import > > I was expecting UserVmManager to be granted for LocalUserA on > vm-bug1451501-01_Import. To fix this I see two options: 1: add an option to import the VM from userportal (and implement the backend part to actually grant the permission) 2: add some checkbox to import VM dialog that "grant me the UserVmManager" similar to "copy template permissions" in create VM from template. But while I see the point in having this "copy template permissions", this "grant me the UserVmManager" seems strange to me. Long story short, since this is exposed only in webadmin, if you import the VM, it is easy to add the permission at the imported VM manually. So, Im closing this as wont fix. If this is really important for you, please feel free to reopen with an explanation why is it important for you and we well scrub and prioritize it as a feature request. Thank you.
OK, I guess the extra steps made it confusing, my fault. In summary: THERE IS NO WAY AN USER TO IMPORT A VM AND HAVE FULL PERMISSIONS TO WORK WITH THIS VM. Here is a simplified step-by-step way to reproduce the problem. Try it or ignore it, I don't really care anymore. At the end I put a response to your answer. - Create a local user called LocalUserA - Grant permissions to create VMs in DEV1 cluster and Import/Export VMs: LocalUserA -> [PowerUserRole] -> DEV1 (Cluster) LocalUserA -> [PowerUserRole] -> SAN (Storage Data Master) LocalUserA -> [VmImporterExporter] -> DEV1 (Cluster) LocalUserA -> [VmImporterExporter] -> SAN (Storage Data Master) LocalUserA -> [VmImporterExporter] -> SD-Export (Storage Export type) - Login to the Administration Portal as LocalUserA@internal - Create a VM, Export the VM, Import the VM Role UserVmManager is not set for the imported VM. User LocalUserA can not even boot up the VM due to insufficient permissions. How do I setup LocalUserA so it can import VMs and work with them? The only portal that can be used to Export/Import is the Administration Portal. With that said, I don't understand this answer: "yes, but you are now in admin portal and you are an admin. So if you create/import a VM from webadmin, this permission is not granted. You can still operate this VM since you are an admin." The Administration Portal is the only portal where I can import VMs. Saying that UserVmManager is not set because I'm using the Admin Portal to import the VM means that UserVmManager is never going be set on imported VMs. When I login to the Administration Portal as LocalUserA@internal I AM NOT AN ADMIN (whatever that means). I'm an ADMIN type user who has ADMIN role assigned to him on some objects but this can be just "Login Permissions" and nothing else. After importing the VM I can NOT "operate" it. I can not even power it up. I can not change permissions on the VM. The UserVmManager is not set on the VM for anyone.
Seems like we encounter the problematic scenario that was discussed in bz 1121144 (comments 66-70), but for users with VmImporterExporter role rather than ReadOnlyAdmin role (in both cases the user is not assigned with MANIPULATE_PERMISSIONS). I propose to apply the same solution we applied to Add VM also to Import VM, they should be the same in that regards.
> After importing the VM I can NOT "operate" it. I can not even power it up. I > can > not change permissions on the VM. The UserVmManager is not set on the VM for > anyone. Im sorry, you are completely right. Targeting the fix to 4.1.4.
*** Bug 1452361 has been marked as a duplicate of this bug. ***
hey, try to verify on : Red Hat Virtualization Manager Version: 4.1.5.2-0.1.el7 verification steps: 1.Create a local 2.Grant permissions to create VMs in DEV1 cluster and Import/Export VMs: [PowerUserRole] -> (Cluster) [PowerUserRole] -> (Storage Data Master) [VmImporterExporter] -> (Cluster) [VmImporterExporter] -> (Storage Data Master) [VmImporterExporter] -> SD-Export (Storage Export type) 3. Login to the Administration Portal as the local user created in step 1. 4. Create a VM, Export the VM, Import the VM Result : Failed to import VM. error : 2017-08-29 17:52:27,144+03 WARN [org.ovirt.engine.core.bll.exportimport.ImportVmCommand] (default task-8) [d9de9869-e514-499a-8c89-42f5e7b2d635] Validation of action 'ImportVm' failed for user shira@internal-authz. Reasons: VAR__ACTION__IMPORT,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION Arik, this time the import doesn't work at all, am i missing somthing?
hey, try to verify on : Red Hat Virtualization Manager Version: 4.1.5.2-0.1.el7 verification steps: 1.Create a local 2.Grant permissions to create VMs in DEV1 cluster and Import/Export VMs: [PowerUserRole] -> (Cluster) [PowerUserRole] -> (Storage Data Master) [VmImporterExporter] -> (Cluster) [VmImporterExporter] -> (Storage Data Master) [VmImporterExporter] -> SD-Export (Storage Export type) 3. Login to the Administration Portal as the local user created in step 1. 4. Create a VM, Export the VM, Import the VM Result : Failed to import VM. error : 2017-08-29 17:52:27,144+03 WARN [org.ovirt.engine.core.bll.exportimport.ImportVmCommand] (default task-8) [d9de9869-e514-499a-8c89-42f5e7b2d635] Validation of action 'ImportVm' failed for user shira@internal-authz. Reasons: VAR__ACTION__IMPORT,VAR__TYPE__VM,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION Arik, this time the import doesn't work at all, am i missing something?
(In reply to Shira Maximov from comment #9) > Arik, this time the import doesn't work at all, am i missing something? Is it possible that the VM is set with custom properties?
hey, try to verify again, (Version: 4.1.5.2-0.1.el7) This time the import worked OK, but the the user still can't run the VM due to insufficient permissions. Moving this bug to assigned.
Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.
The fix didn't reach 4.1.5 and also missed 4.1.6. Changing the target milestone accordingly.
Verified on : Red Hat Virtualization Manager Version: 4.1.7.1-0.1.el7 Verification steps: 1.Create a local user 2.Grant permissions to create VMs in a cluster and Import/Export VMs: [PowerUserRole] -> (Cluster) [PowerUserRole] -> (Storage Data Master) [VmImporterExporter] -> (Cluster) [VmImporterExporter] -> (Storage Data Master) [VmImporterExporter] -> SD-Export (Storage Export type) 3. Login to the Administration Portal as the local user created in step 1. 4. Create a VM, Export the VM, Import the VM Result : The VM is imported to the cluster. The local user can power up the VM. The local user permissions are accordingly on the imported VM.