Description of problem:

I have role: EvmGroup-super-admin-psachin (copied from EvmGroup-super-admin) where "Everything" -> "Access Rules for all Virtual Machines" -> "VM Access Rules/Instance Access Rules" -> "Operate" -> "Set Ownership" & "Set Retirement Date" is checked. If I try to retire VM via API it gets retired

~~~
curl -k -l --user psachin:psachin \
  -H "Content-Type: application/json" \
  -i -X POST -H "Accept: application/json" \
  -d '{ "action": "retire"}' \
  https://cfme.com/api/vms/21000000000145

HTTP/1.1 200 OK
Date: Thu, 22 Jun 2017 12:08:05 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Content-Type: application/json; charset=utf-8
Content-Security-Policy: default-src 'self'; connect-src 'self'; frame-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; report-uri /dashboard/csp_report
Strict-Transport-Security: max-age=631152000
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
ETag: W/"76590b8bba8d9e8d4afaf2b054cebcd6"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: 9b911396-c726-441c-b5ea-50c759628d8f
X-Runtime: 0.408045
Transfer-Encoding: chunked

{"success":true,"message":"VM id:21000000000145 name:'psachin-vm-with-2-nics-from-template' retiring","href":"https://10.74.130.155/api/vms/21000000000145"}
~~~

Whereas if "Set Retirement Date" is un-checked, the request is forbidden.

~~~
curl -k -l --user psachin:psachin \
  -H "Content-Type: application/json" \
  -i -X POST -H "Accept: application/json" \
  -d '{ "action": "retire"}' \
  https://cfme.com/api/vms/21000000000145

HTTP/1.1 403 Forbidden
Date: Thu, 22 Jun 2017 11:59:10 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Content-Type: application/json; charset=utf-8
Content-Security-Policy: default-src 'self'; connect-src 'self'; frame-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; report-uri /dashboard/csp_report
Strict-Transport-Security: max-age=631152000
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
X-Request-Id: 7e05393d-98bc-4fa3-b63b-ef0ed5b74d9a
X-Runtime: 0.123695
Transfer-Encoding: chunked

{"error":{"kind":"forbidden","message":"Use of Action retire is forbidden","klass":"Api::ForbiddenError"}}
~~~

Version-Release number of selected component (if applicable): 5.7.2.1

How reproducible: Always

Steps to Reproduce:
1. Please see description
2.
3.

Actual results:

Expected results:

Additional info:

PR: https://github.com/ManageIQ/manageiq/pull/15509
Verified on 5.9.0.3 that it's possible to retire a VM using the REST API when "Set Retirement Date" is unchecked.