Bug 1482365 - User cannot use non Public vNIC Profiles
Summary: User cannot use non Public vNIC Profiles
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.1.4
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ovirt-4.2.0
: ---
Assignee: Alona Kaplan
QA Contact: Gonza
URL:
Whiteboard:
Depends On:
Blocks: 1496681
TreeView+ depends on / blocked
 
Reported: 2017-08-17 05:49 UTC by Germano Veit Michel
Modified: 2020-09-10 11:15 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1496681 (view as bug list)
Environment:
Last Closed: 2018-05-15 17:43:37 UTC
oVirt Team: UX
Target Upstream Version:
lsvaty: testing_plan_complete-


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 1482365 0 None None None 2017-09-08 04:27:12 UTC
Red Hat Product Errata RHEA-2018:1488 0 None None None 2018-05-15 17:45:35 UTC
oVirt gerrit 82218 0 'None' 'MERGED' 'engine: VnicProfileUser user role cannot be viewed by children' 2019-11-13 13:15:12 UTC
oVirt gerrit 82338 0 'None' 'MERGED' 'engine: VnicProfileUser user role cannot be viewed by children' 2019-11-13 13:15:12 UTC

Description Germano Veit Michel 2017-08-17 05:49:26 UTC
Description of problem:

I have a few doubts on how this is supposed to work, but AFAIK this is a bug.

Users cannot use non Public vNIC Profiles even if permission explicitly added.

1. Create internal user and set password:
2. Create Network (GermanoNet) with two profiles:
   * GNet (Public)
   * GNetNotPublic (Not Public)
3. Assign VmCreator role to user (germano)
4. User tries to create VM, only sees GNet(GNet) Network/vNIC profile. This is expected, all good.

Currently the permissions view look like this:

     object_name      |   owner_name   | object_type  |    role_name    
----------------------+----------------+--------------+-----------------
 GermanoNet           | admin  (admin) | Network      | NetworkAdmin
 GNetNotPublic        | admin  (admin) | vNIC Profile | NetworkAdmin
 GNet                 | admin  (admin) | vNIC Profile | NetworkAdmin
 GNet                 | Everyone       | vNIC Profile | VnicProfileUser

5. Go to the networks tab and add the following permission on the GermanoNet network:
   User: germano
   Role: VnicProfileUser

This is the result:


     object_name      |        owner_name        | object_type  |    role_name    
----------------------+--------------------------+--------------+-----------------
 GermanoNet           | admin  (admin)           | Network      | NetworkAdmin
 GermanoNet           | Germano Michel (germano) | Network      | VnicProfileUser
 GNetNotPublic        | admin  (admin)           | vNIC Profile | NetworkAdmin
 GNet                 | admin  (admin)           | vNIC Profile | NetworkAdmin
 GNet                 | Everyone                 | vNIC Profile | VnicProfileUser

Shouldn't it also create a object_type_id 27 (vNIC profile) permission for the Germano user? It's just creating id 20 (network) on step 5.

What happens now is that if I login with user germano, I cannot see the GNetNotPublic profile when creating a VM. I only see GNet(GNet).

Now I do step 5 again and use the NetworkAdmin role. This is added

     object_name      |        owner_name        | object_type  |    role_name    
----------------------+--------------------------+--------------+-----------------
 GermanoNet           | admin  (admin)           | Network      | NetworkAdmin
 GermanoNet           | Germano Michel (germano) | Network      | NetworkAdmin
 GermanoNet           | Germano Michel (germano) | Network      | VnicProfileUser
 GNetNotPublic        | admin  (admin)           | vNIC Profile | NetworkAdmin
 GNet                 | admin  (admin)           | vNIC Profile | NetworkAdmin
 GNet                 | Everyone                 | vNIC Profile | VnicProfileUser

So still no change in the vNIC profiles (id 27). User can't use or see them in the User Portal.

Version-Release number of selected component (if applicable):
ovirt-engine-4.1.4

How reproducible:
100%

Steps to Reproduce:
As above

Comment 1 Dan Kenigsberg 2017-08-17 20:00:20 UTC
Motty, would you be kind to review this?

Comment 2 Moti Asayag 2017-08-20 09:22:36 UTC
(In reply to Germano Veit Michel from comment #0)
> Description of problem:
> 
> I have a few doubts on how this is supposed to work, but AFAIK this is a bug.
> 
> Users cannot use non Public vNIC Profiles even if permission explicitly
> added.
> 
> 1. Create internal user and set password:
> 2. Create Network (GermanoNet) with two profiles:
>    * GNet (Public)
>    * GNetNotPublic (Not Public)
> 3. Assign VmCreator role to user (germano)
> 4. User tries to create VM, only sees GNet(GNet) Network/vNIC profile. This
> is expected, all good.
> 
> Currently the permissions view look like this:
> 
>      object_name      |   owner_name   | object_type  |    role_name    
> ----------------------+----------------+--------------+-----------------
>  GermanoNet           | admin  (admin) | Network      | NetworkAdmin
>  GNetNotPublic        | admin  (admin) | vNIC Profile | NetworkAdmin
>  GNet                 | admin  (admin) | vNIC Profile | NetworkAdmin
>  GNet                 | Everyone       | vNIC Profile | VnicProfileUser
> 
> 5. Go to the networks tab and add the following permission on the GermanoNet
> network:
>    User: germano
>    Role: VnicProfileUser
> 
> This is the result:
> 
> 
>      object_name      |        owner_name        | object_type  |   
> role_name    
> ----------------------+--------------------------+--------------+------------
> -----
>  GermanoNet           | admin  (admin)           | Network      |
> NetworkAdmin
>  GermanoNet           | Germano Michel (germano) | Network      |
> VnicProfileUser
>  GNetNotPublic        | admin  (admin)           | vNIC Profile |
> NetworkAdmin
>  GNet                 | admin  (admin)           | vNIC Profile |
> NetworkAdmin
>  GNet                 | Everyone                 | vNIC Profile |
> VnicProfileUser
> 
> Shouldn't it also create a object_type_id 27 (vNIC profile) permission for
> the Germano user? It's just creating id 20 (network) on step 5.

No, it shouldn't. It creates the exact permission you've asked for:
VnicProfileUser role for user 'germano' on network 'GermanoNet'.

The reason it shouldn't create additional permission entry for each of the network's vnic profiles is due to the multi-level-administration.
If another profile will be added for that network, user 'germano' will have the 'VnicProfileUser' for it due to the hierarchical structure of the permissions model. 

In addition, all of the permissions of vnic profiles are listed in the following view: user_vnic_profile_permissions_view_base which should contain also permissions the user has on the vnic profile's network.

> 
> What happens now is that if I login with user germano, I cannot see the
> GNetNotPublic profile when creating a VM. I only see GNet(GNet).
> 
> Now I do step 5 again and use the NetworkAdmin role. This is added
> 
>      object_name      |        owner_name        | object_type  |   
> role_name    
> ----------------------+--------------------------+--------------+------------
> -----
>  GermanoNet           | admin  (admin)           | Network      |
> NetworkAdmin
>  GermanoNet           | Germano Michel (germano) | Network      |
> NetworkAdmin
>  GermanoNet           | Germano Michel (germano) | Network      |
> VnicProfileUser
>  GNetNotPublic        | admin  (admin)           | vNIC Profile |
> NetworkAdmin
>  GNet                 | admin  (admin)           | vNIC Profile |
> NetworkAdmin
>  GNet                 | Everyone                 | vNIC Profile |
> VnicProfileUser
> 
> So still no change in the vNIC profiles (id 27). User can't use or see them
> in the User Portal.
> 

The following entry:
     object_name      |        owner_name        | object_type  |    role_name    
----------------------+--------------------------+--------------+----------------
 GermanoNet           | Germano Michel (germano) | Network      | VnicProfileUser

means that user 'germano' should be able to view and use all of the profiles of network 'GermanoNet'.

This is also part of the design [1]:
"User (as opposed to an administrator), will be limited to the networks and VNIC profiles he can see. ===== VNIC Profiles ===== NOTE: the permissions used below besides the direct one, and the VM/Template one, must allow the user to view the child objects

The user has direct user permissions on the VNIC profile
The user has user permissions on the VNIC profile's network"

[1] http://www.ovirt.org/develop/release-management/features/sla/vnic-profiles/

> Version-Release number of selected component (if applicable):
> ovirt-engine-4.1.4
> 
> How reproducible:
> 100%
> 
> Steps to Reproduce:
> As above

Dan, it seems like a regression.

Comment 3 Dan Kenigsberg 2017-08-20 11:52:27 UTC
(In reply to Moti Asayag from comment #2)
> 
> Dan, it seems like a regression.

Pavel, is this tested? Can you tell which version has introduced this regression?

Comment 4 Germano Veit Michel 2017-08-21 05:37:26 UTC
(In reply to Moti Asayag from comment #2)
> The reason it shouldn't create additional permission entry for each of the
> network's vnic profiles is due to the multi-level-administration.
> If another profile will be added for that network, user 'germano' will have
> the 'VnicProfileUser' for it due to the hierarchical structure of the
> permissions model. 
> 
> In addition, all of the permissions of vnic profiles are listed in the
> following view: user_vnic_profile_permissions_view_base which should contain
> also permissions the user has on the vnic profile's network.

Understood. Thanks.

Is there any other data I can provide that would help clearing why the profiles are not shown even if the user has permission to the network?

Comment 5 Gonza 2017-08-21 16:03:41 UTC
(In reply to Dan Kenigsberg from comment #3)
> (In reply to Moti Asayag from comment #2)
> > 
> > Dan, it seems like a regression.
> 
> Pavel, is this tested? Can you tell which version has introduced this
> regression?

This particular test case is not part of our automation at the moment but we'll be working to include this in the near future. 
I'm afraid that in order to find out on which version this regression was introduced, we would have to try and reproduce this on previous versions.

Comment 8 Gonza 2017-10-03 13:27:38 UTC
Verified on:
ovirt-engine-4.1.7.3-0.0.master.20171001124835.git8d9e821.el7.centos.noarch

User is able to see both public and non public vnic profiles at VM creation.

Comment 13 errata-xmlrpc 2018-05-15 17:43:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:1488

Comment 14 Franta Kust 2019-05-16 13:03:13 UTC
BZ<2>Jira Resync

Comment 17 Daniel Gur 2019-08-28 12:57:42 UTC
sync2jira

Comment 18 Daniel Gur 2019-08-28 13:02:17 UTC
sync2jira

Comment 19 Daniel Gur 2019-08-28 13:11:37 UTC
sync2jira

Comment 20 Daniel Gur 2019-08-28 13:15:49 UTC
sync2jira


Note You need to log in before you can comment on or make changes to this bug.