Bug 1496681 - [downstream clone - 4.1.7] User cannot use non Public vNIC Profiles
Summary: [downstream clone - 4.1.7] User cannot use non Public vNIC Profiles
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.1.4
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ovirt-4.1.7
: ---
Assignee: Alona Kaplan
QA Contact: Gonza
URL:
Whiteboard:
Depends On: 1482365
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-28 06:32 UTC by rhev-integ
Modified: 2020-09-10 11:25 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1482365
Environment:
Last Closed: 2017-11-07 17:27:54 UTC
oVirt Team: Network
Target Upstream Version:
pbrilla: testing_plan_complete-


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 1482365 0 None None None 2017-09-28 06:33:16 UTC
Red Hat Product Errata RHEA-2017:3138 0 normal SHIPPED_LIVE Red Hat Virtualization Manager (ovirt-engine) 4.1.7 2017-11-07 22:22:33 UTC
oVirt gerrit 82218 0 master MERGED engine: VnicProfileUser user role cannot be viewed by children 2017-09-28 06:33:16 UTC
oVirt gerrit 82338 0 ovirt-engine-4.1 MERGED engine: VnicProfileUser user role cannot be viewed by children 2017-09-29 09:26:36 UTC

Description rhev-integ 2017-09-28 06:32:29 UTC
+++ This bug is a downstream clone. The original bug is: +++
+++   bug 1482365 +++
======================================================================

Description of problem:

I have a few doubts on how this is supposed to work, but AFAIK this is a bug.

Users cannot use non Public vNIC Profiles even if permission explicitly added.

1. Create internal user and set password:
2. Create Network (GermanoNet) with two profiles:
   * GNet (Public)
   * GNetNotPublic (Not Public)
3. Assign VmCreator role to user (germano)
4. User tries to create VM, only sees GNet(GNet) Network/vNIC profile. This is expected, all good.

Currently the permissions view look like this:

     object_name      |   owner_name   | object_type  |    role_name    
----------------------+----------------+--------------+-----------------
 GermanoNet           | admin  (admin) | Network      | NetworkAdmin
 GNetNotPublic        | admin  (admin) | vNIC Profile | NetworkAdmin
 GNet                 | admin  (admin) | vNIC Profile | NetworkAdmin
 GNet                 | Everyone       | vNIC Profile | VnicProfileUser

5. Go to the networks tab and add the following permission on the GermanoNet network:
   User: germano
   Role: VnicProfileUser

This is the result:


     object_name      |        owner_name        | object_type  |    role_name    
----------------------+--------------------------+--------------+-----------------
 GermanoNet           | admin  (admin)           | Network      | NetworkAdmin
 GermanoNet           | Germano Michel (germano) | Network      | VnicProfileUser
 GNetNotPublic        | admin  (admin)           | vNIC Profile | NetworkAdmin
 GNet                 | admin  (admin)           | vNIC Profile | NetworkAdmin
 GNet                 | Everyone                 | vNIC Profile | VnicProfileUser

Shouldn't it also create a object_type_id 27 (vNIC profile) permission for the Germano user? It's just creating id 20 (network) on step 5.

What happens now is that if I login with user germano, I cannot see the GNetNotPublic profile when creating a VM. I only see GNet(GNet).

Now I do step 5 again and use the NetworkAdmin role. This is added

     object_name      |        owner_name        | object_type  |    role_name    
----------------------+--------------------------+--------------+-----------------
 GermanoNet           | admin  (admin)           | Network      | NetworkAdmin
 GermanoNet           | Germano Michel (germano) | Network      | NetworkAdmin
 GermanoNet           | Germano Michel (germano) | Network      | VnicProfileUser
 GNetNotPublic        | admin  (admin)           | vNIC Profile | NetworkAdmin
 GNet                 | admin  (admin)           | vNIC Profile | NetworkAdmin
 GNet                 | Everyone                 | vNIC Profile | VnicProfileUser

So still no change in the vNIC profiles (id 27). User can't use or see them in the User Portal.

Version-Release number of selected component (if applicable):
ovirt-engine-4.1.4

How reproducible:
100%

Steps to Reproduce:
As above

(Originally by Germano Veit Michel)

Comment 1 rhev-integ 2017-09-28 06:32:36 UTC
Motty, would you be kind to review this?

(Originally by danken)

Comment 3 rhev-integ 2017-09-28 06:32:44 UTC
Motty, would you be kind to review this?

(Originally by danken)

Comment 4 rhev-integ 2017-09-28 06:32:48 UTC
(In reply to Germano Veit Michel from comment #0)
> Description of problem:
> 
> I have a few doubts on how this is supposed to work, but AFAIK this is a bug.
> 
> Users cannot use non Public vNIC Profiles even if permission explicitly
> added.
> 
> 1. Create internal user and set password:
> 2. Create Network (GermanoNet) with two profiles:
>    * GNet (Public)
>    * GNetNotPublic (Not Public)
> 3. Assign VmCreator role to user (germano)
> 4. User tries to create VM, only sees GNet(GNet) Network/vNIC profile. This
> is expected, all good.
> 
> Currently the permissions view look like this:
> 
>      object_name      |   owner_name   | object_type  |    role_name    
> ----------------------+----------------+--------------+-----------------
>  GermanoNet           | admin  (admin) | Network      | NetworkAdmin
>  GNetNotPublic        | admin  (admin) | vNIC Profile | NetworkAdmin
>  GNet                 | admin  (admin) | vNIC Profile | NetworkAdmin
>  GNet                 | Everyone       | vNIC Profile | VnicProfileUser
> 
> 5. Go to the networks tab and add the following permission on the GermanoNet
> network:
>    User: germano
>    Role: VnicProfileUser
> 
> This is the result:
> 
> 
>      object_name      |        owner_name        | object_type  |   
> role_name    
> ----------------------+--------------------------+--------------+------------
> -----
>  GermanoNet           | admin  (admin)           | Network      |
> NetworkAdmin
>  GermanoNet           | Germano Michel (germano) | Network      |
> VnicProfileUser
>  GNetNotPublic        | admin  (admin)           | vNIC Profile |
> NetworkAdmin
>  GNet                 | admin  (admin)           | vNIC Profile |
> NetworkAdmin
>  GNet                 | Everyone                 | vNIC Profile |
> VnicProfileUser
> 
> Shouldn't it also create a object_type_id 27 (vNIC profile) permission for
> the Germano user? It's just creating id 20 (network) on step 5.

No, it shouldn't. It creates the exact permission you've asked for:
VnicProfileUser role for user 'germano' on network 'GermanoNet'.

The reason it shouldn't create additional permission entry for each of the network's vnic profiles is due to the multi-level-administration.
If another profile will be added for that network, user 'germano' will have the 'VnicProfileUser' for it due to the hierarchical structure of the permissions model. 

In addition, all of the permissions of vnic profiles are listed in the following view: user_vnic_profile_permissions_view_base which should contain also permissions the user has on the vnic profile's network.

> 
> What happens now is that if I login with user germano, I cannot see the
> GNetNotPublic profile when creating a VM. I only see GNet(GNet).
> 
> Now I do step 5 again and use the NetworkAdmin role. This is added
> 
>      object_name      |        owner_name        | object_type  |   
> role_name    
> ----------------------+--------------------------+--------------+------------
> -----
>  GermanoNet           | admin  (admin)           | Network      |
> NetworkAdmin
>  GermanoNet           | Germano Michel (germano) | Network      |
> NetworkAdmin
>  GermanoNet           | Germano Michel (germano) | Network      |
> VnicProfileUser
>  GNetNotPublic        | admin  (admin)           | vNIC Profile |
> NetworkAdmin
>  GNet                 | admin  (admin)           | vNIC Profile |
> NetworkAdmin
>  GNet                 | Everyone                 | vNIC Profile |
> VnicProfileUser
> 
> So still no change in the vNIC profiles (id 27). User can't use or see them
> in the User Portal.
> 

The following entry:
     object_name      |        owner_name        | object_type  |    role_name    
----------------------+--------------------------+--------------+----------------
 GermanoNet           | Germano Michel (germano) | Network      | VnicProfileUser

means that user 'germano' should be able to view and use all of the profiles of network 'GermanoNet'.

This is also part of the design [1]:
"User (as opposed to an administrator), will be limited to the networks and VNIC profiles he can see. ===== VNIC Profiles ===== NOTE: the permissions used below besides the direct one, and the VM/Template one, must allow the user to view the child objects

The user has direct user permissions on the VNIC profile
The user has user permissions on the VNIC profile's network"

[1] http://www.ovirt.org/develop/release-management/features/sla/vnic-profiles/

> Version-Release number of selected component (if applicable):
> ovirt-engine-4.1.4
> 
> How reproducible:
> 100%
> 
> Steps to Reproduce:
> As above

Dan, it seems like a regression.

(Originally by Moti Asayag)

Comment 5 rhev-integ 2017-09-28 06:32:53 UTC
(In reply to Moti Asayag from comment #2)
> 
> Dan, it seems like a regression.

Pavel, is this tested? Can you tell which version has introduced this regression?

(Originally by danken)

Comment 6 rhev-integ 2017-09-28 06:32:58 UTC
(In reply to Moti Asayag from comment #2)
> The reason it shouldn't create additional permission entry for each of the
> network's vnic profiles is due to the multi-level-administration.
> If another profile will be added for that network, user 'germano' will have
> the 'VnicProfileUser' for it due to the hierarchical structure of the
> permissions model. 
> 
> In addition, all of the permissions of vnic profiles are listed in the
> following view: user_vnic_profile_permissions_view_base which should contain
> also permissions the user has on the vnic profile's network.

Understood. Thanks.

Is there any other data I can provide that would help clearing why the profiles are not shown even if the user has permission to the network?

(Originally by Germano Veit Michel)

Comment 7 rhev-integ 2017-09-28 06:33:02 UTC
(In reply to Dan Kenigsberg from comment #3)
> (In reply to Moti Asayag from comment #2)
> > 
> > Dan, it seems like a regression.
> 
> Pavel, is this tested? Can you tell which version has introduced this
> regression?

This particular test case is not part of our automation at the moment but we'll be working to include this in the near future. 
I'm afraid that in order to find out on which version this regression was introduced, we would have to try and reproduce this on previous versions.

(Originally by Gonzalo Rafuls)

Comment 11 Gonza 2017-10-23 13:36:51 UTC
Verified on:
ovirt-engine-4.1.7.3-0.0.master.20171001124835.git8d9e821.el7.centos.noarch

User is able to see both public and non public vnic profiles at VM creation.

Comment 13 errata-xmlrpc 2017-11-07 17:27:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3138


Note You need to log in before you can comment on or make changes to this bug.