Created attachment 1336711 [details]
normal_user through classic UI

Description of problem:
Unable to select storage manager from drop down list through classic UI via admin user as well as normal user. Refer attached pictures.

Version-Release number of selected component (if applicable):
5.8.1.5.20170725160636_e433fc0

How reproducible:
Always

Steps to Reproduce:
1. Add openstack provider. Go to Compute-> Clouds-> Providers-> Configuration-> Add new cloud provider
2. Go to Storage-> Block Storage-> Volumes-> Configuration-> Add a new cloud volume-> select storage manager from drop down list.
3. Try with both users admin as well as normal user.

Additional info:
I am able to select storage manager from drop down list through classic UI in 5.8.0.9-alpha2.20170404195944_1d7ece4. I think it's a bug in 5.8.1.5.
Created attachment 1336712 [details] admin_user through classic UI
Odd, I can't reproduce this on the fine branch. Are there any errors in the log or in the javascript console?
(In reply to Tzu-Mainn Chen from comment #3)
> Odd, I can't reproduce this on the fine branch. Are there any errors in the
> log or in the javascript console?

The user role is important. The role for normal_user has 'Storage/Block Storage/Block Storage Manager/List+Show' assignments and 'Cloud Volumes/List+Show and Add+Remove assignments'. Other values are disabled.
But the report also says it fails for the admin user, correct? That works for me as well.
(In reply to Tzu-Mainn Chen from comment #5)
> But the report also says it fails for the admin user, correct? That works
> for me as well.

No, with the admin user everything is fine. I think there is a typo. Imaan, from my side I do not have issues with the admin user, only for the restricted user.
That's weird, I'm pretty sure that the screenshot shows that this is affecting the admin user as well?
(In reply to Tzu-Mainn Chen from comment #7)
> That's weird, I'm pretty sure that the screenshot shows that this is
> affecting the admin user as well?

Anyway, the core problem may be a feature name mismatch for Storage providers.

From my logs:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : Role Authorization failed for: userid [Igor.Tiunov], main tab [opt]
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'ems_storage_refresh'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'ems_storage_delete'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'ems_block_storage_protect'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'ems_block_storage_tag'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'ems_storage_show'
WARN -- : <AuditFailure> Username [Igor.Tiunov], Role ID [17] attempted to access area [ems_storage], type [Action], task [show]
ERROR -- : MIQ(dashboard_controller-auth_error): The user is not authorized for this task or item.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

But the features from the role have completely different names.

From api call to https://<miq>/api/roles/17?expand=resources,features
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
{
  "href": "https://<miq>/api/roles/17/features/1381",
  "id": 1381,
  "identifier": "ems_block_storage_show_list",
  "name": "List",
  "description": "Display Lists of Block Storage Managers",
  "feature_type": "view",
  "protected": false,
  "parent_id": 1380,
  "created_at": "2017-09-30T14:45:05Z",
  "updated_at": "2017-09-30T14:45:05Z"
},
{
  "href": "https://<miq>/api/roles/17/features/1382",
  "id": 1382,
  "identifier": "ems_block_storage_show",
  "name": "Show",
  "description": "Display Individual Block Storage Managers",
  "feature_type": "view",
  "protected": false,
  "parent_id": 1380,
  "created_at": "2017-09-30T14:45:05Z",
  "updated_at": "2017-09-30T14:45:05Z"
},
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The mismatch is in 'ems_storage_show' and 'ems_block_storage_show'.
Also I think only 'ems_block_storage_show_list' is required for cloud volumes creation.
Can I get clarification as to which role the 'normal user' has? The default simple user roles I see in CF don't have any permissions for Storage.
(In reply to Tzu-Mainn Chen from comment #10)
> Can I get clarification as to which role the 'normal user' has? The default
> simple user roles I see in CF don't have any permissions for Storage.

The role is a custom role. Would the JSON from an API request for the role be acceptable?
https://<miq>/api/roles/17?expand=resources,feature
Created attachment 1336892 [details] Custom role
Version: 5.8.0.9-alpha2.20170404195944_1d7ece4
In 5.8.0, it is working as expected for admin user. [Refer: admin_5.8.0]

Version: 5.8.1.5.20170725160636_e433fc0
In 5.8.1, admin user is unable to select storage manager from the drop down list. [Refer: admin_5.8.1]
Created attachment 1337017 [details] Screenshot showing admin user in 5.8.0 is able to select the storage manager
Created attachment 1337018 [details] Screenshot showing admin user in 5.8.1 is unable to select the storage manager
My apologies guys but my version fixed from this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1478571

by hotfix rpm received from tech support

cfme-5.8.1.5-9.el7cf.x86_64.rpm (51.2 MB)
SHA-256: 6fc6cd82ca334db7084ce7a580bfd18f2977aed110aba5ca122e1ff4516a9bc8
cfme-gemset-5.8.1.5-7.el7cf.x86_64.rpm (58.8 MB)
SHA-256: 34061e25c5c0120f0c3cfd3331582dc0f2157c88f98dbd24d7340a7a1322255e
(In reply to ITD27M01 from comment #18)
> My apologies guys but my version fixed from this bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1478571
>
> by hotfix rpm received from tech support
>
> cfme-5.8.1.5-9.el7cf.x86_64.rpm (51.2 MB)
> SHA-256: 6fc6cd82ca334db7084ce7a580bfd18f2977aed110aba5ca122e1ff4516a9bc8
> cfme-gemset-5.8.1.5-7.el7cf.x86_64.rpm (58.8 MB)
> SHA-256: 34061e25c5c0120f0c3cfd3331582dc0f2157c88f98dbd24d7340a7a1322255e

Oh! Let me try with the hotfix. I'll let you know my observations.
Imman, can you please also enable debug logging on the appliances and collect the logs related to the issue?
Should this be marked as a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1478571 then?
No, not related. The current bug is about another issue.
As I said, the core problem is the features/identifier names mismatch.

1. First I try to show the properties of Storage Manager and get the error:

From my logs:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : Role Authorization failed for: userid [Igor.Tiunov], main tab [opt]
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'ems_storage_refresh'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'ems_storage_delete'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'ems_block_storage_protect'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'ems_block_storage_tag'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'ems_storage_show'
WARN -- : <AuditFailure> Username [Igor.Tiunov], Role ID [17] attempted to access area [ems_storage], type [Action], task [show]
ERROR -- : MIQ(dashboard_controller-auth_error): The user is not authorized for this task or item.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

But the features from the role have different names.

From api call to https://<miq>/api/roles/17?expand=resources,features
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
{
  "href": "https://<miq>/api/roles/17/features/1381",
  "id": 1381,
  "identifier": "ems_block_storage_show_list",
  "name": "List",
  "description": "Display Lists of Block Storage Managers",
  "feature_type": "view",
  "protected": false,
  "parent_id": 1380,
  "created_at": "2017-09-30T14:45:05Z",
  "updated_at": "2017-09-30T14:45:05Z"
},
{
  "href": "https://<miq>/api/roles/17/features/1382",
  "id": 1382,
  "identifier": "ems_block_storage_show",
  "name": "Show",
  "description": "Display Individual Block Storage Managers",
  "feature_type": "view",
  "protected": false,
  "parent_id": 1380,
  "created_at": "2017-09-30T14:45:05Z",
  "updated_at": "2017-09-30T14:45:05Z"
},
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The mismatch is in 'ems_storage_show' and 'ems_block_storage_show'.

2. Second I try to create Cloud Volume and get the error:

From my logs:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'ops_explorer'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'chargeback'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'timeline'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'rss'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'ems_cloud_show_list'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'availability_zone_show_list'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'host_aggregate_show_list'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'orchestration_stack_show_list'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'auth_key_pair_cloud_show_list'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'cloud_volume_backup_show_list'
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'ems_infra_show_list'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As you can see, the required feature for cloud volume creation is ems_infra_show_list but not ems_block_storage_list. If I set this feature for the user role (Compute->Infrastructure->Infrastructure Provider->View[List+Show]), the user can create volumes but cannot show Storage manager properties.
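The comparison made by hand in the comment above (denied feature identifiers from the debug log against the identifiers the role actually holds) can be scripted. This is an added example, not part of the original thread or of ManageIQ; the sample log and role document are constructed from the shapes quoted above, and the top-level "features" key and all function names are assumptions.

```ruby
require 'json'

# Constructed sample in the shape of the log lines quoted in the thread.
SAMPLE_LOG = <<~LOG
  DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier ''
  DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'ems_storage_refresh'
  DEBUG -- : MIQ(Rbac::Authorizer#role_allows?) Auth failed for user 'Igor.Tiunov', role 'ps_automation', feature identifier 'ems_storage_show'
  WARN -- : <AuditFailure> Username [Igor.Tiunov], Role ID [17] attempted to access area [ems_storage], type [Action], task [show]
LOG

# Constructed role document; the top-level "features" key is an assumption.
SAMPLE_ROLE = <<~JSON
  {"id": 17, "features": [
    {"id": 1381, "identifier": "ems_block_storage_show_list"},
    {"id": 1382, "identifier": "ems_block_storage_show"}
  ]}
JSON

AUTH_FAILED = /Auth failed for user '([^']*)', role '([^']*)', feature identifier '([^']*)'/

# Returns [sorted unique denied identifiers, count of checks with an empty identifier].
def denied_features(log)
  ids = log.scan(AUTH_FAILED).map { |_user, _role, feature| feature }
  [ids.reject(&:empty?).uniq.sort, ids.count(&:empty?)]
end

# True when every token of needle appears in haystack in the same order.
def subsequence?(needle, haystack)
  i = 0
  haystack.each { |tok| i += 1 if tok == needle[i] }
  i == needle.size
end

# Granted identifiers that contain all tokens of the denied one, closest first.
def near_misses(denied, granted)
  want = denied.split('_')
  granted.select { |g| subsequence?(want, g.split('_')) }
         .sort_by { |g| [g.split('_').size, g] }
end

# Maps each denied identifier to the granted identifiers it was probably meant to match.
def mismatch_report(log, role_json)
  granted = JSON.parse(role_json).fetch('features').map { |f| f['identifier'] }
  denied, blank = denied_features(log)
  { blank_checks: blank,
    denied: denied.to_h { |id| [id, near_misses(id, granted)] } }
end

puts JSON.pretty_generate(mismatch_report(SAMPLE_LOG, SAMPLE_ROLE)) if $PROGRAM_NAME == __FILE__
```

A denied identifier with a non-empty near-miss list points to a naming mismatch between the check and the role, while an empty list means the role simply lacks that permission.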
Another note for my environment - I have updated from 5.7.3 to 5.8.1.
Created attachment 1342051 [details] limited user roles
Hi, this bug appears on 5.8.1 because this PR (https://github.com/ManageIQ/manageiq/pull/15600) was not backported to 5.8.1. Updating to 5.8.2 should solve the problem.
I have messed with the role settings and came to know the reason of the failure while adding storage. I have applied role changes on CU db dump and checked with both admin as well as normal user. It is working as expected. You can close this BZ. Thanks for help!
Fixed.
It appears that this is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1538003, which has been fixed by the API team, although not yet backported to FINE. We have tested the fix against the appliance in question and it resolves the issue. Reassigning to the API team for the determination of whether they wish to close this as a duplicate and backport the pre-existing BZ or apply the fix via this present BZ.
Please note that the BZ in comment #52 above is not explicitly the same issue, but the PR against the API repo seems to address this issue. Address accordingly. Thanks.
https://github.com/ManageIQ/manageiq/pull/17156
Verified on 5.10.0.2