Bug 1511697 - [RFE] Unable to set permission on all but Hosted-Engine VM and Storage Domain
Summary: [RFE] Unable to set permission on all but Hosted-Engine VM and Storage Domain
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.1.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ovirt-4.3.1
Target Release: 4.3.0
Assignee: Eli Mesika
QA Contact: Petr Matyáš
URL:
Whiteboard:
Depends On:
Blocks: CEECIR_RHV43_proposed
Reported: 2017-11-09 22:05 UTC by Andrea Perotti
Modified: 2019-05-08 12:37 UTC (History)
Fixed In Version:
Doc Type: Release Note
Doc Text:
Previously, an administrator with the `ClusterAdmin` role was able to modify the self-hosted engine virtual machine, which could cause damage. In the current release, only a `SuperUser` can modify a self-hosted engine and its storage domain.
Clone Of:
Environment:
Last Closed: 2019-05-08 12:36:48 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:

Links
- Red Hat Product Errata RHEA-2019:1085 (private: no; priority/status/summary: none), last updated 2019-05-08 12:37:11 UTC
- oVirt gerrit 97689, branch master, MERGED: "core: Allow operations on HE VM/SD only to SU", last updated 2021-02-03 11:06:54 UTC

Description Andrea Perotti 2017-11-09 22:05:51 UTC
Description of problem:
When setting up permissions for a group of users that should manage/offer support on VMs running on RHV but must NOT be admin of the whole infra, it is not possible to define permissions that apply to all VMs and Storage Domains except the Hosted-Engine one.

A typical 1st level support team should perform just the following operations:
• Login to Administration portal
• Creating, editing and removing vNICs for all VMs (SHE excluded)
• Full "BASIC OPERATION" (start, poweroff, suspend, reboot etc.) for all VMs (SHE excluded)
• Editing properties (hot plug/unplug vCPU, RAM etc.) for all VMs (SHE excluded)
• Creating, adding, attaching, detaching, removing, deleting and editing properties (size, alias, description etc.) of vDISKS for all VMs (SHE excluded, so also the master_hosted_engine storage domain)

So they should absolutely not be able to manage the SHE VM and its master_hosted_engine storage domain (only SuperUser must be able to).

This is not currently possible, because if the permissions are given at system level, they apply to ALL objects, including SHE and its SD.

That granularity level can be reached by setting the permission VM per VM, but from an operations PoV this is not a viable option.

The request here is to make SHE a special object with dedicated permissions, or to exclude SHE and its SD by default when declaring permissions at system level.

Version-Release number of selected component (if applicable):
RHV 4.1.x

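The description above explains the gap (a role assigned at system level is inherited by every VM and storage domain, hosted engine included) and the Doc Text at the top records the fix (modifying the hosted-engine VM and its storage domain requires SuperUser). The following toy model, added here as an illustration and not ovirt-engine code, shows both behaviours side by side: scope inheritance from system down to individual objects, and a hosted-engine carve-out that can be switched on or off. All object names, role contents, action names and user assignments are constructed for the example and do not correspond to the real RHV permission tables.

```python
"""Toy model of scoped role assignments with a hosted-engine carve-out.

Added example; not ovirt-engine code. Inventory, roles and users below
are constructed for illustration only.
"""
from dataclasses import dataclass

SYSTEM = "system"


@dataclass(frozen=True)
class Obj:
    name: str
    kind: str            # "vm" or "storage_domain"
    parent: str          # scope that directly contains this object
    hosted_engine: bool = False


# Constructed inventory: two ordinary VMs, the hosted-engine VM, a data
# storage domain and the hosted-engine storage domain.
OBJECTS = {
    "web01": Obj("web01", "vm", "cluster1"),
    "db01": Obj("db01", "vm", "cluster1"),
    "HostedEngine": Obj("HostedEngine", "vm", "cluster1", hosted_engine=True),
    "data_sd": Obj("data_sd", "storage_domain", "dc1"),
    "hosted_storage": Obj("hosted_storage", "storage_domain", "dc1",
                          hosted_engine=True),
}
# Scope hierarchy: cluster1 sits in dc1, dc1 sits in the system root.
SCOPE_PARENT = {"cluster1": "dc1", "dc1": SYSTEM}

# Constructed action sets; which object kind each action applies to.
ACTION_KIND = {"vm.start": "vm", "vm.edit": "vm", "vm.nic.edit": "vm",
               "disk.edit": "vm", "sd.edit": "storage_domain"}
ROLES = {
    "SuperUser": set(ACTION_KIND),
    "ClusterAdmin": set(ACTION_KIND),   # same actions, different carve-out
}

# (user, role, scope at which the role was assigned)
ASSIGNMENTS = [
    ("alice", "SuperUser", SYSTEM),
    ("bob", "ClusterAdmin", SYSTEM),      # support team given system-wide
    ("carol", "ClusterAdmin", "cluster1"),  # support team scoped to one cluster
]


def scopes_of(obj):
    """Return the object itself plus every enclosing scope up to system."""
    scopes = [obj.name, obj.parent]
    while scopes[-1] != SYSTEM:
        scopes.append(SCOPE_PARENT[scopes[-1]])
    return scopes


def roles_for(user, obj):
    """Roles a user holds on an object via any scope that contains it."""
    scopes = set(scopes_of(obj))
    return {role for (u, role, scope) in ASSIGNMENTS
            if u == user and scope in scopes}


def is_allowed(user, action, obj_name, he_requires_superuser=True):
    """Authorization check. With he_requires_superuser=False the model
    behaves like the report's 'before' state: a system-level role reaches
    the hosted-engine objects too. With it True (the fix described in the
    Doc Text), those objects are only reachable through SuperUser."""
    obj = OBJECTS[obj_name]
    if ACTION_KIND[action] != obj.kind:
        return False
    roles = roles_for(user, obj)
    if not any(action in ROLES[r] for r in roles):
        return False
    if he_requires_superuser and obj.hosted_engine:
        return "SuperUser" in roles
    return True


def reachable(user, action, he_requires_superuser=True):
    """Sorted names of every object on which the user may perform action."""
    return sorted(n for n in OBJECTS
                  if is_allowed(user, action, n, he_requires_superuser))


if __name__ == "__main__":
    for flag in (False, True):
        print(f"hosted-engine carve-out enabled: {flag}")
        for user in ("alice", "bob", "carol"):
            print(f"  {user:5} vm.edit -> {reachable(user, 'vm.edit', flag)}")
            print(f"  {user:5} sd.edit -> {reachable(user, 'sd.edit', flag)}")
```

Running the block prints the object sets each user can touch; `bob` loses `HostedEngine` and `hosted_storage` once the carve-out is enabled while `alice` keeps them, and `carol` shows the pre-existing scoping: a role assigned on `cluster1` never reaches a storage domain, which lives under the data center.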
Comment 1 Yaniv Kaul 2017-11-09 22:14:39 UTC
We have not yet released 4.1.9.
Which version is it?

Comment 12 Martin Perina 2017-12-08 13:41:31 UTC
We are still evaluating possible technical solutions to this issue. When done we will target the bug to relevant release.

Comment 13 Olimp Bockowski 2018-09-13 08:12:22 UTC
Hello Martin, 
nearly 1 year later, what is the plan?

Comment 15 Martin Perina 2019-02-05 13:00:02 UTC
Removing devel_ack+, we are still discussing how this could be achieved

Comment 18 Petr Matyáš 2019-02-25 11:42:12 UTC
Verified on ovirt-engine-4.3.1.1-0.1.el7.noarch

Comment 20 errata-xmlrpc 2019-05-08 12:36:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:1085