Description of problem:
It would be nice for a user to be able to find out what actions he/she is allowed to perform. This would allow creating more user-friendly REST API based UIs. For example: the "New VM" button may be disabled for users that don't have permission to create a new VM.

Version-Release number of selected component (if applicable):
current master, commit 8ebd58feca

How reproducible:
100%

Steps to Reproduce:
1. Fire API request

GET /users/{user_id}/permissions
Filter: true
Authorization: ...

using non-admin user

Actual results:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<permissions/>

Expected results:
List of permissions

Additional info:
blocks VM Portal ability to find out if user can call an action or not
(In reply to Michal Skrivanek from comment #1)
> blocks VM Portal ability to find out if user can call an action or not

For example: It would be nice to have Create VM dialog accessible only for users that have VmCreator role assigned - https://github.com/oVirt/ovirt-web-ui/issues/286.
Allow API listing of clusters the current user can create a new VM in (that is: clusters that the current user has the VmCreate role on). It can be realized, for example, using the query parameter 'canCreateVm':

GET api/clusters
Filter: true
returns all clusters current user can see (already implemented)

GET api/clusters?canCreateVm=true
Filter: true
returns all clusters current user can create new VM in (RFE)

As mentioned in comment 2, it is supposed to allow the UI to properly enable/disable create VM functionality and show the right set of clusters in the new VM dialog.
I think that the current behavior should be good enough to implement the proposed functionality. The user can list the permissions (also inherited) via API for a specific object using the following request (as an example I use cluster 123):

GET /ovirt-engine/api/clusters/123/permissions

With this request you will receive all the permissions the user has, also inherited permissions, and also all groups which have permissions on that cluster. So the client application needs to check if the roles that are assigned to that object have the specific action group he is looking for. The client app also needs to check if he is part of the group which has some permissions on that object:

GET /ovirt-engine/api/users/123/groups

With this approach it should work just OK. The only issue we have is that when the user has *only* inherited permissions on some object we don't return any permissions. That must be fixed.
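The client-side check described in the comment above, sketched as an added example (not code from this thread or from oVirt). The dictionary shapes, role ids, principal ids and the permit name `create_vm` are constructed stand-ins for the parsed responses of the permissions, roles and groups requests.

```python
# Added example: constructed data shapes, not real oVirt API output.

def allowed_action_groups(user_id, user_group_ids, permissions, role_permits):
    """Return the set of action groups the user holds on one object.

    permissions  -- entries from GET .../clusters/{id}/permissions; each grants
                    one role to either a user or a group (never assume which).
    role_permits -- role id -> set of action-group names (assumed pre-fetched).
    """
    groups = set(user_group_ids)
    granted = set()
    for perm in permissions:
        to_user = perm.get("user_id")
        to_group = perm.get("group_id")
        # Count an entry only if it targets this user directly or a group the
        # user belongs to; the listing also contains other principals' grants.
        if to_user == user_id or (to_group is not None and to_group in groups):
            # Unknown role ids contribute nothing (fail closed).
            granted |= role_permits.get(perm["role_id"], set())
    return granted


def can_perform(action_group, user_id, user_group_ids, permissions, role_permits):
    """True if any matching permission's role carries the wanted action group."""
    return action_group in allowed_action_groups(
        user_id, user_group_ids, permissions, role_permits)


# Constructed sample data (ids and permit names are illustrative).
ROLE_PERMITS = {
    "role-vmcreator": {"create_vm"},
    "role-viewer": set(),
}
CLUSTER_123_PERMISSIONS = [
    {"role_id": "role-viewer", "user_id": "alice"},
    {"role_id": "role-vmcreator", "group_id": "grp-devs"},
    {"role_id": "role-vmcreator", "user_id": "carol"},
    {"role_id": "role-unknown", "user_id": "dave"},
]

if __name__ == "__main__":
    for user, groups in [("alice", ["grp-devs"]), ("bob", ["grp-ops"])]:
        ok = can_perform("create_vm", user, groups,
                         CLUSTER_123_PERMISSIONS, ROLE_PERMITS)
        print(user, "New VM button enabled:", ok)
```

The result is only a hint for enabling or disabling UI controls; the engine's own authorization check on the actual request remains the enforcement point.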
Removing dependency on BZ1550568, which will fix the most important issue in VM Portal. We will use this RFE to fix displaying direct and inherited permissions from parent resources, which may be needed if VM Portal or another REST API client needs more detailed access to each resource (we already have this functionality within webadmin, but it's not exposed in the REST API).
the current patch from Ondra seems to be enough for ovirt-web-ui (we can work around lack of inherited perms), but it is required in 4.2 please retarget
After further offline discussion, we are changing this to a bug. The problem was in distinguishing permissions for users or groups (bug) and not in not showing inherited permissions (RFE).
Is this on track to 4.2.2? If not, please defer to 4.2.3.
Verified in a similar manner as BZ1550165. Version: 4.2.2.5-0.1.el7
This bugzilla is included in oVirt 4.2.2 release, published on March 28th 2018. Since the problem described in this bug report should be resolved in oVirt 4.2.2 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days