Created attachment 1425945
read action forbidden error

Description of problem:
When a user with limited role permissions tries to attach / detach a cloud volume, a red error message is displayed in the UI stating "Use of the read action is forbidden". The only way I have found to address this is by enabling the following product features for the user's role:

Compute => Infrastructure => Infrastructure Providers => View

However, the user should not need to enable Infrastructure role features to attach / detach a cloud volume for a cloud provider. Please note, even though the red error message is being displayed, the user is still allowed to attach / detach the cloud instance.

Version-Release number of selected component (if applicable):
CFME 5.8.3.5

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
Red error message is displayed when attempting to attach or detach a cloud instance

Expected results:
There should be no error message, as the user has the correct permissions.

Additional info:
This issue was originally for the whole attach / detach cloud image page not displaying and was supposed to be fixed in this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1462269

However, that bug was opened for a slightly different issue, so I wanted to open a fresh bug for clarity.

Appliance 10.13.145.93 with credentials admin:smartvm exhibits this behavior.
I'm copying over slucidi's comment from the related bug, since it explains the cause of the current behavior:

"It looks like the other half of this issue is related to the 'providers' api endpoint. The cloud volume form calls to it to request a list of providers/managers with storage capabilities, but fails if the user doesn't have ems_infra permissions. Looking at https://github.com/imtayadeway/manageiq-api/blob/cebbdc102cd87d0d5120ca35c8571132f7e530eb/config/api.yml#L1856 it appears that the providers endpoint uses all ems_infra related roles. I'm not sure if the issue is that the required permissions are incorrect, if it's the wrong endpoint to use to list storage managers on this form, or if it's just misaligned expectations."

The API call to the providers endpoint that requires these permissions is in the initialization of the angular cloudVolumeFormController. This is needed for the "new cloud volume" operation (to get the list of providers to choose from), but it's completely unnecessary for attach/detach volume. The angular controller needs to be refactored so that this API call isn't made for forms that don't need it.
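The refactoring described in the comment above, sketched as an added example that is not part of the bug thread and is not ManageIQ's code. The stub API, the function names and the feature identifiers `ems_infra_view` and `cloud_volume_attach` are hypothetical; only the error string and the `providers` endpoint name come from this report.

```javascript
// Stub API (constructed): rejects a read when the caller's role lacks the
// product feature the endpoint requires, and records every call made.
function makeApi(userFeatures) {
  const calls = [];
  return {
    calls,
    get(collection, requiredFeature) {
      calls.push(collection);
      if (!userFeatures.includes(requiredFeature)) {
        return { status: 403, error: 'Use of the read action is forbidden' };
      }
      return { status: 200, resources: [] };
    },
  };
}

// Only the "new cloud volume" form needs the provider list.
const NEEDS_PROVIDERS = new Set(['new']);

// Reported behaviour: the provider lookup runs during initialization of
// every form, so attach/detach surfaces a 403 it has no use for.
function initFormBefore(operation, api) {
  const errors = [];
  const res = api.get('providers', 'ems_infra_view');
  if (res.status !== 200) errors.push(res.error);
  return { operation, errors };
}

// Refactored behaviour: the lookup is gated on the form's operation, so a
// form only triggers authorization checks for data it actually uses.
function initFormAfter(operation, api) {
  const errors = [];
  if (NEEDS_PROVIDERS.has(operation)) {
    const res = api.get('providers', 'ems_infra_view');
    if (res.status !== 200) errors.push(res.error);
  }
  return { operation, errors };
}

// Constructed sample: a role that can attach volumes but has no
// infrastructure view feature.
const limitedRole = ['cloud_volume_attach'];
console.log(initFormBefore('attach', makeApi(limitedRole)).errors);
console.log(initFormAfter('attach', makeApi(limitedRole)).errors);
```

With the gate in place, the "new" form still reports the 403 for this role, which keeps the open question from the quoted comment (whether the endpoint's required permissions are right) separate from the spurious error on attach/detach.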