Bug 1612124
| Summary: | Engine raises 'insufficient permissions' error when normal user try to access /ovirt-engine/api | ||
|---|---|---|---|
| Product: | [oVirt] ovirt-engine | Reporter: | Greg Sheremeta <gshereme> |
| Component: | RestAPI | Assignee: | Ori Liel <oliel> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Lucie Leistnerova <lleistne> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | future | CC: | bugs, gshereme, lleistne, lsvaty, michal.skrivanek, mperina, omachace, smacko |
| Target Milestone: | ovirt-4.2.7 | Flags: | rule-engine:
ovirt-4.2+
lsvaty: testing_ack+ |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ovirt-engine-4.2.7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-11-02 14:31:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Greg Sheremeta
2018-08-03 14:12:25 UTC
GetSystemStatisticsQuery is called only when you directly access /ovirt-engine/api, which returns statistics about the whole system. Those information are not public and they should be presented only to administrators. So why are you accessing this page from VM portal which is primarily intended for users? [1] https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/QueryType.java#L270 because that's the one where we verify access to the API and discover the version. Is there any better way how to get version? btw, we do not need that system statistics. Just those versions OK, we can probably remove statistics from output for normal users if that doesn't break our API compatibility contract. (In reply to Martin Perina from comment #4) > OK, we can probably remove statistics from output for normal users if that > doesn't break our API compatibility contract. If it does, a new endpoint is fine. Tested in ovirt-engine version ovirt-engine-4.2.7-0.1.el7ev.noarch, ovirt-web-ui version ovirt-web-ui-1.4.3-1.el7ev.noarch. 1. After logging in as an admin user no errors are present. 2. After logging in as a non-admin user three errors are present. engine.log after logging in as a non-admin user: 2018-09-20 16:59:42,300+02 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-31) [] User user1@internal successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access 2018-09-20 16:59:42,451+02 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-8) [51eb90fc] Running command: CreateUserSessionCommand internal: false. 2018-09-20 16:59:42,480+02 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-8) [51eb90fc] EVENT_ID: USER_VDC_LOGIN(30), User user1@internal-authz connecting from '10.34.130.172' using session 'YSjkmKcxWc4sHXWWLZB/rQkRHBF1lL4ihZ6ipznnPdxnPp17er5CgK7HO/FvCmBjzbFQJgisfVUyDpCVT7yQLQ==' logged in. 2018-09-20 16:59:43,420+02 ERROR [org.ovirt.engine.core.bll.GetPermissionsForObjectQuery] (default task-14) [e9999618-b197-46c0-85c0-878fb9caafa2] Query execution failed due to insufficient permissions. 2018-09-20 16:59:43,431+02 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (default task-14) [] Operation Failed: query execution failed due to insufficient permissions. No idea what exactly VM portal trying to fetch, but access to /ovirt-engine/api for non-admin users was fixed properly: 1. Create a user jdoe in internal domain and assign it UserRole as System Permission 2. Fetch /ovirt-engine/api URL using 'curl -v -u "jdoe@internal:john" --request GET http://localhost:8080/ovirt-engine/api' 3. Check engine.log: 2018-09-21 11:31:39,164+02 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-7) [9f06dd9] User jdoe@internal successfully logged in with scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access 2018-09-21 11:31:39,190+02 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-1) [5b7508cd] Running command: CreateUserSessionCommand internal: false. 2018-09-21 11:31:39,208+02 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-1) [5b7508cd] EVENT_ID: USER_VDC_LOGIN(30), User jdoe@internal-authz connecting from '0:0:0:0:0:0:0:1' using session '/g7YQNmGz5wo1NlwXNY9WweOtCIccmufEF3PsVE/8f6gSfr4VR5fn3AoOCySVvXcjPOSVjPTjJLPbNayzbTeKg==' logged in. 2018-09-21 11:31:39,247+02 INFO [org.ovirt.engine.core.bll.aaa.LogoutSessionCommand] (default task-1) [386d1e0f] Running command: LogoutSessionCommand internal: false. 2018-09-21 11:31:39,262+02 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-1) [386d1e0f] EVENT_ID: USER_VDC_LOGOUT(31), User jdoe@internal-authz connected from '0:0:0:0:0:0:0:1' using session '/g7YQNmGz5wo1NlwXNY9WweOtCIccmufEF3PsVE/8f6gSfr4VR5fn3AoOCySVvXcjPOSVjPTjJLPbNayzbTeKg==' logged out. So from infra point of view access to /ovirt-engine/api for non-admin user was fixed properly (In reply to Martin Perina from comment #7) > So from infra point of view access to /ovirt-engine/api for non-admin user > was fixed properly I'll take a look. Tested on ovirt-engine version: ovirt-engine-4.2.7.2-0.1.el7ev.noarch After logging in as a user with system role 'UserRole' errors are still present. 2018-10-17 13:57:13,119+02 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-3) [2bcb2f0] User user1@internal successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access 2018-10-17 13:57:13,244+02 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-8) [49dc7642] Running command: CreateUserSessionCommand internal: false. 2018-10-17 13:57:13,260+02 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-8) [49dc7642] EVENT_ID: USER_VDC_LOGIN(30), User user1@internal-authz connecting from '10.34.130.137' using session 'hldZK/OambUk8KoZ4CnDxwwzT2Hu2F+qlcrBtVUH0fiA1pn+J+pqr1bDVPp/rh+B6jAY4W0y7e6kv+4wzx0G5Q==' logged in. 2018-10-17 13:57:14,096+02 ERROR [org.ovirt.engine.core.bll.GetPermissionsForObjectQuery] (default task-15) [620bec9d-9b2b-426a-afce-d9aa14908f93] Query execution failed due to insufficient permissions. 2018-10-17 13:57:14,097+02 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (default task-15) [] Operation Failed: query execution failed due to insufficient permissions. 2018-10-17 13:57:14,264+02 ERROR [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] (default task-37) [3c556215-5e6e-4165-84b5-83d1c430994b] Query execution failed due to insufficient permissions. Logging into an API does not cause any errors but bug is about logging into a VM portal. Perhaps a change of a component would be appropriate. > Logging into an API does not cause any errors but bug is about logging into a
> VM portal. Perhaps a change of a component would be appropriate.
I don't agree with that, we have fixed the problematic RESTAPI call and that's what this bug is about.
Greg, could you please specify which RESTAPI calls are invoked when user logs into VM Portal? Which of them are required for proper functionality of VM Portal?
Once we have this list we can discuss what can be done for each RESTAPI call ...
There are other API calls that have permission issues, but this bug is specifically about /api (the root) only, aka GetSystemStatisticsQuery @Samuel, if you clear out your engine.log and re-test, as long as you don't see permission errors specifically about GetSystemStatisticsQuery, this is pass. Login for nonadmin user still shows permissions error in engine.log This call causes GetPermissionsForObjectQuery error: curl -k -H "Filter: false" -u test@internal:passw -H "Prefer: persistent-auth" https://engine/ovirt-engine/api/permissions without header "Filter: false" are permissions returned correctly. And this one is for GetStorageDomainListByIdQuery error: curl -k -u test@internal:passw -H "Prefer: persistent-auth" https://ll-engine3/ovirt-engine/api/datacenters?follow=storage_domains Should that be fixed also in this BZ? I'm sorry, I forgot to mention which version I was testing ovirt-engine-restapi-4.2.7.3-0.1.el7ev.noarch with ovirt-web-ui-1.4.4-2.el7ev.noarch I talked to Greg and according to that I created new BZ 1641048 for the datacenter call (permissions will follow). Calling /ovirt-engine/api doesn't return any error for nonadmin user, so this issue is fixed. verified in ovirt-engine-restapi-4.2.7.3-0.1.el7ev.noarch This bugzilla is included in oVirt 4.2.7 release, published on November 2nd 2018. Since the problem described in this bug report should be resolved in oVirt 4.2.7 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report. |