+++ This bug is a downstream clone. The original bug is: +++ +++ bug 1624219 +++ ====================================================================== Description of problem: Upon login to VM Portal, a user cannot see a Pool if the permission was given to the user's Group and not directly to the user. The user only sees it after a refresh. Version-Release number of selected component (if applicable): ovirt-web-ui-1.3.9-1.el7.centos.noarch ovirt-engine-4.2.5.2-1.el7.noarch How reproducible: 100% Steps to Reproduce: 1. Add internal user # ovirt-aaa-jdbc-tool user add germano --attribute=firstName=Germano # ovirt-aaa-jdbc-tool user password-reset germano --password=pass:redhat --password-valid-to="2026-01-01 23:59:59Z" 2. Add internal group and add user to group # ovirt-aaa-jdbc-tool group add mygroup --attribute=displayName=mygroup # ovirt-aaa-jdbc-tool group-manage useradd mygroup --user=germano 3. Create Pool on the Administration Portal 4. Assign UserRole permission to group mygroup 5. Login with user on Vm Portal [ Pool is not shown ] 6. Click refresh [ Pool is shown ] Actual results: Pool not shown upon login Expected results: Pool shown (Originally by Germano Veit Michel)
VM portal performs auto-refresh, so the pool appears after some time automatically. (Originally by Lucie Leistnerova)
The auto-refresh REST query for Pools uses a slightly different form than the query used at initial load time. With the permissions as described above and applied to 2 different Pools (to be able to test paging), the vmpools query seems to work in different ways. Querying against my dev engine built from current master and using curl of the form `curl -k -u"user@internal:pass" -H"Filter: true" -H"Accept: application/json" -D - "https://localhost:8443/$URLPART"`: 1. /ovirt-engine/api/vmpools get all pools but no sorting or paging --> works 2. /ovirt-engine/api/vmpools;max=1 grab the first pool for the user --> works (and for any value of max) 3. /ovirt-engine/api/vmpools;max=1?search=page%201 grab the first page of pools (page size = 1) for the user --> works (and for any value of max) 4. /ovirt-engine/api/vmpools;max=1?search=page%202 grab the second pool for the user --> FAIL, got "{ }", expected 1 Pool 5. /ovirt-engine/api/vmpools?search=SORTBY%20NAME%20ASC grab all pools and sort by name --> works 6. /ovirt-engine/api/vmpools;max=1?search=SORTBY%20NAME%20ASC grab the first pool, alphabetically, for the user --> FAIL, got "{ }", expected 1 Pool 7. /ovirt-engine/api/vmpools;max=1?search=SORTBY%20NAME%20ASC%20page%201 grab the first page of pools (page size = 1), alphabetically, for the user --> FAIL, got "{ }", expected 1 Pool 8. /ovirt-engine/api/vmpools;max=1?search=SORTBY%20NAME%20ASC%20page%202 grab the second page of pools (page size = 1), alphabetically, for the user --> FAIL, got "{ }", expected 1 Pool (Originally by Scott Dickerson)
so, for listing available pools we're calling either - GetAllVmPoolsAttachedToUser query calling GetAllVm_poolsByUser_id_with_groups_and_UserRoles function using user_vm_pool_permissions_view or in case that both "sortby name asc" and "max" are in URL: - GetAllVmPoolsFilteredAndSorted query calling GetAllFromVmPoolsFilteredAndSorted function using vm_pools_full_view so 4. is not supposed to work. It doesn't work for non-group user either. but those SPs are quite different and apparently the second one doesn't really map groups (Originally by michal.skrivanek)
Martin could you please help with understanding what and how are groups ignored in one of them? (Originally by michal.skrivanek)
(In reply to Michal Skrivanek from comment #8) > so, for listing available pools we're calling either > - GetAllVmPoolsAttachedToUser query calling > GetAllVm_poolsByUser_id_with_groups_and_UserRoles function using > user_vm_pool_permissions_view GetAllVm_poolsByUser_id_with_groups_and_UserRoles SQL query is using user_vm_pool_permissions_view, which joins user_vm_pool_permissions_view_base (permissions for pool directly assigned to the user) with engine_session_user_flat_groups (permissions for pool assigned to groups which user is a memberof). So this procedure returns correct objects using direct and indirect permissions. > > or in case that both "sortby name asc" and "max" are in URL: > - GetAllVmPoolsFilteredAndSorted query calling > GetAllFromVmPoolsFilteredAndSorted function using vm_pools_full_view GetAllFromVmPoolsFilteredAndSorted is using users_and_groups_to_vm_pool_map_view to get all permissions for pool, but afterwards it matches the permission only by user and doesn't include also indirect permissions by group membership. Assigning to Ori who introduced this code. (Originally by Martin Perina)
Verified on ovirt-engine-4.2.8-0.1.el7ev.noarch. Verified by following the reproducer.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0121