Bug 1641048 - Engine raises 'insufficient permissions' error when normal user try to access /datacenters?follow=storage_domains
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: RestAPI
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ovirt-4.3.0
Assignee: Ahmad Khiet
QA Contact: Lucie Leistnerova
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-10-19 13:42 UTC by Lucie Leistnerova
Modified: 2019-02-21 14:17 UTC (History)

Fixed In Version: ovirt-engine-4.3.0_rc
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-21 14:17:12 UTC
oVirt Team: Storage
Embargoed:
rule-engine: ovirt-4.3+
lleistne: testing_ack+




Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 96134 0 master ABANDONED restapi: remove error message for vmCreator request for datacenters 2018-12-30 16:26:06 UTC
oVirt gerrit 96293 0 master MERGED restapi: return storage information based on role. 2018-12-30 14:31:44 UTC

Description Lucie Leistnerova 2018-10-19 13:42:21 UTC
Description of problem:
Calling storagedomains?follow=storage_domains as a non-admin user shows the error 'insufficient permissions' in the engine log and does not return all information.

Version-Release number of selected component (if applicable):
ovirt-engine-restapi-4.3.0-0.0.master.20181016132820.gite60d148.el7.noarch

How reproducible: always


Steps to Reproduce:
1. Call as a non-admin user with the VmCreator role:
curl -k -u test@internal:passw -H "Prefer: persistent-auth" https://engine/ovirt-engine/api/datacenters?follow=storage_domains


Actual results: storage element contains only:

                <storage>
                    <type>nfs</type>
                </storage>

Error 3x in engine log:

2018-10-19 15:36:02,485+02 ERROR [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] (default task-29) [2873abfe-5332-48a6-a309-f46596df59da] Query execution failed due to insufficient permissions.



Expected results:
storage with all information and no error
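An added example, not part of the bug report or of oVirt's code: a small parser for engine.log lines in the format quoted above that groups 'insufficient permissions' query failures by query class and correlation id, so that one REST request fanning out into a query the caller's role cannot run (three failures under a single correlation id, as here) can be told apart from many separate requests. The sample is constructed from the one line quoted above; the added timestamps, the ExampleQuery class and its correlation id are made up.

```python
import re
from collections import Counter, defaultdict

# Format of an oVirt engine.log entry as quoted in the bug description:
#   <date> <time>,<ms>+<tz> <LEVEL> [<logger class>] (<thread>) [<correlation id>] <message>
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{2}) "
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) "
    r"\[(?P<corr>[^\]]*)\] (?P<msg>.*)$"
)
PERMISSION_FAILURE = "Query execution failed due to insufficient permissions"

# Constructed sample: the ERROR line quoted in the report (the description says it
# appeared three times; the later timestamps are made up), plus two made-up lines
# (class, correlation id and messages are not real) so the filter has lines to skip.
SAMPLE_LOG = """\
2018-10-19 15:36:02,485+02 ERROR [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] (default task-29) [2873abfe-5332-48a6-a309-f46596df59da] Query execution failed due to insufficient permissions.
2018-10-19 15:36:02,512+02 ERROR [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] (default task-29) [2873abfe-5332-48a6-a309-f46596df59da] Query execution failed due to insufficient permissions.
2018-10-19 15:36:02,540+02 ERROR [org.ovirt.engine.core.bll.storage.domain.GetStorageDomainListByIdQuery] (default task-29) [2873abfe-5332-48a6-a309-f46596df59da] Query execution failed due to insufficient permissions.
2018-10-19 15:36:03,001+02 INFO  [org.ovirt.engine.core.bll.ExampleQuery] (default task-30) [constructed-corr-id] constructed informational entry
2018-10-19 15:36:03,120+02 ERROR [org.ovirt.engine.core.bll.ExampleQuery] (default task-30) [constructed-corr-id] constructed unrelated error
"""

def parse_line(line):
    """Split one engine.log line into its fields; None for lines that do not
    match the format (stack-trace continuation lines, truncated lines)."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None

def permission_failures(log_text):
    """Group 'insufficient permissions' errors as {short query class: {correlation id: count}}.
    Several failures under one id come from a single request (the pattern in this bug);
    many ids for the same class mean repeated requests hitting the same query."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["level"] != "ERROR":
            continue
        if PERMISSION_FAILURE not in entry["msg"]:
            continue
        query = entry["logger"].rsplit(".", 1)[-1]  # drop the package prefix
        failures[query][entry["corr"]] += 1
    return {q: dict(c) for q, c in failures.items()}

if __name__ == "__main__":
    for query, by_corr in permission_failures(SAMPLE_LOG).items():
        for corr, n in by_corr.items():
            print(f"{query}: {n} permission failure(s) under correlation id {corr}")
```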

Comment 1 Ondra Machacek 2018-10-22 12:26:57 UTC
It's because GetStorageDomainListByIdQuery is not a user query.

Comment 2 Tal Nisan 2018-10-22 13:22:51 UTC
(In reply to Ondra Machacek from comment #1)
> It's because GetStorageDomainListByIdQuery is not user query.

Exactly, why is this query needed for an unprivileged user?

Comment 3 Lucie Leistnerova 2018-10-22 14:50:14 UTC
The VM portal calls that query when it checks the available data storage domains for creating new disks.
The VM portal uses only the id, name and type of the storage_domain, so it's not necessary to return all values in the <storage> element. But it shouldn't show an error in engine.log.

Comment 4 Ahmad Khiet 2018-12-11 12:50:05 UTC
The error message in the log was removed after adding GetStorageDomainListById(QueryAuthType.User) to QueryType,

but the storage domain information was intentionally filtered for admin-only requests.

This change was made in the following patch:
https://gerrit.ovirt.org/c/7003

where isFiltered() filters so that only admin users can view the information.

https://github.com/oVirt/ovirt-engine/blob/23cb61706a11a589c7586b366fe0981291d4d816/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendStorageDomainsResource.java#L334

Comment 5 Lucie Leistnerova 2019-02-18 07:50:29 UTC
No error in the log, and storage contains the values that the VM portal needs.

Verified in ovirt-engine-restapi-4.3.0.4-0.1.el7.noarch

Comment 6 Sandro Bonazzola 2019-02-21 14:17:12 UTC
This bugzilla is included in oVirt 4.3.0 release, published on February 4th 2019.

Since the problem described in this bug report should be resolved in oVirt 4.3.0 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

