Bug 1656794 - Disable the ability to remove permissions to Everyone
Summary: Disable the ability to remove permissions to Everyone
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Frontend.WebAdmin
Version: 4.2.7.1
Hardware: All
OS: Unspecified
unspecified
medium vote
Target Milestone: ovirt-4.3.2
: ---
Assignee: Dana
QA Contact: Roni
URL:
Whiteboard: VerificationWeek
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-12-06 10:51 UTC by Paul Staniforth
Modified: 2019-03-19 10:05 UTC (History)
8 users (show)

Fixed In Version: ovirt-engine-4.3.2
Doc Type: Enhancement
Doc Text:
This release disables the "Remove" button on the Everyone permissions page to prevent misconfiguring Red Hat Virtualization Manager permissions.
Clone Of:
Environment:
Last Closed: 2019-03-19 10:05:20 UTC
oVirt Team: Infra
rule-engine: ovirt-4.3+
lleistne: testing_ack+


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3957281 Supportability None Error while executing action: It's not allowed to remove system permissions assigned to built-in Everyone group 2019-03-07 05:33:32 UTC
oVirt gerrit 97708 'None' 'MERGED' 'engine: Disable the ability to remove permissions to Everyone' 2019-11-27 10:47:09 UTC

Description Paul Staniforth 2018-12-06 10:51:13 UTC
Description of problem:
In Administration->Users->Everyone can add system permissions

When you try to remove the permission the operation is cancelled with the message

Error while executing action: It's not allowed to remove system permissions assigned to built-in Everyone group

Version-Release number of selected component (if applicable):
4.2 up to the latest version 4.2.7.1

How reproducible:
Always

Steps to Reproduce:
1. add  system permission to group everyone
2. remove same permission


Actual results:
Can't remove permission

Expected results:
Either don't allow system permission to be added or allow it to be removed

Additional info:

It looks like the only way to remove the permission is to delete it from the engine database

Comment 1 Martin Perina 2019-01-21 14:34:01 UTC
We have disable the ability to remove permissions from Eveyrone, because administrators performed too many mistakes, which ended in unrecoverable corrupted engine permissions. So it makes sense also to disable adding permissions to Everyone to prevent confusion.

If administrators wants to assign permissions to all users, then it makes sense to create a group, where all users belongs, and assign a relevant system permission to this group.

Comment 2 Robert Suszek 2019-01-31 11:01:08 UTC
By mistake I have added a VnicProfileUser to Everyone which I don't want, is there any way, other than modifying the database, to delete it? I wouldn't want to alter the database in any way manually.

Comment 3 Ravi Nori 2019-01-31 18:30:00 UTC
Base on comment #1 updating the title of the BZ. The remove permissions button should be disabled on the Everyone permissions page.

Leaving the ability to add permissions for Everyone so as to avoid breaking any customer user cases

Comment 4 Roni 2019-03-06 15:36:15 UTC
Verified: 4.3.2-0.1.el7

Comment 5 Sandro Bonazzola 2019-03-19 10:05:20 UTC
This bugzilla is included in oVirt 4.3.2 release, published on March 19th 2019.

Since the problem described in this bug report should be
resolved in oVirt 4.3.2 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.