Description of problem:
User with custom role cannot retire VM.

Version-Release number of selected component (if applicable):
5.10.1

How reproducible:
Always

Steps to Reproduce:
1. Copy vm-user role
2. Assign it to user
3. User retire VM

Actual results:
User can't retire VM

Expected results:
User should be able to retire VM

Additional info:
Not sure if this happens on the vm-user default role, have not tested that out

[----] I, [2019-03-11T12:00:52.113483 #11151:14fe4e8] INFO -- : <AuditSuccess> MIQ(MiqRequest.log_request_success) userid: [sbr-cfme] - VM Retire requested by <sbr-cfme> for Vm:[12000000000857]
[----] I, [2019-03-11T12:00:52.124757 #11151:14fe4e8] INFO -- : MIQ(MiqQueue.put) Message id: [12000008436191], id: [], Zone: [CFME-RHV], Role: [], Server: [], MiqTask id: [], Ident: [generic], Target id: [], Instance id: [12000000000913], Task id: [], Command: [VmRetireRequest.call_automate_event], Timeout: [3600], Priority: [100], State: [ready], Deliver On: [], Data: [], Args: ["request_created"]
[----] E, [2019-03-11T12:00:52.125469 #11151:14fe4e8] ERROR -- : MIQ(vm_infra_controller-x_button): Error during 'retire_now': not authorized
David, do you have logs?

Do we know if the current group for the user is the group with that role? You assign the role to the group, not the user. If they're in more than one group, the current group dropdown could be on the wrong group.

In user.rb, we:

    delegate :miq_user_role, ... :to => :current_group ...

Can you test the default vm_user in the way you recreated it? It should have access to the retire now.

db/fixtures/miq_user_roles.yml:

    ...
    - :name: EvmRole-vm_user
      :read_only: true
      :miq_product_feature_identifiers:
      - about
      - all_vm_rules
      ...
      - vm_retire_now

After testing this with the out of box vm_user, please try with the copied one and provide the logs. Specifically, I need to see the evm.log, audit.log and production.log but the current logs would be great.

Thanks!
Joe
Hey Joe, I just created a vm_user with default vm_user group and I don't even have the option to retire the VM. The only option I have in the UI is to provision.
Ah, it looks like Retire this VM isn't showing up in the VM overview, but if I click on a specific virtual machine, it'll let me click on retire, BUT it gives me the same error. Immediately after clicking retire I'm brought to the requests on UI with this message: 'Error during 'retire_now': not authorized'. The retire this VM does show up on my custom role on a different VM though, so I'm not sure what's going on there. Attaching pics and logs.
Created attachment 1548706 [details] request error
I believe this is in automate. It looks to be hitting call_automate_event_queue and somehow it's not being approved with a "not authorized". Does this code look at the role of the group the user is currently in?

The vm_user role has the vm_retire_now product feature found in db/fixtures/miq_user_roles.yml:

    - :name: EvmRole-vm_user
      :read_only: true
      :miq_product_feature_identifiers:
      - about
      - all_vm_rules
      ...
      - vm_retire_now
      ...
https://github.com/ManageIQ/manageiq/pull/18626
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/0cefc4c7f567484086321e0265d164e8655a941a

commit 0cefc4c7f567484086321e0265d164e8655a941a
Author:     Lucy Fu <lufu>
AuthorDate: Wed Apr 3 11:52:03 2019 -0400
Commit:     Lucy Fu <lufu>
CommitDate: Wed Apr 3 11:52:03 2019 -0400

    Use admin to auto approve a request. The approver needs to have miq_request_approval role and admin is the only default user with that role.

    https://bugzilla.redhat.com/show_bug.cgi?id=1687597

 app/models/miq_request.rb              |  2 +-
 spec/models/automation_request_spec.rb |  3 +
 spec/models/miq_request_spec.rb        | 12 +
 spec/models/miq_schedule_spec.rb       |  1 +
 4 files changed, 17 insertions(+), 1 deletion(-)
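The failure and the fix discussed in this thread, as an added example that is not ManageIQ code and not part of the original comments. It is a simplified model with hypothetical class and method names and constructed data; it assumes that before the fix the auto-approval was checked against the requesting user, and it models miq_request_approval as a feature identifier.

```ruby
# Simplified model (hypothetical names, constructed data); not ManageIQ code.
Role  = Struct.new(:name, :features)
Group = Struct.new(:name, :role)

class User
  attr_reader :userid
  attr_accessor :current_group

  def initialize(userid, current_group)
    @userid = userid
    @current_group = current_group
  end

  # Features are resolved through the current group's role only.
  def allowed?(feature)
    current_group.role.features.include?(feature)
  end
end

class NotAuthorized < StandardError; end

class RetireRequest
  attr_reader :state, :approved_by

  def initialize(requester)
    raise NotAuthorized, "not authorized" unless requester.allowed?("vm_retire_now")
    @state = "pending"
  end

  # Approving is a separate privileged action, checked against the approver.
  def approve(approver)
    raise NotAuthorized, "not authorized" unless approver.allowed?("miq_request_approval")
    @approved_by = approver.userid
    @state = "approved"
  end
end

# Returns the final request state, or the error message if any check refuses.
def auto_approve(requester, approver)
  request = RetireRequest.new(requester)
  request.approve(approver)
  request.state
rescue NotAuthorized => e
  "Error during 'retire_now': #{e.message}"
end

VM_USER_COPY = Role.new("vm_user_copy", %w[about all_vm_rules vm_retire_now])
ADMIN_ROLE   = Role.new("admin_role", %w[vm_retire_now miq_request_approval])
REQUESTER = User.new("sbr-cfme", Group.new("custom_group", VM_USER_COPY))
ADMIN     = User.new("admin", Group.new("admin_group", ADMIN_ROLE))

puts auto_approve(REQUESTER, REQUESTER) # approver is the requester: refused
puts auto_approve(REQUESTER, ADMIN)     # approver is admin: approved
```

The requester holds vm_retire_now in both calls; only the identity used for the approval step changes the outcome.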
Checked on version: 5.11.0.14.20190710225033_cb17ff0

Created user (new_user) with custom role (copying default vm_user role) attached to custom group and retired VM. VM retired successfully. Retire VM option is available on VM's all and details page. Hence verifying this BZ.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:4199