Description of problem: - Error screen displayed after user login in admin portal after which the user login works fine. - The issue is with local user and as well as external auth users. Version-Release number of selected component (if applicable): RHV 4.4.3 How reproducible: Always Steps to Reproduce: 1. Configure a user to login with SuperUser role on a DC. 2. Login with the user 3. It will display the error box which automatically disappears and login works after that. Actual results: Error screen displayed Expected results: There should not be any error. Additional info: - Error is not observed if it's configured as system user. - Error in engine logs: ~~~ 2021-01-26 16:53:25,472+05 INFO [org.ovirt.engine.core.bll.aaa.UpdateUserOptionsCommand] (default task-43) [eed7f17b-3423-4470-ab4a-ee3feeeb0cea] No permission found for user '99d53be4-76f6-4d23-b7f7-2b57e73f48ba' or one of the groups he is member of, when running action 'UpdateUserOptions', Required permissions are: Action type: 'ADMIN' Action group: 'MANIPULATE_USERS' Object type: 'System' Object ID: 'aaa00000-0000-0000-0000-123456789aaa'. 2021-01-26 16:53:25,472+05 WARN [org.ovirt.engine.core.bll.aaa.UpdateUserOptionsCommand] (default task-43) [eed7f17b-3423-4470-ab4a-ee3feeeb0cea] Validation of action 'UpdateUserOptions' failed for user user1@internal-authz. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION ~~~
Possibly caused by user options changes from bug 1752751 We shouldn’t assume a user has a System level permission, even though it’s not that common not to add SuperUser just there. SuperUser is meant to be just that, a System level all-access account.
OK so SuperUser can access all components agree. https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html/administration_guide/sect-system_permissions#Administrator_Roles_Explained How about DataCenterAdmin role: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html/administration_guide/sect-system_permissions#Data_center_permissions_entities "For example, a DataCenterAdmin role has administrator privileges only for the assigned data center with the exception of the storage for that data center" But I can still see the other DataCetners with user assigned to one DC with this role. Am I missing any configuration or roles are not working as expected?
None of the roles define visibility. There's only the distinction between user and admin role type. Once you're any kind of admin you can see (as in REST API or webadmin) everything. It is not related to this bug
(In reply to Michal Skrivanek from comment #8) > None of the roles define visibility. There's only the distinction between > user and admin role type. Once you're any kind of admin you can see (as in > REST API or webadmin) everything. > It is not related to this bug Thanks for clarifying, Michal. So this is by design.
MANIPULATE_USERS permission will be no longer required for storing user options after [1] is merged. This should remove the root cause of this problem. [1] https://gerrit.ovirt.org/113128
Aligning with BZ1171924
that is already in progress, should be in 4.4.6, Radek please keep the bug updated
The fix has been backported to 4.4.5.z branch with patch https://gerrit.ovirt.org/c/113859/
Steps: 1. Configure a user to login with SuperUser role on a DC. 2. Login with the user Results: No error during the login. User is logged in correctly. Verified in: ovirt-engine-4.4.5.11-0.1.el8ev.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] 0-day security, bug fix, enhance), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:1186
Due to QE capacity, we are not going to cover this issue in our automation