Bug 1951579 - RHV api issues when account has only "UserRole" permissions
Summary: RHV api issues when account has only "UserRole" permissions
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.3.11
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.4.7
: 4.4.7
Assignee: Ori Liel
QA Contact: Guilherme Santos
Depends On:
TreeView+ depends on / blocked
Reported: 2021-04-20 13:53 UTC by Marian Jankular
Modified: 2021-07-22 15:13 UTC (History)
3 users (show)

Fixed In Version: ovirt-engine-4.4.7
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2021-07-22 15:12:33 UTC
oVirt Team: Infra
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2865 0 None None None 2021-07-22 15:13:39 UTC
oVirt gerrit 114547 0 master MERGED restapi - Search hosts as non-admin user 2021-04-29 09:16:40 UTC

Description Marian Jankular 2021-04-20 13:53:42 UTC
Description of problem:
RHV api issues when user has only "UserRole" permissions

Version-Release number of selected component (if applicable):
4.4.x as well

How reproducible:

Steps to Reproduce:
1. create user with "UserRole" permission only
2. try to get host info with query below issued on the manager:
# curl --cacert /etc/pki/ovirt-engine/ca.pem -u <USER>:<PASSWORD> https://<manager_fqdn>/ovirt-engine/api/hosts?search=page%2050

or even 

# curl --cacert /etc/pki/ovirt-engine/ca.pem -u <USER>:<PASSWORD> https://<manager_fqdn>/ovirt-engine/api/hosts?search=page%20100

Actual results:
even there is only one host im my environment the same host repeats on and on  in pages 1-100+ 

Expected results:
if all hosts were shown on the first page, do not show them on the next pages

Additional info:
if user has any of the admin account (tested with "ReadOnlyAdmin" and "SuperUser") the query is correct, in my case i get ouput of one host on page 1 and when i query page 2 the output is:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

Comment 1 Ori Liel 2021-04-22 08:50:22 UTC
From a brief examination it doesn't look to me like the problem is in the API layer, rather I tend to believe that its somewhere in the search implementation in the Engine

Comment 5 Guilherme Santos 2021-07-01 15:26:51 UTC
Verified on:

1. Create a new user (user1) with User Role
2. Query paginated hosts info tru rest api
# curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%201" -k
# curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%202" -k
# curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%203" -k

Info properly queried and not repetition of info in empty pages (same response as admin user):
# curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%203" -k
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

Comment 10 errata-xmlrpc 2021-07-22 15:12:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.7]), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.