Bug 1951579 - RHV api issues when account has only "UserRole" permissions
Summary: RHV api issues when account has only "UserRole" permissions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.3.11
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ovirt-4.4.7
: 4.4.7
Assignee: Ori Liel
QA Contact: Guilherme Santos
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-20 13:53 UTC by Marian Jankular
Modified: 2022-08-03 12:01 UTC (History)

Fixed In Version: ovirt-engine-4.4.7
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-22 15:12:33 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2021:2865 | 0 | None | None | None | 2021-07-22 15:13:39 UTC
oVirt gerrit | 114547 | 0 | master | MERGED | restapi - Search hosts as non-admin user | 2021-04-29 09:16:40 UTC

Description Marian Jankular 2021-04-20 13:53:42 UTC
Description of problem:
RHV api issues when user has only "UserRole" permissions

Version-Release number of selected component (if applicable):
4.3.x
4.4.x as well

How reproducible:
every time

Steps to Reproduce:
1. create user with "UserRole" permission only
2. try to get host info with query below issued on the manager:
# curl --cacert /etc/pki/ovirt-engine/ca.pem -u <USER>:<PASSWORD> "https://<manager_fqdn>/ovirt-engine/api/hosts?search=page%2050"

or even

# curl --cacert /etc/pki/ovirt-engine/ca.pem -u <USER>:<PASSWORD> "https://<manager_fqdn>/ovirt-engine/api/hosts?search=page%20100"
3.

Actual results:
Even though there is only one host in my environment, the same host repeats on and on in pages 1-100+

Expected results:
if all hosts were shown on the first page, do not show them on the next pages

Additional info:
If the user has any of the admin accounts (tested with "ReadOnlyAdmin" and "SuperUser") the query is correct. In my case I get output of one host on page 1, and when I query page 2 the output is:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<hosts/>

Comment 1 Ori Liel 2021-04-22 08:50:22 UTC
From a brief examination it doesn't look to me like the problem is in the API layer; rather, I tend to believe that it's somewhere in the search implementation in the Engine.

Comment 5 Guilherme Santos 2021-07-01 15:26:51 UTC
Verified on:
ovirt-engine-4.4.7.5-0.9.el8ev.noarch

Steps:
1. Create a new user (user1) with User Role
2. Query paginated hosts info through the REST API
# curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%201" -k
# curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%202" -k
# curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%203" -k

Results:
Info properly queried and no repetition of info in empty pages (same response as admin user):
# curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%203" -k
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<hosts/>
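
The page-by-page check from the reproduction and verification steps above, automated as an added example (not part of the bug report or of ovirt-engine). `fetch_page` is a hypothetical caller-supplied function that returns the XML body for `search=page%20N`; the sample responses, host id and host name are constructed.

```python
import xml.etree.ElementTree as ET

DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
# Constructed sample bodies; the host id and name are made up.
HOST_ID = "00000000-0000-0000-0000-000000000001"
ONE_HOST = (DECL + f'<hosts><host href="/ovirt-engine/api/hosts/{HOST_ID}" '
            f'id="{HOST_ID}"><name>host1</name></host></hosts>')
EMPTY = DECL + "<hosts/>"


def host_ids(xml_text):
    """Return the id attribute of every <host> in a /hosts response body."""
    root = ET.fromstring(xml_text)
    if root.tag != "hosts":
        raise ValueError(f"unexpected root element: {root.tag!r}")
    return [h.get("id") for h in root.findall("host")]


def check_pagination(fetch_page, max_pages=100):
    """Request pages 1..max_pages and stop at the first empty page.

    fetch_page(n) is a caller-supplied (hypothetical) function returning the
    XML body for search=page%20n. Returns (last_page_requested, repeats),
    where repeats maps a host id to the pages it appeared on, for ids that
    appeared on more than one page.
    """
    seen = {}
    last = 0
    for last in range(1, max_pages + 1):
        ids = host_ids(fetch_page(last))
        if not ids:
            break
        for host_id in ids:
            seen.setdefault(host_id, []).append(last)
    repeats = {i: pages for i, pages in seen.items() if len(pages) > 1}
    return last, repeats


def fixed_engine(n):  # simulated: one host, every later page is empty
    return ONE_HOST if n == 1 else EMPTY


def buggy_engine(n):  # simulated: the behaviour reported in the description
    return ONE_HOST


if __name__ == "__main__":
    print(check_pagination(fixed_engine, max_pages=5))
    print(check_pagination(buggy_engine, max_pages=5))
```

A non-empty `repeats` result for a "UserRole" account, where an admin account returns an empty one, reproduces the reported behaviour.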

Comment 10 errata-xmlrpc 2021-07-22 15:12:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.7]), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2865

Comment 11 meital avital 2022-08-03 12:01:22 UTC
Due to QE capacity, we are not going to cover this issue in our automation.

