Description of problem: RHV api issues when user has only "UserRole" permissions Version-Release number of selected component (if applicable): 4.3.x 4.4.x as well How reproducible: everytime Steps to Reproduce: 1. create user with "UserRole" permission only 2. try to get host info with query below issued on the manager: # curl --cacert /etc/pki/ovirt-engine/ca.pem -u <USER>:<PASSWORD> https://<manager_fqdn>/ovirt-engine/api/hosts?search=page%2050 or even # curl --cacert /etc/pki/ovirt-engine/ca.pem -u <USER>:<PASSWORD> https://<manager_fqdn>/ovirt-engine/api/hosts?search=page%20100 3. Actual results: even there is only one host im my environment the same host repeats on and on in pages 1-100+ Expected results: if all hosts were shown on the first page, do not show them on the next pages Additional info: if user has any of the admin account (tested with "ReadOnlyAdmin" and "SuperUser") the query is correct, in my case i get ouput of one host on page 1 and when i query page 2 the output is: <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <hosts/>
From a brief examination it doesn't look to me like the problem is in the API layer, rather I tend to believe that its somewhere in the search implementation in the Engine
Verified on: ovirt-engine-4.4.7.5-0.9.el8ev.noarch Steps: 1. Create a new user (user1) with User Role 2. Query paginated hosts info tru rest api # curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%201" -k # curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%202" -k # curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%203" -k Results: Info properly queried and not repetition of info in empty pages (same response as admin user): # curl -u user1@internal:<password> "https://<engine-fqdn>/ovirt-engine/api/hosts?search=page%203" -k <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <hosts/>
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.7]), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2865
Due to QE capacity, we are not going to cover this issue in our automation