Red Hat Bugzilla – Bug 839319
Permissions given to DataCenter level do not apply
Last modified: 2015-09-22 09:09 EDT
Description of problem:
When user is granted any role on DC level, some of the permissions don't apply. This makes PowerUser and higer permissions granted on DataCenter-Permissions useless.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. add PowerUserRole to some user in DataCenter-Permissions tab
2. log in to User Portal
1. as said PowerUser, create VM
2. create a disk for the VM
1. in DataCenter-Permissions, add SuperUser role to some user
2. log in to webadmin ad the user in step above
3. try to create/import/modify storage domain
A. user can not access Power User Portal
B. dialog says that no active storage domain is available
C. none of the action is done, error is popped that user is not permitted to do the specified action
A. user can see Extended portal
B. user can create a disk
C. user can work with storage
note that it is possible to log to webadmin in C.
(In reply to comment #0)
I don't understand how you got to the result of B if A failed
C. Are you sure of this?
Both cases B and C indicate that your storage domain may have been down during your test - but again I don't understand how you got to B if in A you could not log into the portal in the first place.
(In reply to comment #1)
> I don't understand how you got to the result of B if A failed
a clarification: A hits if you add permissions to group whose member is our user. Once you add the permissions to the user, he is able to see the portal and create a VM - but not to create the disk for it.
Sounds similar to
But need to investigate this more .
Quality Engineering Management has reviewed and declined this request.
You may appeal this decision by reopening this request.
Still present in si13.2, marking as a regression because my 3.0 configuration is unusable in 3.1.
Checking upstream env (including some changes inserted after SI13.2 was released) -
Scenario A - works
Scenario C - does not work
not sure why C is a regression. I'm pretty sure in 3.0 storage domain permissions had to be given at system level.
I did the following testing with the fix for bug #846300 (you can find a similar comment in that bug as well).
Added a new user, and gave him power user role on the DC.
Then, I logged in with it to the user portal, added a new VM, and added a new disk. It worked well.
One of the changes I did was to make the storage domain inherit the permissions from the DC, so looks like that was what solved your scenario, as PowerUser has permissions to create disks, and with my patches this permission also propogates to the storage domains.
Scenario C does not work at 3.0 as well, threfore is not a part of the regression (Just chedked on 3.0 setup) - a storage domain is created under SYSTEM, not under data center. A storage domain is associated to data center only using attach.
IMHO, changing this , even for the sake of creating storage domain is incorrect.
If A is not reporoduced, B is solved in bug #846300, and C won't be fixes, can we close this bug?