Description of problem: Engine should not return all host details for non-admin users Expected results: only 'display ip details' with the ip/port should be returned in host object, also VdcQueryType.GetVdsCertificateSubjectByVdsId query should be permitted for non-admin users or alternatively BE should expose host_subject via host property.
not sure if the correct approach is to keep GetVdsCertificateSubjectByVdsId as a user query, or wrap it with a user query of GetVdsCertificateSubjectByVmId
at the end, users should not be able to GET /hosts resources at all, but VM resource should expose display_addr/port/host_subject for console
*** Bug 839227 has been marked as a duplicate of this bug. ***
Posted a patch for that: http://gerrit.ovirt.org/#/c/6542 Information on the contents of this patch (also answering Yaniv's question): 1. Block users from getting Host information via REST API (both host resource, and relevant host data in the VM resource). 2. Add GetManagementInterfaceAddressByVmIdQuery, removing GetManagementInterfaceAddressByVdsIdQuery (as it isn't used anywhere). 3. Add GetVdsCertificateSubjectByVmIdQuery which uses the existing GetVdsCertificateSubjectByVdsIdQuery (as this query is also used in other scenarios). 4. Update VncConsoleModel and SpiceConsoleModel to work with the new queries. So, need to test that when using User level API: 1. The user can't access /api/hosts (error 403, forbidden) 2. The user can't access a specific host (/api/host/<some guid>). 3. When getting all VMs (/api/vms), or a specific one (/api/vms/<some guid>) the user doesn't see any host information. 4. When getting all VMs (/api/vms), or a specific one (/api/vms/<some guid>) the user neither sees any placement policy information, nor can change it! i.e, only administrators are allowed to change the placement policy.
Commit: 1ca8d9e215bbf94138dac4ff1aa6055321fb438d http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=1ca8d9e215bbf94138dac4ff1aa6055321fb438d