Bug 845022
| Field | Value |
|---|---|
| Summary | ovirt-engine-backend [Quota]: superuser cannot add or run a vm when quota policy is changed to enforce when there is no quota defined |
| Product | Red Hat Enterprise Virtualization Manager |
| Component | ovirt-engine |
| Reporter | Dafna Ron <dron> |
| Assignee | ofri <omasad> |
| QA Contact | Dafna Ron <dron> |
| Docs Contact | |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | 3.1.0 |
| CC | dfediuck, dyasny, hateya, iheim, jbiddle, lpeer, mkenneth, pstehlik, Rhev-m-bugs, sgrinber, yeylon, ykaul |
| Target Milestone | --- |
| Keywords | Improvement |
| Target Release | 3.2.0 |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | sla |
| Fixed In Version | sf3 |
| Doc Type | Enhancement |
| Doc Text | The quota sub tab of the datacenter tab now has basic edit operations, as well as a warning notification when moving a datacenter to quota enforced mode for the first time. This prevents users from accidentally moving into quota enforced mode without being aware of the consequences. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2013-06-10 21:08:44 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | SLA |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 915537 |
| Attachments | |
Quota is not a permission check - I'm not sure superuser should be able to bypass quota definition, unless we add a permission for bypassing quota checks (which we can give to other users as well). I couldn't locate anywhere this was defined as part of feature scope/design.

This also happens when we are in Audit:

```
2012-08-06 13:44:51,749 WARN [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/127.0.0.1:8009-1) [4fb12cdb] CanDoAction of action AddVmFromScratch failed. Reasons:VAR__ACTION__ADD,VAR__TYPE__VM,ACTION_TYPE_FAILED_QUOTA_IS_NOT_VALID
```

This is following the Quota design. Quota has allocation and consumers. Regardless of the role, you cannot create / run a VM if you have no allocations when quota is being enforced, following similar concepts of SELinux.

So there are 2 issues I see here:

1. Check what happens in audit mode which should allow normal work giving proper warnings.
2. When moving to enforcing mode, warn the admin if there are no quotas defined.

This is also related to bug 855630.

This is going to be handled together with Bug 855630, which will:

1. Enable action buttons in the Quota sub-tab of a DC, so this sub tab will behave and be used in the same way as other sub tabs in the system.
2. Provide the user with a special feedback when enabling Quota for a specific DC.

merged upstream: http://gerrit.ovirt.org/#/c/10520/

verified on sf4. I am verifying since we have a new alert and a new quota sub tab added; however, I am opening 2 new bugs:

1. for the alert which is very complicated and long
2. for the quota sub tab taking a long time to appear and disappear when we enable/disable the quota.

This bug is currently attached to errata RHEA-2013:14491. If this change is not to be documented in the text for this errata please either remove it from the errata, set the requires_doc_text flag to minus (-), or leave a "Doc Text" value of "--no tech note required" if you do not have permission to alter the flag.

Otherwise to aid in the development of relevant and accurate release documentation, please fill out the "Doc Text" field above with these four (4) pieces of information:

* Cause: What actions or circumstances cause this bug to present.
* Consequence: What happens when the bug presents.
* Fix: What was done to fix the bug.
* Result: What now happens when the actions or circumstances above occur. (NB: this is not the same as 'the bug doesn't present anymore')

Once filled out, please set the "Doc Type" field to the appropriate value for the type of change made and submit your edits to the bug.

For further details on the Cause, Consequence, Fix, Result format please refer to: https://bugzilla.redhat.com/page.cgi?id=fields.html#cf_release_notes

Thanks in advance.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0888.html
Created attachment 601748: log

Description of problem:

I changed the quota policy to enforce without creating a quota in the system. superadmin user got a CanDoAction on create or run vm.

Version-Release number of selected component (if applicable):

si12

How reproducible:

100%

Steps to Reproduce:

1. without creating a quota, change the quota policy to enforce
2. try to create a vm
3. try to run a vm

Actual results:

we fail with CanDoAction on both actions

Expected results:

superuser should be able to run/create vm's even if there is no quota present in the system.

Additional info: log

```
2012-08-01 16:54:47,044 WARN [org.ovirt.engine.core.bll.RunVmCommand] (ajp-/127.0.0.1:8009-33) CanDoAction of action RunVm failed. Reasons:VAR__ACTION__RUN,VAR__TYPE__VM,ACTION_TYPE_FAILED_QUOTA_IS_NOT_VALID
2012-08-01 16:53:08,425 WARN [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/127.0.0.1:8009-26) [46ea43f4] CanDoAction of action AddVmFromScratch failed. Reasons:VAR__ACTION__ADD,VAR__TYPE__VM,ACTION_TYPE_FAILED_QUOTA_IS_NOT_VALID
```
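To find every action rejected by the quota check in an engine.log written in the format quoted in this report, the following added example (not part of the original report and not oVirt project code) parses `CanDoAction ... failed` lines, with or without the bracketed correlation ID, and groups those carrying `ACTION_TYPE_FAILED_QUOTA_IS_NOT_VALID` by action. The function names, the last two sample lines and the reason `ACTION_TYPE_FAILED_EXAMPLE_OTHER_REASON` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: first two lines follow the report, the last two are invented.
SAMPLE_LOG = """\
2012-08-01 16:53:08,425 WARN [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/127.0.0.1:8009-26) [46ea43f4] CanDoAction of action AddVmFromScratch failed. Reasons:VAR__ACTION__ADD,VAR__TYPE__VM,ACTION_TYPE_FAILED_QUOTA_IS_NOT_VALID
2012-08-01 16:54:47,044 WARN [org.ovirt.engine.core.bll.RunVmCommand] (ajp-/127.0.0.1:8009-33) CanDoAction of action RunVm failed. Reasons:VAR__ACTION__RUN,VAR__TYPE__VM,ACTION_TYPE_FAILED_QUOTA_IS_NOT_VALID
2012-08-01 16:55:02,310 WARN [org.ovirt.engine.core.bll.RunVmCommand] (ajp-/127.0.0.1:8009-34) [1a2b3c4d] CanDoAction of action RunVm failed. Reasons:VAR__ACTION__RUN,VAR__TYPE__VM,ACTION_TYPE_FAILED_EXAMPLE_OTHER_REASON
2012-08-01 16:55:10,000 INFO [org.ovirt.engine.core.bll.ExampleCommand] (ajp-/127.0.0.1:8009-35) unrelated line
"""

QUOTA_REASON = "ACTION_TYPE_FAILED_QUOTA_IS_NOT_VALID"

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]*)\)\s+"
    r"(?:\[(?P<corr>[0-9a-f]+)\]\s+)?"  # correlation ID is absent on some lines
    r"CanDoAction of action (?P<action>\w+) failed\. Reasons:(?P<reasons>\S+)"
)


def parse_failures(text):
    """Yield one dict per failed CanDoAction line; all other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["reasons"] = rec["reasons"].split(",")
            yield rec


def quota_rejections(text):
    """Map action name -> [(timestamp, correlation ID or None)], oldest first."""
    by_action = defaultdict(list)
    for rec in sorted(parse_failures(text), key=lambda r: r["ts"]):
        if QUOTA_REASON in rec["reasons"]:
            by_action[rec["action"]].append((rec["ts"], rec["corr"]))
    return dict(by_action)


if __name__ == "__main__":
    for action, hits in quota_rejections(SAMPLE_LOG).items():
        print(action, hits)
```
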