Bug 845022 - ovirt-engine-backend [Quota]: superuser cannot add or run a vm when quota policy is changed to enforce when there is no quota defined
ovirt-engine-backend [Quota]: superuser cannot add or run a vm when quota pol...
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine (Show other bugs)
x86_64 Linux
high Severity high
: ---
: 3.2.0
Assigned To: ofri
Dafna Ron
: Improvement
Depends On:
Blocks: 915537
  Show dependency treegraph
Reported: 2012-08-01 10:05 EDT by Dafna Ron
Modified: 2016-02-10 15:17 EST (History)
12 users (show)

See Also:
Fixed In Version: sf3
Doc Type: Enhancement
Doc Text:
The quota sub tab of the datacenter tab now has basic edit operations, as well as a warning notification when moving a datacenter to quota enforced mode for the first time. This prevents users from accidentally moving into quota enforced mode without being aware of the consequences.
Story Points: ---
Clone Of:
Last Closed: 2013-06-10 17:08:44 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: SLA
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
log (83.66 KB, application/x-xz)
2012-08-01 10:05 EDT, Dafna Ron
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 10520 None None None Never
Red Hat Product Errata RHSA-2013:0888 normal SHIPPED_LIVE Moderate: Red Hat Enterprise Virtualization Manager 3.2 update 2013-06-10 20:55:41 EDT

  None (edit)
Description Dafna Ron 2012-08-01 10:05:58 EDT
Created attachment 601748 [details]

Description of problem:

I changed the quota policy to enforce without creating a quota in the system. 
superadmin user got a CanDoAction on create or run vm. 

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. without creating a quota, change the quota policy to enforce
2. try to create a vm
3. try to run a vm
Actual results:

we fail with CanDoAction on both actions

Expected results:

superuser should be able to run/create vm's even if there is no quota present in the system.

Additional info: log

2012-08-01 16:54:47,044 WARN  [org.ovirt.engine.core.bll.RunVmCommand] (ajp-/ CanDoAction of action RunVm failed. Reasons:VAR__ACTION__RUN,VAR__TYPE__VM,ACTION_TYPE_FAILED_QUOTA_IS_NOT_VALID

2012-08-01 16:53:08,425 WARN  [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/ [46ea43f4] CanDoAction of action AddVmFromScratch failed. Reasons:VAR__ACTION__ADD,VAR__TYPE__VM,ACTION_TYPE_FAILED_QUOTA_IS_NOT_
Comment 1 Itamar Heim 2012-08-01 11:07:09 EDT
Quota is not a permission check - I'm not sure superuser should be able to bypass quota definition, unless we add a permission for bypassing quota checks (which we can give to other users as well).

I couldn't locate anywhere this was defined as part of feature scope/design.
Comment 2 Dafna Ron 2012-08-06 06:52:47 EDT
this also happens when we are in Audit:

2012-08-06 13:44:51,749 WARN  [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/ [4fb12cdb] CanDoAction of action AddVmFromScratch failed. Reasons:VAR__ACTION__ADD,VAR__TYPE__VM,ACTION_TYPE_FAILED_QUOTA_IS_NOT_VALID
Comment 4 Doron Fediuck 2012-12-30 03:38:39 EST
This is following the Quota design.
Quota has allocation and consumers. Regardless of the role, you cannot
create / run a VM if you have no allocations when quota is being enforced,
following similar concepts of selinux.

So there are 2 issues I see here:
1. Check what happens in audit mode which should allow normal work giving
proper warnings.
2. When moving to enforcing mode, warn the admin if there are no quotas defined.

This is also related to bug 855630.
Comment 5 Doron Fediuck 2013-01-01 02:58:05 EST
This is going to be handled together with Bug 855630, which will:
1. Enable action buttons in the Quota sub-tab of a DC, so this sub tab will behave and used in the same way as other sub tabs in the system.
2. Provide the user with a special feedback when enabling Quota for a specific DC.
Comment 6 ofri 2013-01-01 09:37:42 EST
merged upstream: http://gerrit.ovirt.org/#/c/10520/
Comment 7 Dafna Ron 2013-01-24 08:43:37 EST
verified on sf4. 
I am verifying since we have a new alert and a new quota sub tab added
however, I am opening 2 new bugs 
1. for the alert which is very complicated and long
2. for the quota sub tab taking a long time to appear and disappear when we enable/disable the quota.
Comment 8 Cheryn Tan 2013-04-03 02:51:57 EDT
This bug is currently attached to errata RHEA-2013:14491. If this change is not to be documented in the text for this errata please either remove it from the errata, set the requires_doc_text flag to minus (-), or leave a "Doc Text" value of "--no tech note required" if you do not have permission to alter the flag.

Otherwise to aid in the development of relevant and accurate release documentation, please fill out the "Doc Text" field above with these four (4) pieces of information:

* Cause: What actions or circumstances cause this bug to present.

* Consequence: What happens when the bug presents.

* Fix: What was done to fix the bug.

* Result: What now happens when the actions or circumstances above occur. (NB: this is not the same as 'the bug doesn't present anymore')

Once filled out, please set the "Doc Type" field to the appropriate value for the type of change made and submit your edits to the bug.

For further details on the Cause, Consequence, Fix, Result format please refer to:


Thanks in advance.
Comment 9 errata-xmlrpc 2013-06-10 17:08:44 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.