Red Hat Bugzilla – Bug 845022
ovirt-engine-backend [Quota]: superuser cannot add or run a vm when quota policy is changed to enforce when there is no quota defined
Last modified: 2016-02-10 15:17:58 EST
Created attachment 601748
Description of problem:
I changed the quota policy to enforce without creating a quota in the system.
Superadmin user got a CanDoAction on create or run VM.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Without creating a quota, change the quota policy to enforce
2. Try to create a VM
3. Try to run a VM
We fail with CanDoAction on both actions.
Superuser should be able to run/create VMs even if there is no quota present in the system.
Additional info: log
2012-08-01 16:54:47,044 WARN [org.ovirt.engine.core.bll.RunVmCommand] (ajp-/127.0.0.1:8009-33) CanDoAction of action RunVm failed. Reasons:VAR__ACTION__RUN,VAR__TYPE__VM,ACTION_TYPE_FAILED_QUOTA_IS_NOT_VALID
2012-08-01 16:53:08,425 WARN [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/127.0.0.1:8009-26) [46ea43f4] CanDoAction of action AddVmFromScratch failed. Reasons:VAR__ACTION__ADD,VAR__TYPE__VM,ACTION_TYPE_FAILED_QUOTA_IS_NOT_
Quota is not a permission check - I'm not sure superuser should be able to bypass quota definition, unless we add a permission for bypassing quota checks (which we can give to other users as well).
I couldn't locate anywhere this was defined as part of feature scope/design.
This also happens when we are in Audit:
2012-08-06 13:44:51,749 WARN [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/127.0.0.1:8009-1) [4fb12cdb] CanDoAction of action AddVmFromScratch failed. Reasons:VAR__ACTION__ADD,VAR__TYPE__VM,ACTION_TYPE_FAILED_QUOTA_IS_NOT_VALID
This is following the Quota design.
Quota has allocation and consumers. Regardless of the role, you cannot
create / run a VM if you have no allocations when quota is being enforced,
following similar concepts of SELinux.
So there are 2 issues I see here:
1. Check what happens in audit mode which should allow normal work giving
2. When moving to enforcing mode, warn the admin if there are no quotas defined.
This is also related to bug 855630.
This is going to be handled together with Bug 855630, which will:
1. Enable action buttons in the Quota sub-tab of a DC, so this sub-tab will behave and be used in the same way as other sub-tabs in the system.
2. Provide the user with special feedback when enabling Quota for a specific DC.
Merged upstream: http://gerrit.ovirt.org/#/c/10520/
Verified on sf4.
I am verifying since we have a new alert and a new quota sub-tab added;
however, I am opening 2 new bugs:
1. for the alert, which is very complicated and long
2. for the quota sub-tab taking a long time to appear and disappear when we enable/disable the quota.
This bug is currently attached to errata RHEA-2013:14491. If this change is not to be documented in the text for this errata please either remove it from the errata, set the requires_doc_text flag to minus (-), or leave a "Doc Text" value of "--no tech note required" if you do not have permission to alter the flag.
Otherwise to aid in the development of relevant and accurate release documentation, please fill out the "Doc Text" field above with these four (4) pieces of information:
* Cause: What actions or circumstances cause this bug to present.
* Consequence: What happens when the bug presents.
* Fix: What was done to fix the bug.
* Result: What now happens when the actions or circumstances above occur. (NB: this is not the same as 'the bug doesn't present anymore')
Once filled out, please set the "Doc Type" field to the appropriate value for the type of change made and submit your edits to the bug.
For further details on the Cause, Consequence, Fix, Result format please refer to:
Thanks in advance.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
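An added example, not part of the original bug report or the oVirt code base: a small Python triage script that parses engine WARN lines of the shape quoted in the comments above and counts CanDoAction failures whose reason codes are quota-related, including a reason code cut off mid-name. The function names, the regular expression and the last two sample lines are constructed for illustration; treating `VAR__*` entries as message variables rather than failure reasons is an assumption.

```python
import re
from collections import Counter

# Shape of the engine WARN lines quoted in this report. The bracketed
# correlation id is optional (the RunVm line in the report has none).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) WARN\s+"
    r"\[(?P<cls>[\w.]+)\] \((?P<thread>[^)]*)\)\s+"
    r"(?:\[(?P<corr>[0-9a-f]+)\] )?"
    r"CanDoAction of action (?P<action>\w+) failed\. Reasons:\s*(?P<reasons>\S*)"
)
# Prefix match so a reason code cut off by log truncation still counts.
QUOTA_PREFIX = "ACTION_TYPE_FAILED_QUOTA_"


def parse_line(line):
    """Return a dict for a CanDoAction failure line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    codes = [c for c in m.group("reasons").split(",") if c]
    # Assumption: VAR__* entries are message variables, not failure reasons.
    failures = [c for c in codes if not c.startswith("VAR__")]
    return {
        "timestamp": m.group("ts"),
        "command": m.group("cls").rsplit(".", 1)[-1],
        "correlation_id": m.group("corr"),
        "action": m.group("action"),
        "failures": failures,
        "quota_related": any(c.startswith(QUOTA_PREFIX) for c in failures),
    }


def quota_failures(lines):
    """Count quota-related CanDoAction failures per action."""
    parsed = filter(None, map(parse_line, lines))
    return Counter(p["action"] for p in parsed if p["quota_related"])


SAMPLE = [  # first three lines are from the report; the last two are constructed
    "2012-08-01 16:54:47,044 WARN [org.ovirt.engine.core.bll.RunVmCommand] (ajp-/127.0.0.1:8009-33) CanDoAction of action RunVm failed. Reasons:VAR__ACTION__RUN,VAR__TYPE__VM,ACTION_TYPE_FAILED_QUOTA_IS_NOT_VALID",
    "2012-08-01 16:53:08,425 WARN [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/127.0.0.1:8009-26) [46ea43f4] CanDoAction of action AddVmFromScratch failed. Reasons:VAR__ACTION__ADD,VAR__TYPE__VM,ACTION_TYPE_FAILED_QUOTA_IS_NOT_",
    "2012-08-06 13:44:51,749 WARN [org.ovirt.engine.core.bll.AddVmFromScratchCommand] (ajp-/127.0.0.1:8009-1) [4fb12cdb] CanDoAction of action AddVmFromScratch failed. Reasons:VAR__ACTION__ADD,VAR__TYPE__VM,ACTION_TYPE_FAILED_QUOTA_IS_NOT_VALID",
    "2012-08-06 13:45:02,101 WARN [org.ovirt.engine.core.bll.RunVmCommand] (ajp-/127.0.0.1:8009-2) CanDoAction of action RunVm failed. Reasons:VAR__ACTION__RUN,VAR__TYPE__VM,ACTION_TYPE_FAILED_EXAMPLE_OTHER_REASON",
    "2012-08-06 13:45:10,000 INFO [org.ovirt.engine.core.bll.RunVmCommand] (ajp-/127.0.0.1:8009-3) Running command: RunVmCommand",
]

if __name__ == "__main__":
    for action, count in quota_failures(SAMPLE).items():
        print(f"{action}: {count} quota-related CanDoAction failure(s)")
```

A burst of these failures right after a data center's quota mode changes, across all users including administrators, matches the situation reported here: enforcement switched on with no quota defined.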