Bug 845026 - ovirt-engine-backend [MLA]: DomainAdmin role cannot add user permissions to created objects with CanDoAction
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.1.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.1.0
Assignee: Oved Ourfali
QA Contact: Ondra Machacek
URL:
Whiteboard: infra
Depends On:
Blocks:
Reported: 2012-08-01 14:30 UTC by Dafna Ron
Modified: 2016-02-10 19:42 UTC
CC List: 12 users

Fixed In Version: si14
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:
oVirt Team: Infra
Target Upstream Version:
Embargoed:


Attachments
log (84.75 KB, application/x-xz), 2012-08-01 14:30 UTC, Dafna Ron

Description Dafna Ron 2012-08-01 14:30:57 UTC
Created attachment 601754: log

Description of problem:

As a DataCenterAdmin I was trying to add user permissions on objects under the DC (quota and VMs). I got a CanDoAction that the user is not permitted to perform the action.

Version-Release number of selected component (if applicable):

si12

How reproducible:

100%

Steps to Reproduce:
1. Create a user and assign it the DataCenterAdmin role.
2. Log in to the admin portal.
3. Add a VM -> try to assign a user under the VM -> Permissions tab.
Actual results:

We are getting a CanDoAction.

Expected results:

Data Center Admin should be allowed to add permissions on objects. 


Additional info:

2012-08-01 17:16:45,727 WARN  [org.ovirt.engine.core.bll.AddPermissionCommand] (ajp-/127.0.0.1:8009-35) CanDoAction of action AddPermission failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

Comment 2 Itamar Heim 2012-08-02 10:46:33 UTC
why would creator roles need this permission? the created object would be created with an owner permission?

Comment 4 Oved Ourfali 2012-08-02 11:31:30 UTC
(In reply to comment #2)
> why would creator roles need this permission? the created object would be
> created with an owner permission?

The creator will indeed become the owner (have the UserVmManager role on the created VM, and TemplateOwner on the created template).

However, as a UserVmManager, he won't be able to add permissions for other people (unless we decide to include the UserVmManager and the TemplateOwner in the list of roles that have the AddPermission action group).
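The mechanism described in this comment (the creator receives an owner role on the new object, and that role only grants what its action groups contain, so AddPermission fails unless the owner role carries that action group) can be spelled out as a small permission check. This is an added illustration, not ovirt-engine code: the Engine and Obj classes, the action-group names other than AddPermission, and the user and VM names are constructed; only the role names UserVmManager and TemplateOwner, the AddPermission action group and the USER_NOT_AUTHORIZED_TO_PERFORM_ACTION reason string come from this bug.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Obj:
    """An engine object that permissions can be attached to (constructed toy type)."""
    kind: str   # "vm" or "template"
    name: str


@dataclass
class Engine:
    """Toy permission store modelling comment 4; not ovirt-engine code."""
    # role name -> action groups the role grants (group names are illustrative)
    roles: dict[str, set[str]]
    # (user, object) -> roles the user holds directly on that object
    perms: dict[tuple[str, Obj], set[str]] = field(default_factory=dict)
    # owner role a creator receives, per object kind (as stated in comment 4)
    owner_role: dict[str, str] = field(
        default_factory=lambda: {"vm": "UserVmManager", "template": "TemplateOwner"})

    def create(self, creator: str, obj: Obj) -> Obj:
        """Creating an object makes the creator its owner for that object kind."""
        self.perms.setdefault((creator, obj), set()).add(self.owner_role[obj.kind])
        return obj

    def can_do_action(self, user: str, action_group: str, obj: Obj) -> tuple[bool, str]:
        """CanDoAction: union the action groups of every role the user holds on obj."""
        granted: set[str] = set()
        for role in self.perms.get((user, obj), set()):
            granted |= self.roles.get(role, set())
        if action_group in granted:
            return True, "OK"
        # same reason string that appears in the engine.log excerpt in this bug
        return False, "USER_NOT_AUTHORIZED_TO_PERFORM_ACTION"

    def add_permission(self, actor: str, target_user: str, role: str, obj: Obj) -> None:
        """AddPermission is itself gated by the AddPermission action group."""
        ok, reason = self.can_do_action(actor, "AddPermission", obj)
        if not ok:
            raise PermissionError(reason)
        self.perms.setdefault((target_user, obj), set()).add(role)


def default_roles() -> dict[str, set[str]]:
    """Constructed role table: the owner roles deliberately lack AddPermission."""
    return {
        "UserVmManager": {"RunVm", "EditVm"},
        "TemplateOwner": {"EditTemplate"},
    }


def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    """Owner cannot delegate with the default table; can once AddPermission is added."""
    engine = Engine(roles=default_roles())
    vm = engine.create("alice", Obj("vm", "web01"))   # alice becomes UserVmManager on web01
    before = engine.can_do_action("alice", "AddPermission", vm)
    # the option raised in comment 4: give the owner roles the AddPermission action group
    engine.roles["UserVmManager"].add("AddPermission")
    engine.roles["TemplateOwner"].add("AddPermission")
    after = engine.can_do_action("alice", "AddPermission", vm)
    # once allowed, the owner can delegate a role on the VM to another user
    engine.add_permission("alice", "bob", "UserVmManager", vm)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point of the check is that ownership and delegation are separate action groups: a user who owns an object cannot hand out roles on it unless the owner role explicitly includes AddPermission, which is exactly the design question raised in this thread.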

Comment 6 Itamar Heim 2012-08-05 21:23:30 UTC
Miki - for which roles? It seems no one in the field is using our roles that way, as this is the current status and no one has complained about this?

Oved - please discuss with Alon - I find UserVmManager a very strange default ownership role if it doesn't contain permission manipulation for the object creator.
Please check the behavior for disks as well.

Comment 11 Oved Ourfali 2012-08-09 09:34:48 UTC
Commit: a8ffb6fcef5c79dd641f51176e8b13de6824ce27

http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=a8ffb6fcef5c79dd641f51176e8b13de6824ce27

