Red Hat Bugzilla – Bug 845026
ovirt-engine-backend [MLA]: DomainAdmin role cannot add user permissions to created objects with CanDoAction
Last modified: 2016-02-10 14:42:22 EST
Created attachment 601754
Description of problem:
As a DataCenterAdmin I was trying to add user permissions on objects under the DC (quota and VMs). I got a CanDoAction that user is not permitted to perform action
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. create a user and assign it with DataCenterAdmin role.
2. login to the admin portal
3. add a vm -> try to assign a user under the vm -> permissions tab
we are getting CanDoAction
Data Center Admin should be allowed to add permissions on objects.
2012-08-01 17:16:45,727 WARN [org.ovirt.engine.core.bll.AddPermissionCommand] (ajp-/127.0.0.1:8009-35) CanDoAction of action AddPermission failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
why would creator roles need this permission? the created object would be created with an owner permission?
(In reply to comment #2)
> why would creator roles need this permission? the created object would be
> created with an owner permission?
The creator will indeed become the owner (have UserVmManager role on the created VM, and TemplateOwner on the created template).
However, as a UserVmManager, he won't be able to add permission to other people (unless we decide to include the UserVmManager, and the TemplateOwner in the list of roles that have AddPermission action group).
miki - for which roles? it seems no one in the field is using our roles that way as this is the current status and no one complained about this?
oved - please discuss with Alon - I find UserVmManager a very strange default ownership role if it doesn't contain permission manipulation for object creator.
please check behavior for disks as well.