First Last Prev Next    This bug is not in your last search results.
Bug 845026 - ovirt-engine-backend [MLA]: DomainAdmin role cannot add user permissions to created objects with CanDoAction
ovirt-engine-backend [MLA]: DomainAdmin role cannot add user permissions to c...
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine (Show other bugs)
3.1.0
x86_64 Linux
high Severity high
: ---
: 3.1.0
Assigned To: Oved Ourfali
Ondra Machacek
infra
: Improvement
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-01 10:30 EDT by Dafna Ron
Modified: 2016-02-10 14:42 EST (History)
12 users (show)

See Also:
Fixed In Version: si14
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
log (84.75 KB, application/x-xz)
2012-08-01 10:30 EDT, Dafna Ron 		no flags Details
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Dafna Ron 2012-08-01 10:30:57 EDT 
Created attachment 601754 [details]
log

Description of problem:

as a DataCenterAdmin I was trying to add user permissions on objects under the DC (quota and vm's). I got a CanDoAction that user is not permitted to perfor action 

Version-Release number of selected component (if applicable):

si12

How reproducible:

100%

Steps to Reproduce:
1. create a user and assign it with DataCenterAdmin role. 
2. login to the admin portal
3. add a vm -> try to assign a user under the vm -> permissions tab
  
Actual results:

we are getting CanDoAction 

Expected results:

Data Center Admin should be allowed to add permissions on objects. 


Additional info:

2012-08-01 17:16:45,727 WARN  [org.ovirt.engine.core.bll.AddPermissionCommand] (ajp-/127.0.0.1:8009-35) CanDoAction of action AddPermission failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
Comment 2 Itamar Heim 2012-08-02 06:46:33 EDT 
why would creator roles need this permission? the created object would be created with an owner permission?
Comment 4 Oved Ourfali 2012-08-02 07:31:30 EDT 
(In reply to comment #2)
> why would creator roles need this permission? the created object would be
> created with an owner permission?

The creator will indeed become the owner (have UserVmManager role on the created VM, and TemplateOwner on the created template template).

However, as a UserVmManager, he won't be able to add permission to other people (unless we decide to include the UserVmManager, and the TemplateOwner in the list of roles that have AddPermission action group).
Comment 6 Itamar Heim 2012-08-05 17:23:30 EDT 
miki - for which roles? it seems no one in the field is using our roles that way as this is the current status and no one complained about this?

oved - please discuss with Alon - I find UserVmManager a very strange default ownership role if it doesn't contain permission manipulation for object creator.
please check behavior for disks as well.
Comment 11 Oved Ourfali 2012-08-09 05:34:48 EDT 
Commit: a8ffb6fcef5c79dd641f51176e8b13de6824ce27

http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=a8ffb6fcef5c79dd641f51176e8b13de6824ce27
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.