Bug 847781 - system-defined PowerUser is able to see all the VMs in the setup
system-defined PowerUser is able to see all the VMs in the setup
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-userportal (Show other bugs)
3.1.0
Unspecified Unspecified
high Severity high
: ---
: ---
Assigned To: Oved Ourfali
Pavel Stehlik
infra
: Regression, Reopened
Depends On:
Blocks: 856741
  Show dependency treegraph
 
Reported: 2012-08-13 10:19 EDT by David Jaša
Modified: 2016-02-10 14:11 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Release Note
Doc Text:
In previous versions assigning the "PowerUserRole" to a user over a data center or cluster allowed the user to create virtual machines. The user was only permitted to view virtual machines which they had created. In Red Hat Enterprise Virtualization 3.1 this behavior has changed to provide increased permission granularity for objects. The "PowerUserRole" now grants full control over the data center or cluster including the ability to view the virtual machines it contains. The new "VMCreator" role grants permissions similar to those of the old "PowerUserRole". Users with the VMCreator role over a data center or cluster are able to create virtual machines, but are only permitted to view virtual machines which they themselves created.
Story Points: ---
Clone Of:
: 856741 (view as bug list)
Environment:
Last Closed: 2012-08-16 12:43:50 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Jaša 2012-08-13 10:19:32 EDT
Description of problem:
system-defined PowerUser is able to see all the VMs in the setup.

Version-Release number of selected component (if applicable):
rhevm-userportal-3.1.0-11.el6ev.noarch / si13.2

How reproducible:
always

Steps to Reproduce:
1. In Configure -> System permissions, add PowerUserRole to some user, make sure that he has no other permissions defined elsewhere (DC/Cluster/VM)
2. make sure there is a VM in the setup that the user has no permissions to access it (it's fine if there are no permissions set to it)
3. log in to User Portal as the user with PowerUserRole
  
Actual results:
* user can see the VMs
* user can trigger run/shutdown/pause actions

Expected results:
user can not see the VMs

Additional info:
when trying to connect to the VM consoles, user is refused with some VMs with "User is not authorized to perform this action." error message, but he is able to connect to the others. There is no apparent pattern to this (like permission, other users being logged in etc.)
Comment 2 Itamar Heim 2012-08-13 11:21:39 EDT
you gave the user a system level PowerUserRole, which means you gave the user permissions to all vm's in the system, so user should see all VMs in the system.

system permissions are not only admin permissions. admin vs. user depends on the role.

for the additional info, need more details / another bug to look into.
Comment 3 David Jaša 2012-08-13 12:02:23 EDT
(In reply to comment #2)
> you gave the user a system level PowerUserRole, which means you gave the
> user permissions to all vm's in the system, so user should see all VMs in
> the system.

OK but then PowerUserRole changed its meaning from 3.0 entirely and it seems pretty useless in its current form. What about dropping it and recreating it again in 3.0 scope on top of 3.1 permission model*, should I create a new bug for it?

* IIUC, that would be union of UserRole, VMCreator, TemplateCreator, DiskCreator (with Delete Disk permission added) and ability to grant other users UserRole

Reopening till this question is answered.

> 
> system permissions are not only admin permissions. admin vs. user depends on
> the role.
> 
> for the additional info, need more details / another bug to look into.

FWIW, I've read bug 831146 then bug 826648 and bug 815010 that lead directly to it and associtated feature page: 
http://wiki.ovirt.org/wiki/Features/User_Portal_Permissions
so IMNSHO I do have the necessary context.

Note You need to log in before you can comment on or make changes to this bug.