Description of problem:

Version-Release number of selected component (if applicable):

How reproducible: always

Steps to Reproduce:
1. Add a user with the NetworkAdmin/ClusterAdmin role on the DC.
2. Try to add a network for a cluster which is on the DC.

Actual results: User is not authorized to perform this action.

Expected results: New network created.

Additional info: Should ClusterAdmin/NetworkAdmin be able to create a new network in a cluster?
Ondrej, please attach relevant logs.

Did you use the SDK or the API?
API and webadmin.

Can NetworkAdmin and ClusterAdmin add a new network to the DataCenter? Is this action included in the 'configure_cluster_network' permissions, or do these permissions include only assign/unassign network?

code:
dc = API.datacenters.get("DC")
net = params.Network(name="networkName", data_center=dc)
API.networks.add(net)

logs:
2012-09-25 10:56:07,666 INFO [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8009-4) Checking if user portaluser2 is an admin, result true
2012-09-25 10:56:07,667 INFO [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8009-4) Running command: LoginUserCommand internal: false.
2012-09-25 10:56:07,676 WARN [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8009-4) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2012-09-25 10:56:07,676 WARN [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8009-4) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2012-09-25 10:56:07,851 WARN [org.ovirt.engine.core.bll.storage.AddNetworkCommand] (ajp-/127.0.0.1:8009-1) [76d40240] CanDoAction of action AddNetwork failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2012-09-25 10:56:07,851 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (ajp-/127.0.0.1:8009-1) Operation Failed: [User is not authorized to perform this action.]
(In reply to comment #4)
> API and webadmin.
>
> Can NetworkAdmin and ClusterAdmin add a new network to the DataCenter? Is this
> action included in the 'configure_cluster_network' permissions, or do these
> permissions include only assign/unassign network?
>
> code:
> dc = API.datacenters.get("DC")
> net = params.Network(name="networkName", data_center=dc)
> API.networks.add(net)
>
> logs:
> 2012-09-25 10:56:07,666 INFO [org.ovirt.engine.core.bll.LoginUserCommand]
> (ajp-/127.0.0.1:8009-4) Checking if user portaluser2 is an admin, result true
> 2012-09-25 10:56:07,667 INFO [org.ovirt.engine.core.bll.LoginUserCommand]
> (ajp-/127.0.0.1:8009-4) Running command: LoginUserCommand internal: false.
> 2012-09-25 10:56:07,676 WARN
> [org.ovirt.engine.core.bll.GetConfigurationValueQuery]
> (ajp-/127.0.0.1:8009-4) calling GetConfigurationValueQuery (ApplicationMode)
> with null version, using default general for version
> 2012-09-25 10:56:07,676 WARN
> [org.ovirt.engine.core.bll.GetConfigurationValueQuery]
> (ajp-/127.0.0.1:8009-4) calling GetConfigurationValueQuery (VdcVersion) with
> null version, using default general for version
> 2012-09-25 10:56:07,851 WARN
> [org.ovirt.engine.core.bll.storage.AddNetworkCommand]
> (ajp-/127.0.0.1:8009-1) [76d40240] CanDoAction of action AddNetwork failed.
> Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2012-09-25 10:56:07,851 ERROR
> [org.ovirt.engine.api.restapi.resource.AbstractBackendResource]
> (ajp-/127.0.0.1:8009-1) Operation Failed: [User is not authorized to perform
> this action.]

Currently, only super user and DC admin can add networks to the DC.

Currently, network admin can:
CONFIGURE_CLUSTER_NETWORK
CONFIGURE_HOST_NETWORK
MANIPUTLATE_HOST

Cluster admin can do many things, but he also can't create a new logical network.

So, in order to add a new network you first have to add it in the DC (with DCadmin/SuperUser role), and then attach it to the cluster.
Adding it directly from the cluster logical networks dialog won't work if you don't have one of the roles above. So, if the use-case you described is attaching an existing network to the cluster, then network admin should be enough (and if not that's a bug). However, if you are trying to add a new logical network through the cluster logical networks dialog, with only network admin permissions, then it should fail (if that's the case, please close the bug, as this is not a bug).
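
Added example, not part of the thread or of the oVirt code base: a small Python audit of engine.log lines in the format quoted above. It lists actions the engine refused with USER_NOT_AUTHORIZED_TO_PERFORM_ACTION and, separately, the users it classified as admin at login. The function names are hypothetical, and the sample lines are copied from the report.

```python
import re

# engine.log layout as seen in the report: timestamp, level, [logger], (thread),
# optional [correlation id], message.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) "
    r"(?:\[(?P<corr>[0-9a-f]+)\] )?(?P<msg>.*)$"
)
DENIED = re.compile(r"CanDoAction of action (?P<action>\w+) failed\. Reasons:(?P<reasons>\S+)")
LOGIN = re.compile(r"Checking if user (?P<user>\S+) is an admin, result (?P<admin>true|false)")

# Sample input: three of the log lines quoted in the report, unwrapped.
SAMPLE_LOG = """\
2012-09-25 10:56:07,666 INFO [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8009-4) Checking if user portaluser2 is an admin, result true
2012-09-25 10:56:07,851 WARN [org.ovirt.engine.core.bll.storage.AddNetworkCommand] (ajp-/127.0.0.1:8009-1) [76d40240] CanDoAction of action AddNetwork failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2012-09-25 10:56:07,851 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (ajp-/127.0.0.1:8009-1) Operation Failed: [User is not authorized to perform this action.]
"""

def parse(text):
    """Yield one dict per line that matches the engine.log layout."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def authorization_denials(text):
    """Return actions whose CanDoAction check failed for lack of permission."""
    out = []
    for rec in parse(text):
        m = DENIED.search(rec["msg"])
        if m and "USER_NOT_AUTHORIZED_TO_PERFORM_ACTION" in m["reasons"].split(","):
            out.append({"ts": rec["ts"], "action": m["action"],
                        "correlation_id": rec["corr"], "thread": rec["thread"]})
    return out

def admin_login_checks(text):
    """Map user name -> result of the engine's 'is an admin' check at login."""
    # The denial line carries no user name and runs on a different thread,
    # so the two results are reported side by side rather than joined.
    return {m["user"]: m["admin"] == "true"
            for rec in parse(text) if (m := LOGIN.search(rec["msg"]))}

if __name__ == "__main__":
    print(admin_login_checks(SAMPLE_LOG))
    for denial in authorization_denials(SAMPLE_LOG):
        print(denial)
```

On the sample, portaluser2 passes the admin check yet AddNetwork is still denied, which matches the explanation above that an admin-type role does not by itself grant the right to create a network in the DC.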