Bug 860056 - ClusterAdmin/NetworkAdmin are unable to add/remove network to cluster
Summary: ClusterAdmin/NetworkAdmin are unable to add/remove network to cluster
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-restapi
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: ---
Assignee: Oved Ourfali
QA Contact: Oded Ramraz
URL:
Whiteboard: network
Depends On:
Blocks:
 
Reported: 2012-09-24 19:23 UTC by Ondra Machacek
Modified: 2016-02-10 19:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-25 09:22:28 UTC
oVirt Team: Network
Target Upstream Version:
Embargoed:



Description Ondra Machacek 2012-09-24 19:23:56 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Add user with NetworkAdmin/ClusterAdmin role on DC.
2. Try to add network for cluster which is on DC.
  
Actual results:
User is not authorized to perform this action.

Expected results:
New network created.

Additional info:
Should ClusterAdmin/NetworkAdmin be able to create a new network in a cluster?

Comment 2 Oded Ramraz 2012-09-25 07:09:07 UTC
Ondrej, please attach relevant logs.

Comment 3 Michael Pasternak 2012-09-25 08:38:21 UTC
Did you use the SDK or the API?

Comment 4 Ondra Machacek 2012-09-25 09:03:28 UTC
Api and webadmin.

Can NetworkAdmin and ClusterAdmin add a new network to the DataCenter? Is this action included in the 'configure_cluster_network' permissions, or do these permissions include only assign/unassign network?

code:
 dc = API.datacenters.get("DC")
 net = params.Network(name="networkName", data_center=dc)
 API.networks.add(net)

logs:
2012-09-25 10:56:07,666 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8009-4) Checking if user portaluser2 is an admin, result true
2012-09-25 10:56:07,667 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8009-4) Running command: LoginUserCommand internal: false.
2012-09-25 10:56:07,676 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8009-4) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2012-09-25 10:56:07,676 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8009-4) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2012-09-25 10:56:07,851 WARN  [org.ovirt.engine.core.bll.storage.AddNetworkCommand] (ajp-/127.0.0.1:8009-1) [76d40240] CanDoAction of action AddNetwork failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2012-09-25 10:56:07,851 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (ajp-/127.0.0.1:8009-1) Operation Failed: [User is not authorized to perform this action.]

Comment 5 Oved Ourfali 2012-09-25 09:17:32 UTC
(In reply to comment #4)
> Api and webadmin.
> 
> Can NetworkAdmin and ClusterAdmin add a new network to the DataCenter? Is
> this action included in the 'configure_cluster_network' permissions, or do
> these permissions include only assign/unassign network?
> 
> code:
>  dc = API.datacenters.get("DC")
>  net = params.Network(name="networkName", data_center=dc)
>  API.networks.add(net)
> 
> logs:
> 2012-09-25 10:56:07,666 INFO  [org.ovirt.engine.core.bll.LoginUserCommand]
> (ajp-/127.0.0.1:8009-4) Checking if user portaluser2 is an admin, result true
> 2012-09-25 10:56:07,667 INFO  [org.ovirt.engine.core.bll.LoginUserCommand]
> (ajp-/127.0.0.1:8009-4) Running command: LoginUserCommand internal: false.
> 2012-09-25 10:56:07,676 WARN 
> [org.ovirt.engine.core.bll.GetConfigurationValueQuery]
> (ajp-/127.0.0.1:8009-4) calling GetConfigurationValueQuery (ApplicationMode)
> with null version, using default general for version
> 2012-09-25 10:56:07,676 WARN 
> [org.ovirt.engine.core.bll.GetConfigurationValueQuery]
> (ajp-/127.0.0.1:8009-4) calling GetConfigurationValueQuery (VdcVersion) with
> null version, using default general for version
> 2012-09-25 10:56:07,851 WARN 
> [org.ovirt.engine.core.bll.storage.AddNetworkCommand]
> (ajp-/127.0.0.1:8009-1) [76d40240] CanDoAction of action AddNetwork failed.
> Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2012-09-25 10:56:07,851 ERROR
> [org.ovirt.engine.api.restapi.resource.AbstractBackendResource]
> (ajp-/127.0.0.1:8009-1) Operation Failed: [User is not authorized to perform
> this action.]

Currently, only super user and DC admin can add networks to the DC.

Currently, network admin can:
CONFIGURE_CLUSTER_NETWORK
CONFIGURE_HOST_NETWORK
MANIPUTLATE_HOST

Cluster admin can do many things, but he also can't create a new logical network.

So, in order to add a new network you first have to add it in the DC (with DCadmin/SuperUser role), and then attach it to the cluster. Adding it directly from the cluster logical networks dialog won't work if you don't have one of the roles above.

So, if the use-case you described is attaching an existing network to the cluster, then network admin should be enough (and if not that's a bug).
However, if you are trying to add a new logical network through the cluster logical networks dialog, with only network admin permissions, then it should fail (if that's the case, please close the bug, as this is not a bug).
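
Added example (not part of the bug report and not oVirt code): a small triage script for the engine.log format quoted in comment 4. It extracts CanDoAction failures whose reason is USER_NOT_AUTHORIZED_TO_PERFORM_ACTION, so a denied action such as AddNetwork can be told apart from other validation failures. The fourth sample line (placeholder action and reason) and the comma-separated reasons format are assumptions.

```python
import re

# Constructed sample: lines 1-3 are copied from comment 4; line 4 is made up
# (placeholder command, action and reason) to show other failures are ignored.
SAMPLE_LOG = """\
2012-09-25 10:56:07,666 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8009-4) Checking if user portaluser2 is an admin, result true
2012-09-25 10:56:07,851 WARN  [org.ovirt.engine.core.bll.storage.AddNetworkCommand] (ajp-/127.0.0.1:8009-1) [76d40240] CanDoAction of action AddNetwork failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2012-09-25 10:56:07,851 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (ajp-/127.0.0.1:8009-1) Operation Failed: [User is not authorized to perform this action.]
2012-09-25 10:57:12,004 WARN  [org.ovirt.engine.core.bll.ExampleCommand] (ajp-/127.0.0.1:8009-2) [0a1b2c3d] CanDoAction of action ExampleAction failed. Reasons:EXAMPLE_OTHER_REASON
"""

# timestamp LEVEL [logger] (thread) [optional correlation id] message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) "
    r"(?:\[(?P<corr>[0-9a-f]+)\] )?(?P<msg>.*)$")
CAN_DO = re.compile(
    r"CanDoAction of action (?P<action>\w+) failed\. Reasons:(?P<reasons>[\w,]+)")
LOGIN = re.compile(
    r"Checking if user (?P<user>\S+) is an admin, result (?P<admin>true|false)")
DENIED = "USER_NOT_AUTHORIZED_TO_PERFORM_ACTION"


def authorization_denials(log_text):
    """Return one record per CanDoAction failure caused by a missing permission."""
    denials, last_login = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped continuation or foreign line
        login = LOGIN.search(m["msg"])
        if login:
            last_login = (login["user"], login["admin"] == "true")
            continue
        failed = CAN_DO.search(m["msg"])
        # Assumption: several reasons, if present, are comma-separated.
        if failed and DENIED in failed["reasons"].split(","):
            denials.append({
                "time": m["ts"],
                "action": failed["action"],
                "command": m["logger"].rsplit(".", 1)[-1],
                "correlation_id": m["corr"],
                "thread": m["thread"],
                # The denial line names no user: nearest earlier login, a hint only.
                "recent_login": last_login,
            })
    return denials


if __name__ == "__main__":
    for record in authorization_denials(SAMPLE_LOG):
        print(record)
```

On the sample, the only record is the AddNetwork denial with correlation id 76d40240; the preceding login shows the account passed the admin check yet still lacked the permission for this action.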

