Bug 860056 - ClusterAdmin/NetworkAdmin are unable to add/remove network to cluster
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-restapi
Version: 3.1.0
Hardware: Unspecified Unspecified
Priority: unspecified
Severity: high
Assigned To: Oved Ourfali
Oded Ramraz
network
Depends On:
Blocks:
Reported: 2012-09-24 15:23 EDT by Ondra Machacek
Modified: 2016-02-10 14:58 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-09-25 05:22:28 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Network
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Ondra Machacek 2012-09-24 15:23:56 EDT
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Add user with NetworkAdmin/ClusterAdmin role on DC.
2. Try to add network for cluster which is on DC.
  
Actual results:
User is not authorized to perform this action.

Expected results:
New network created.

Additional info:
Should ClusterAdmin/NetworkAdmin be able to create a new network in a cluster?
Comment 2 Oded Ramraz 2012-09-25 03:09:07 EDT
Ondrej, please attach the relevant logs.
Comment 3 Michael Pasternak 2012-09-25 04:38:21 EDT
Did you use the SDK or the API?
Comment 4 Ondra Machacek 2012-09-25 05:03:28 EDT
API and webadmin.

Can NetworkAdmin and ClusterAdmin add a new network to a DataCenter? Is this action included in the 'configure_cluster_network' permissions, or do these permissions include only assigning/unassigning a network?

code:
 dc = API.datacenters.get("DC")
 net = params.Network(name="networkName", data_center=dc)
 API.networks.add(net)

logs:
2012-09-25 10:56:07,666 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8009-4) Checking if user portaluser2 is an admin, result true
2012-09-25 10:56:07,667 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8009-4) Running command: LoginUserCommand internal: false.
2012-09-25 10:56:07,676 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8009-4) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2012-09-25 10:56:07,676 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8009-4) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2012-09-25 10:56:07,851 WARN  [org.ovirt.engine.core.bll.storage.AddNetworkCommand] (ajp-/127.0.0.1:8009-1) [76d40240] CanDoAction of action AddNetwork failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2012-09-25 10:56:07,851 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (ajp-/127.0.0.1:8009-1) Operation Failed: [User is not authorized to perform this action.]
Comment 5 Oved Ourfali 2012-09-25 05:17:32 EDT
(In reply to comment #4)
> API and webadmin.
> 
> Can NetworkAdmin and ClusterAdmin add a new network to a DataCenter? Is this
> action included in the 'configure_cluster_network' permissions, or do these
> permissions include only assigning/unassigning a network?
> 
> code:
>  dc = API.datacenters.get("DC")
>  net = params.Network(name="networkName", data_center=dc)
>  API.networks.add(net)
> 
> logs:
> 2012-09-25 10:56:07,666 INFO  [org.ovirt.engine.core.bll.LoginUserCommand]
> (ajp-/127.0.0.1:8009-4) Checking if user portaluser2 is an admin, result true
> 2012-09-25 10:56:07,667 INFO  [org.ovirt.engine.core.bll.LoginUserCommand]
> (ajp-/127.0.0.1:8009-4) Running command: LoginUserCommand internal: false.
> 2012-09-25 10:56:07,676 WARN 
> [org.ovirt.engine.core.bll.GetConfigurationValueQuery]
> (ajp-/127.0.0.1:8009-4) calling GetConfigurationValueQuery (ApplicationMode)
> with null version, using default general for version
> 2012-09-25 10:56:07,676 WARN 
> [org.ovirt.engine.core.bll.GetConfigurationValueQuery]
> (ajp-/127.0.0.1:8009-4) calling GetConfigurationValueQuery (VdcVersion) with
> null version, using default general for version
> 2012-09-25 10:56:07,851 WARN 
> [org.ovirt.engine.core.bll.storage.AddNetworkCommand]
> (ajp-/127.0.0.1:8009-1) [76d40240] CanDoAction of action AddNetwork failed.
> Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2012-09-25 10:56:07,851 ERROR
> [org.ovirt.engine.api.restapi.resource.AbstractBackendResource]
> (ajp-/127.0.0.1:8009-1) Operation Failed: [User is not authorized to perform
> this action.]

Currently, only super user and DC admin can add networks to the DC.

Currently, network admin can:
CONFIGURE_CLUSTER_NETWORK
CONFIGURE_HOST_NETWORK
MANIPUTLATE_HOST

Cluster admin can do many things, but he also can't create a new logical network.

So, in order to add a new network you first have to add it in the DC (with DCadmin/SuperUser role), and then attach it to the cluster. Adding it directly from the cluster logical networks dialog won't work if you don't have one of the roles above.

So, if the use-case you described is attaching an existing network to the cluster, then network admin should be enough (and if not that's a bug).
However, if you are trying to add a new logical network through the cluster logical networks dialog, with only network admin permissions, then it should fail (if that's the case, please close the bug, as this is not a bug).
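
Added example (not part of the bug thread or the oVirt code base): a parser for engine.log lines in the format quoted in comment 4 that extracts CanDoAction failures caused by USER_NOT_AUTHORIZED_TO_PERFORM_ACTION, so that denials like the AddNetwork one can be reviewed per action. The last two sample lines are constructed, EXAMPLE_REASON is a placeholder, and attributing a denial to a user by time window is an assumption of this sketch, because the login and the command are logged on different threads.

```python
import re
from datetime import datetime, timedelta

# Lines 1-3 are quoted from comment 4; lines 4-5 are constructed for illustration.
SAMPLE_LOG = """\
2012-09-25 10:56:07,666 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8009-4) Checking if user portaluser2 is an admin, result true
2012-09-25 10:56:07,851 WARN  [org.ovirt.engine.core.bll.storage.AddNetworkCommand] (ajp-/127.0.0.1:8009-1) [76d40240] CanDoAction of action AddNetwork failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2012-09-25 10:56:07,851 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (ajp-/127.0.0.1:8009-1) Operation Failed: [User is not authorized to perform this action.]
2012-09-25 11:02:13,120 WARN  [org.ovirt.engine.core.bll.storage.AddNetworkCommand] (ajp-/127.0.0.1:8009-3) CanDoAction of action AddNetwork failed. Reasons:EXAMPLE_REASON,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2012-09-25 11:03:40,002 WARN  [org.ovirt.engine.core.bll.storage.AddNetworkCommand] (ajp-/127.0.0.1:8009-3) [1a2b3c4d] CanDoAction of action AddNetwork failed. Reasons:EXAMPLE_REASON
"""

# timestamp, level, [logger], (thread), optional [correlation id], message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>\w+)\s+"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?:\[(?P<corr>\w+)\] )?(?P<msg>.*)$")
DENIED = re.compile(r"CanDoAction of action (?P<action>\w+) failed\. Reasons:(?P<reasons>\S+)")
LOGIN = re.compile(r"Checking if user (?P<user>\S+) is an admin, result (?:true|false)")
AUTHZ = "USER_NOT_AUTHORIZED_TO_PERFORM_ACTION"


def authz_denials(log_text, window=timedelta(seconds=5)):
    """Return one record per CanDoAction failure caused by missing permissions."""
    logins, denials = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped continuation lines or unrelated formats
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        login = LOGIN.search(m["msg"])
        if login:
            logins.append((ts, login["user"]))
            continue
        denied = DENIED.search(m["msg"])
        # Reasons is a comma-separated list; keep only permission failures.
        if denied and AUTHZ in denied["reasons"].split(","):
            # Heuristic (assumption): users who logged in shortly before the denial.
            users = sorted({u for t, u in logins if timedelta(0) <= ts - t <= window})
            denials.append({"time": m["ts"], "action": denied["action"],
                            "correlation_id": m["corr"], "candidate_users": users})
    return denials


if __name__ == "__main__":
    for record in authz_denials(SAMPLE_LOG):
        print(record)
```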
