Description of problem:

Version-Release number of selected component (if applicable):
si21

How reproducible:
always

Steps to Reproduce:
1. As admin, create a disk and a VM without a disk.
2. Add the user StorageAdmin permissions on the 'system' object.
3. As that user, try to attach the disk to the VM.

Actual results:
User is not authorized to perform this action.

Expected results:
Disk is attached.

Additional info:
2012-10-23 23:07:14,896 INFO [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8009-18) Checking if user portaluser2 is an admin, result true
2012-10-23 23:07:14,896 INFO [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8009-18) Running command: LoginAdminUserCommand internal: false.
2012-10-23 23:07:49,107 WARN [org.ovirt.engine.core.bll.AttachDiskToVmCommand] (ajp-/127.0.0.1:8009-18) [33aeaa1f] CanDoAction of action AttachDiskToVm failed. Reasons:VAR__ACTION__ATTACH_ACTION_TO,VAR__TYPE__VM_DISK,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
StorageAdmin is allowed to manage storage domains and disks, not VMs. Attaching/removing disks from VMs requires more permissions. I don't see this as a bug.
So the backend shouldn't return that it can:

    # API is an authenticated ovirtsdk connection to the engine
    for r in API.roles.list():
        if r.get_name() == 'StorageAdmin':
            print('attach_disk' in [p.get_name() for p in r.get_permits().list()])

    >>> True
(In reply to comment #2)
> So the backend shouldn't return that it can:
>
> for r in API.roles.list():
>     if r.get_name() == 'StorageAdmin':
>         print 'attach_disk' in [p.get_name() for p in r.get_permits().list()]
>
> >>> True

That's true as well. You need two permissions in order to attach a disk to a VM:
1. Permissions on the disk that allow you to attach it - "ATTACH_DISK" on the disk.
2. Permissions on the VM that allow you to configure storage for it - "CONFIGURE_VM_STORAGE" on the VM.
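The two-object check described in comment #3, modelled as an added example (this is illustrative code, not the oVirt engine's own CanDoAction implementation). Permissions are assumed to be inherited down an object tree (system > data center > storage domain > disk, and system > data center > cluster > VM), so StorageAdmin on 'system' covers every disk. The object names, the VmAdmin role and all permits other than StorageAdmin's attach_disk are constructed for the example; the point it shows is that a permit appearing in a role's permit list (comment #2) is necessary but not sufficient, because AttachDiskToVm also needs a permit on the VM.

```python
"""Toy model of the AttachDiskToVm authorization check (added example)."""

# Constructed object hierarchy: child -> parent. A permission granted on an
# object applies to all of its descendants.
PARENT = {
    "system": None,
    "dc1": "system",
    "sd1": "dc1",        # storage domain
    "disk1": "sd1",
    "cluster1": "dc1",
    "vm1": "cluster1",
}

# Constructed role -> permit sets. Only attach_disk in StorageAdmin is
# confirmed by the thread; VmAdmin is a hypothetical role for illustration.
ROLES = {
    "StorageAdmin": {"create_disk", "delete_disk", "attach_disk"},
    "VmAdmin": {"configure_vm_storage", "edit_vm_properties"},
}

# Per comment #3: one permit on the disk, another permit on the VM.
ATTACH_DISK_TO_VM = (("disk", "attach_disk"), ("vm", "configure_vm_storage"))


def ancestors(obj):
    """Yield obj and every object above it in the tree."""
    while obj is not None:
        yield obj
        obj = PARENT[obj]


def role_has_permit(role, permit):
    """The check from comment #2: is the permit in the role at all?"""
    return permit in ROLES[role]


def has_permit(grants, user, obj, permit):
    """grants: iterable of (user, role, object) tuples, like engine permissions.
    True if some grant to `user` on `obj` or one of its ancestors carries `permit`."""
    scope = set(ancestors(obj))
    return any(u == user and o in scope and permit in ROLES[r]
               for (u, r, o) in grants)


def can_do_attach_disk(grants, user, disk, vm):
    """Return (allowed, missing) where missing lists the (target, permit)
    pairs the user lacks; a non-empty list is the USER_NOT_AUTHORIZED case."""
    targets = {"disk": disk, "vm": vm}
    missing = [(kind, permit) for kind, permit in ATTACH_DISK_TO_VM
               if not has_permit(grants, user, targets[kind], permit)]
    return (not missing, missing)


if __name__ == "__main__":
    # Reproduces the report: StorageAdmin on 'system' only.
    grants = [("portaluser2", "StorageAdmin", "system")]
    print("role lists attach_disk:", role_has_permit("StorageAdmin", "attach_disk"))
    print("can attach:", can_do_attach_disk(grants, "portaluser2", "disk1", "vm1"))
    # Adding a VM-scoped grant with configure_vm_storage satisfies the check.
    grants.append(("portaluser2", "VmAdmin", "vm1"))
    print("can attach:", can_do_attach_disk(grants, "portaluser2", "disk1", "vm1"))
```

Listing a role's permits, as in comment #2, only answers whether the role could ever attach a disk; the action check additionally asks which object each permit was granted on, which is why the disk half passes and the VM half fails for a system-level StorageAdmin.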