Bug 869433 - [MLA] StorageAdmin can't attach disk.
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.1.0
Hardware: Unspecified Unspecified
Priority: unspecified
Severity: medium
Assigned To: Nobody's working on this, feel free to take it
Reported: 2012-10-23 17:17 EDT by Ondra Machacek
Modified: 2012-10-24 07:46 EDT
Doc Type: Bug Fix
Last Closed: 2012-10-23 22:16:59 EDT
Type: Bug

Description Ondra Machacek 2012-10-23 17:17:34 EDT
Description of problem:


Version-Release number of selected component (if applicable):
si21

How reproducible:
always

Steps to Reproduce:
1. As admin, create a disk and a VM without a disk.
2. Add the user StorageAdmin permissions on the 'system' object.
3. As the user, try to attach the disk to the VM.
  
Actual results:
User is not authorized to perform this action.

Expected results:
Disk is attached.

Additional info:

2012-10-23 23:07:14,896 INFO  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8009-18) Checking if user portaluser2 is an admin, result true
2012-10-23 23:07:14,896 INFO  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8009-18) Running command: LoginAdminUserCommand internal: false.
2012-10-23 23:07:49,107 WARN  [org.ovirt.engine.core.bll.AttachDiskToVmCommand] (ajp-/127.0.0.1:8009-18) [33aeaa1f] CanDoAction of action AttachDiskToVm failed. Reasons:VAR__ACTION__ATTACH_ACTION_TO,VAR__TYPE__VM_DISK,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

Comment 1 Itamar Heim 2012-10-23 22:16:59 EDT
Storage admin is allowed to manage storage domains and disks, not VMs.
Attaching/removing disks from VMs requires more permissions.
I don't see this as a bug.

Comment 2 Ondra Machacek 2012-10-24 07:17:39 EDT
So the backend shouldn't return that it can:

for r in API.roles.list():
    if r.get_name() == 'StorageAdmin':
        print 'attach_disk' in [p.get_name() for p in r.get_permits().list()]

>>> True

Comment 3 Oved Ourfali 2012-10-24 07:46:52 EDT
(In reply to comment #2)
> So the backend shouldn't return that it can:
> 
> for r in API.roles.list():
>     if r.get_name() == 'StorageAdmin':
>         print 'attach_disk' in [p.get_name() for p in r.get_permits().list()]
> 
> >>> True

That's true as well.
You need two permissions in order to attach a disk to a VM:
1. Permission on the disk that allows you to attach it - "ATTACH_DISK" on the disk.
2. Permission on the VM that allows you to configure storage for it - "CONFIGURE_VM_STORAGE".
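
The two-permission check described in comment 3, as an added example that is not part of the bug thread and is not oVirt engine code: an action is allowed only when every required (object, action group) pair is satisfied. The role contents, the VmStorageOperator role, the object names vm-1 and disk-1, and inheritance of grants from 'system' are assumptions made for illustration.

```python
# Simplified model of a multi-object authorization check (added example,
# not oVirt engine code). Role contents are constructed for illustration.

# Role -> action groups it carries. Only what the thread states is modeled:
# StorageAdmin includes ATTACH_DISK but not CONFIGURE_VM_STORAGE.
ROLES = {
    "StorageAdmin": {"ATTACH_DISK"},
    "VmStorageOperator": {"CONFIGURE_VM_STORAGE"},  # hypothetical role
}

# Object -> parent. Assumption: a grant on 'system' is inherited by all objects.
PARENT = {"vm-1": "system", "disk-1": "system", "system": None}

# Action -> (target kind, action group) pairs that must ALL be held.
REQUIRED = {
    "AttachDiskToVm": [("disk", "ATTACH_DISK"), ("vm", "CONFIGURE_VM_STORAGE")],
}


def has_group(grants, user, obj, group):
    """True if `user` holds `group` on `obj` or on any ancestor of `obj`."""
    while obj is not None:
        for g_user, role, g_obj in grants:
            if g_user == user and g_obj == obj and group in ROLES[role]:
                return True
        obj = PARENT[obj]
    return False


def missing_permissions(grants, user, action, targets):
    """Return the (object, action group) pairs the user lacks for `action`."""
    return [
        (targets[kind], group)
        for kind, group in REQUIRED[action]
        if not has_group(grants, user, targets[kind], group)
    ]


def can_do_action(grants, user, action, targets):
    """One missing pair is enough to deny the whole action."""
    return not missing_permissions(grants, user, action, targets)


if __name__ == "__main__":
    # Constructed grant matching the report: StorageAdmin on 'system'.
    grants = [("portaluser2", "StorageAdmin", "system")]
    targets = {"disk": "disk-1", "vm": "vm-1"}
    print(can_do_action(grants, "portaluser2", "AttachDiskToVm", targets))
    print(missing_permissions(grants, "portaluser2", "AttachDiskToVm", targets))
```

Reporting the missing pair rather than a bare denial shows which object the grant has to be added on, which is the detail the USER_NOT_AUTHORIZED_TO_PERFORM_ACTION log line above does not carry.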
