Red Hat Bugzilla – Bug 869433
[MLA] StorageAdmin can't attach disk.
Last modified: 2012-10-24 07:46:52 EDT
Description of problem:
Steps to Reproduce:
1. As admin create disk and vm without disk.
2. Add user StorageAdmin permissions on 'system' object.
3. As user try to attach disk to vm.
Actual results:
User is not authorized to perform this action.
Expected results:
Disk is attached.
2012-10-23 23:07:14,896 INFO [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8009-18) Checking if user portaluser2 is an admin, result true
2012-10-23 23:07:14,896 INFO [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8009-18) Running command: LoginAdminUserCommand internal: false.
2012-10-23 23:07:49,107 WARN [org.ovirt.engine.core.bll.AttachDiskToVmCommand] (ajp-/127.0.0.1:8009-18) [33aeaa1f] CanDoAction of action AttachDiskToVm failed. Reasons:VAR__ACTION__ATTACH_ACTION_TO,VAR__TYPE__VM_DISK,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
Storage admin is allowed to manage storage domains and disks, not VMs.
Attaching/removing disks from VMs requires more permissions.
I don't see this as a bug.
So the backend shouldn't return that it can:
# API: an authenticated ovirtsdk.api.API connection (Python 2 SDK)
for r in API.roles.list():
    if r.get_name() == 'StorageAdmin':
        print 'attach_disk' in [p.get_name() for p in r.get_permits().list()]
(In reply to comment #2)
> So the backend shouldn't return that it can:
> for r in API.roles.list():
>     if r.get_name() == 'StorageAdmin':
>         print 'attach_disk' in [p.get_name() for p in r.get_permits().list()]
> >>> True
That's true as well.
You need two permissions in order to attach a disk to a VM:
1. Permissions on the disk that allow you to attach it - "ATTACH_DISK" on the disk.
2. Permissions on the VM that allow you to configure storage for it - "CONFIGURE_VM_STORAGE" on the VM.
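The two-object check described in this comment, modelled as an added example (my own illustration, not ovirt-engine code): a role may list ATTACH_DISK, but the action is only allowed when the user holds the required permit on each object it touches, via a grant on that object or on an ancestor such as 'system'. StorageAdmin, ATTACH_DISK and CONFIGURE_VM_STORAGE are from the thread; the "VmAdmin" role, the extra permits and the object ids are constructed.

```python
from collections import defaultdict

# Role -> permits, as the roles API lists them. StorageAdmin's ATTACH_DISK and
# the CONFIGURE_VM_STORAGE permit are from the thread; "VmAdmin" is constructed.
ROLES = {
    "StorageAdmin": {"ATTACH_DISK", "CREATE_DISK", "DELETE_DISK"},
    "VmAdmin": {"CONFIGURE_VM_STORAGE", "EDIT_VM"},
}
# An action names one permit per object it touches; every one must hold.
ACTION_REQUIREMENTS = {
    "AttachDiskToVm": {"disk": "ATTACH_DISK", "vm": "CONFIGURE_VM_STORAGE"},
}


class Authz:
    def __init__(self, parents):
        self.parent = parents           # object -> parent object (None = root)
        self.grants = defaultdict(set)  # (user, object) -> roles granted there

    def grant(self, user, role, obj):
        self.grants[(user, obj)].add(role)

    def permits_on(self, user, obj):
        """Permits from roles granted on obj or on any ancestor (inherited)."""
        permits = set()
        while obj is not None:
            for role in self.grants.get((user, obj), ()):
                permits |= ROLES[role]
            obj = self.parent[obj]
        return permits

    def can_do(self, user, action, **objects):
        """Return (allowed, missing): one entry per object lacking its permit."""
        missing = [
            "%s on %s" % (permit, objects[kind])
            for kind, permit in ACTION_REQUIREMENTS[action].items()
            if permit not in self.permits_on(user, objects[kind])
        ]
        return (not missing, missing)


def demo():
    # Replay the report: StorageAdmin granted on 'system' (step 2), then attach.
    a = Authz({"system": None, "vm1": "system", "disk1": "system"})
    a.grant("portaluser2", "StorageAdmin", "system")
    refused = a.can_do("portaluser2", "AttachDiskToVm", disk="disk1", vm="vm1")
    a.grant("portaluser2", "VmAdmin", "vm1")  # supplies CONFIGURE_VM_STORAGE on the VM
    allowed = a.can_do("portaluser2", "AttachDiskToVm", disk="disk1", vm="vm1")
    return refused, allowed
```

The first result mirrors the CanDoAction failure in the log (the disk permit is satisfied, the VM permit is not); the second shows the attach succeeding once a role carrying CONFIGURE_VM_STORAGE is granted on the VM itself.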