Bug 876460 - user who can create a VM in extended user portal can not create VM in filtered API due to insufficient permissions
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-restapi
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Release: 3.2.0
Assigned To: Ravi Nori
QA Contact: Ondra Machacek
Whiteboard: infra
Blocks: 915537
 
Reported: 2012-11-14 03:24 EST by David Jaša
Modified: 2016-02-10 14:03 EST

Fixed In Version: sf1
Doc Type: Bug Fix
Type: Bug
oVirt Team: Infra
Description David Jaša 2012-11-14 03:24:50 EST
Description of problem:
user who can create a VM in extended user portal can not create VM in filtered API due to insufficient permissions

Version-Release number of selected component (if applicable):
si24.1 / rhevm-restapi-3.1.0-28.el6ev.noarch

How reproducible:
always

Steps to Reproduce:
1. give a user the PowerUserRole over a cluster Default
2. create a VM via user portal and API (example):
curl --cacert .certs/cert.pem -D - -b JSESSIONID=JGOUUMzeGMN4-zs0JC1-nubr \
-H "prefer: persistent-auth" -H "Content-Type: application/xml" \
-H "filter: true" https://rhevm31.example.com/api/vms -X POST -d \
'<vm><name>test-vm-fdloddfl</name><cluster><name>Default</name></cluster><template><name>Blank</name></template></vm>'
  
Actual results:
UI: works
API:
HTTP/1.1 400 Bad Request
Date: Wed, 14 Nov 2012 08:21:00 GMT
Content-Type: application/xml
Content-Length: 188
Connection: close

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<fault>
    <reason>Operation Failed</reason>
    <detail>query execution failed due to insufficient permissions.</detail>
</fault>

Expected results:
operation succeeds via API as well

Additional info:
Comment 1 Michael Pasternak 2012-11-14 05:08:43 EST
Well, the problem is that the API is using /search to fetch the template/cluster ID by name;
the workaround is to use IDs instead.
Comment 2 David Jaša 2012-11-14 06:04:20 EST
The operation fails even when I specify a cluster with an ID:

$ curl --cacert .cert.pem -D - -b JSESSIONID=7RhiNHUP6ORsTrX0-OCyDh+a \
-H "prefer: persistent-auth" -H "Content-Type: application/xml" \
-H "filter: true" https://rhevm31.example.com/api/vms -X POST -d \
"<vm><name>test-vm-fdloddfl</name><cluster id='99408929-82cf-4dc7-a532-9d998063fa95'/><template><name>Blank</name></template></vm>"
HTTP/1.1 400 Bad Request
Date: Wed, 14 Nov 2012 10:42:42 GMT
Content-Type: application/xml
Content-Length: 188
Connection: close

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<fault>
    <reason>Operation Failed</reason>
    <detail>query execution failed due to insufficient permissions.</detail>
</fault>


The permission is given at system-level to a group where the user belongs.

When I try to look up the permissions of the cluster, I get this empty reply no matter if I ask as a filtered user or unfiltered admin:
GET /api/clusters/99408929-82cf-4dc7-a532-9d998063fa95/permissions

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<permissions/>

The same goes for the respective data center, and in /api I can not see permissions at all (as admin). I'd expect to see inherited permissions or, in the case of filtered requests, just the subset of the permissions related to the user.
Comment 3 Michael Pasternak 2012-11-14 08:03:07 EST
(In reply to comment #2)
> The operation fails even when I specify a cluster with an ID:
> 
> $ curl --cacert .cert.pem -D - -b JSESSIONID=7RhiNHUP6ORsTrX0-OCyDh+a \
> -H "prefer: persistent-auth" -H "Content-Type: application/xml" \
> -H "filter: true" https://rhevm31.example.com/api/vms -X POST -d \
> "<vm><name>test-vm-fdloddfl</name><cluster
> id='99408929-82cf-4dc7-a532-9d998063fa95'/><template><name>Blank</name></
> template></vm>"
> HTTP/1.1 400 Bad Request
> Date: Wed, 14 Nov 2012 10:42:42 GMT
> Content-Type: application/xml
> Content-Length: 188
> Connection: close
> 
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <fault>
>     <reason>Operation Failed</reason>
>     <detail>query execution failed due to insufficient permissions.</detail>
> </fault>
> 
> 

Comment 1 says: use template/cluster by-id
Comment 4 David Jaša 2012-11-14 09:22:41 EST
(In reply to comment #3)
> (In reply to comment #2)
> Comment 1 says: use template/cluster by-id

Sorry, I missed the template part. When specifying both as IDs, the VM gets created. So this is a duplicate of bug 869334, I guess?
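
Added example, not part of the original thread or of the oVirt code base: a small shell helper that builds the POST /api/vms body with both cluster and template referenced by ID, the form comments 1 and 4 describe as working with "filter: true", and that recognises the fault shown in the report. The function names and the template ID are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: by-ID request body for the filtered API (hypothetical helpers).

# Accept only canonical UUIDs so a name can never slip into an id attribute.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Escape the five XML special characters in the VM name.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# build_vm_body NAME CLUSTER_ID TEMPLATE_ID
# Prints the XML body; returns 2 if either reference is not an ID.
build_vm_body() {
  local name cluster_id template_id
  name=$(xml_escape "$1"); cluster_id=$2; template_id=$3
  is_uuid "$cluster_id"  || { echo "cluster must be given by id"  >&2; return 2; }
  is_uuid "$template_id" || { echo "template must be given by id" >&2; return 2; }
  printf '<vm><name>%s</name><cluster id="%s"/><template id="%s"/></vm>' \
    "$name" "$cluster_id" "$template_id"
}

# Reads a response body on stdin; succeeds if it is the fault from this report.
is_permission_fault() {
  grep -qF '<detail>query execution failed due to insufficient permissions.</detail>'
}

CLUSTER_ID='99408929-82cf-4dc7-a532-9d998063fa95'   # cluster ID from comment 2
TEMPLATE_ID='00000000-0000-0000-0000-0000000000aa'  # constructed placeholder, not a real template ID

body=$(build_vm_body 'test-vm-fdloddfl' "$CLUSTER_ID" "$TEMPLATE_ID") && printf '%s\n' "$body"

# To send it, reuse the curl options from the report:
#   curl --cacert .certs/cert.pem -D - -b JSESSIONID=... \
#        -H "Content-Type: application/xml" -H "filter: true" \
#        https://rhevm31.example.com/api/vms -X POST -d "$body"
```
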
Comment 5 Ravi Nori 2012-11-14 13:34:07 EST
link : http://gerrit.ovirt.org/#/c/9248/

change id : I604883bc48dce3f326046d59534fb9134c1bbb29
Comment 6 Michael Pasternak 2012-11-15 02:05:50 EST
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > Comment 1 says: use template/cluster by-id
> 
> sorry, I missed the template part. When specifying both as ids, the VM gets
> created. So is this a duplicate of bug 869334, i guess?

Indeed, but I prefer keeping it in a separate bug so as not to overload #869334.
Comment 7 Itamar Heim 2013-06-11 05:35:22 EDT
3.2 has been released
Comment 8 Itamar Heim 2013-06-11 05:35:25 EDT
3.2 has been released
Comment 9 Itamar Heim 2013-06-11 05:50:47 EDT
3.2 has been released
