Bug 878812 - [RFE] In user view there is no consideration of the permission type
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: RFEs
Version: ---
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: ---
Assignee: Oved Ourfali
QA Contact:
URL:
Whiteboard: infra
: 910846
Depends On: 950503
Blocks: 910846 951935 978968
Reported: 2012-11-21 09:38 UTC by lpeer
Modified: 2016-02-10 19:09 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-02 06:14:33 UTC
oVirt Team: Infra
Embargoed:
pkliczew: needinfo+
ylavi: ovirt-future?
rule-engine: planning_ack?
lpeer: devel_ack?
rule-engine: testing_ack?



Description lpeer 2012-11-21 09:38:45 UTC
Description of problem:
When calculating the entities a user can view in the user API/portal we do not take into consideration what type of permission is given on the entity.

For example, if I want to give a user permission to use all the templates in the data center, I'll give him permission to consumeTemplate on the data center. The impact today is that the user API can view ALL the VMs in the data center.

This is just an example; there are many other examples.

Proposed solution -
We are missing some kind of containers in a DC. If I want to give permission on the templates in the data center, or if I want to give permissions on the networks in the data center, it should be given on containers which live in the DC: Networks, Storage-Domains, Templates, etc.

Another option is to classify Action-Groups to entities and use it in user view calculation.



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 lpeer 2012-11-21 09:47:17 UTC
Maybe a clearer explanation -

Today, when we give permission on an entity like a data center, the user gets the permission on all the entities in the data center hierarchy.

For example -

- I gave a user permission to use the templates in the data center; now he can see all VMs in the DC.

- I gave a user permission to use the networks in the data center; now he can see all VMs in the DC.

Comment 2 Miki Kenneth 2012-11-22 09:49:53 UTC
This is definitely a bug. I'm not sure that container is the right term; I would say let's have differentiation between the place in the hierarchy and the actual objects:
- all VMs in Cluster A.
- all templates in DC DC1
- all networks in cluster A

etc.

Comment 3 Yair Zaslavsky 2012-12-30 11:27:13 UTC
After consulting with Oved, it sounds to us more of a "sub feature" at permissions, which is not that trivial to implement in the given timeframe for 3.2.
I suggest handling it in a future version.

Comment 6 Piotr Kliczewski 2013-11-14 14:12:30 UTC
Can you please provide the role names that you assigned to the users?

Comment 7 lpeer 2013-12-31 12:46:15 UTC
(In reply to Piotr Kliczewski from comment #6)
> Can you please provide the role names that you assigned to the users?

Piotr,
This bug is about the concept, not a specific case. Please see comment 1 for more details.
You can also talk to Oved who is also familiar with the issue.

The general problem as described in earlier comments is that the permission hierarchy is not sensitive to entities type.
When I give permission on a DC, it propagates to all the entities in the DC instead of, for example, all the templates in the DC or all the VMs in the DC.
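
The type-blind propagation described in the report and in comment 7, next to the "classify Action-Groups to entities" option, as an added example that is not part of the original thread and not ovirt-engine code. The hierarchy, users and grants are constructed; `consumeTemplate` is the name used in the report, while `useNetwork`, `useVm` and the rule that a grant exposes only entities of its classified type are assumptions.

```python
from collections import namedtuple

Entity = namedtuple("Entity", "id type parent")
# Constructed hierarchy: one data center holding VMs, a template and a network.
ENTITIES = [
    Entity("dc1", "datacenter", None),
    Entity("clusterA", "cluster", "dc1"),
    Entity("vm1", "vm", "clusterA"),
    Entity("vm2", "vm", "clusterA"),
    Entity("tmpl1", "template", "dc1"),
    Entity("net1", "network", "dc1"),
]
BY_ID = {e.id: e for e in ENTITIES}

# Assumed classification of action groups to the entity types they concern.
# "consumeTemplate" is from the report; the other two names are hypothetical.
ACTION_GROUP_TYPES = {
    "consumeTemplate": {"template"},
    "useNetwork": {"network"},
    "useVm": {"vm"},
}
# Constructed grants: (user, action group, object the permission is given on).
PERMISSIONS = [("alice", "consumeTemplate", "dc1"), ("bob", "useVm", "clusterA")]

def ancestors_and_self(entity_id):
    """Yield the entity id and every id above it in the hierarchy."""
    while entity_id is not None:
        yield entity_id
        entity_id = BY_ID[entity_id].parent

def view_type_blind(user):
    """Behaviour described in the report: any grant exposes the whole subtree."""
    granted = {obj for u, _, obj in PERMISSIONS if u == user}
    return {e.id for e in ENTITIES if granted & set(ancestors_and_self(e.id))}

def view_type_aware(user):
    """A grant exposes only subtree entities whose type matches its action group."""
    visible = set()
    for u, group, obj in PERMISSIONS:
        if u != user:
            continue
        allowed = ACTION_GROUP_TYPES.get(group, set())  # unclassified group exposes nothing
        for e in ENTITIES:
            if e.type in allowed and obj in ancestors_and_self(e.id):
                visible.add(e.id)
    return visible
```

With the constructed grants, `view_type_blind("alice")` returns every entity under `dc1`, including both VMs, while `view_type_aware("alice")` returns only `tmpl1`.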

Comment 9 Barak 2014-03-18 12:32:17 UTC
*** Bug 910846 has been marked as a duplicate of this bug. ***

