Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 907374

Summary: [User Portal] "Admin" user do not see all permissions on a template in User Portal
Product: Red Hat Enterprise Virtualization Manager
Reporter: Jiri Belka <jbelka>
Component: ovirt-engine-userportal
Assignee: Einav Cohen <ecohen>
Status: CLOSED WONTFIX
QA Contact: Pavel Stehlik <pstehlik>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 3.2.0
CC: acathrow, ecohen, iheim, jkt, michal.skrivanek, oourfali, Rhev-m-bugs, ykaul, yzaslavs
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: virt
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-01 10:20:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: engine.log (Flags: none)

Description Jiri Belka 2013-02-04 08:53:30 UTC
Created attachment 692659
engine.log

Description of problem:
As "admin" (PowerUserRole) I do not see all permissions when configuring permissions on my newly created template in User Portal (which inherited TemplateOwner, PowerUserRole, NetworkUser roles). I was adding 'RHEV\vdcadmin' user as UserRole on this template but I do not see this user in the Permissions subtab list, although I _do_ see this user in Admin Portal.

I also doubt PowerUserRole should be added to a template.

Version-Release number of selected component (if applicable):
sf5

How reproducible:
100%

Steps to Reproduce:
1. Log in User portal as user with PowerUserRole/NetworkUser
2. create a VM
3. make a template from this VM
4. check permissions on this template from both User Portal and Administration Portal
5. in User Portal, try to assign a user to this template from AD with UserRole
6. check permissions on this template from both User Portal and Administration Portal

Actual results:
1. some permissions are not visible in user portal
2. looks like permissions mismatch on template (PowerUserRole on template???)

Expected results:
1. should see all permissions on a template in User Portal

Additional info:

Comment 1 Oved Ourfali 2013-02-04 11:38:17 UTC
Current logic in the user permissions view is to show a user only his permissions on the user portal (or permissions on groups he is a member of).

So, in the template case, we show both the inherited and direct permissions on the template object, but only permissions for the querying user.

Changing the logic to show all the permissions is also problematic, as we would only want to show that to users that are really power users, but not to other users.

Maybe we should make a distinction between the extended user portal and the regular one, and show all permissions in the extended one, and only "my" permissions on the basic one. However, it means we would show all permissions for a template even if the power user isn't a power user on that template...

btw, for VMs the logic is the same, but without showing inherited permissions.

Einav - any thoughts on that?

Comment 2 Itamar Heim 2013-02-06 07:11:16 UTC
(In reply to comment #1)
> Current logic in the user permissions view is to show a user only his
> permissions on the user portal (or permissions on groups he is a member of).
> 
> So, in the template case, we show both the inherited and direct permissions
> on the template object, but only permissions for the querying user.
> 
> Changing the logic to show all the permissions is also problematic, as we
> would only want to show that to users that are really power users, but not
> to other users.
> 
> Maybe we should make a distinction between the extended user portal and the
> regular one, and show all permissions in the extended one, and only "my"
> permissions on the basic one. However, it means we would show all
> permissions for a template even if the power user isn't a power user on that
> template...
> 
> btw, for VMs the logic is the same, but without showing inherited
> permissions.
> 
> Einav - any thoughts on that?

I thought we only show permissions in the extended power user portal, not in the basic user portal?

Comment 3 Oved Ourfali 2013-02-06 07:34:45 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > Current logic in the user permissions view is to show a user only his
> > permissions on the user portal (or permissions on groups he is a member of).
> > 
> > So, in the template case, we show both the inherited and direct permissions
> > on the template object, but only permissions for the querying user.
> > 
> > Changing the logic to show all the permissions is also problematic, as we
> > would only want to show that to users that are really power users, but not
> > to other users.
> > 
> > Maybe we should make a distinction between the extended user portal and the
> > regular one, and show all permissions in the extended one, and only "my"
> > permissions on the basic one. However, it means we would show all
> > permissions for a template even if the power user isn't a power user on that
> > template...
> > 
> > btw, for VMs the logic is the same, but without showing inherited
> > permissions.
> > 
> > Einav - any thoughts on that?
> 
> I thought we only show permissions in the extended power user portal, not in
> the basic user portal?

You're right. My mistake.
Anyway, we should also make the same logic for the user level API, I guess.

Comment 4 Einav Cohen 2013-03-13 16:07:04 UTC
[I apologize for my *very* late response]

maybe I am missing something, but I don't see any problem with showing the user *all* permissions on Template in his view (both his permissions and other users' permissions). 
IMO, if a user can see a Template, he should also be able to see *all* of its Disks, NICs, ..., and permissions (not necessarily *manipulate* them, but definitely *see* them).

Think of the following use-case:
If I am a team manager, and (as a power-user) I want to create a Template and let my team members (other power-users) use it, I would want to grant my team-members permissions on that Template, and, of course, see those permissions in my "Permissions" sub-tab for that Template (so I would "remember" that they have these permissions, remove these permissions if I don't want them to use this Template anymore, etc.).
IIUC, it would be impossible in the current state, and it doesn't make sense to me.
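
The two visibility policies discussed in comments 1 and 4, as an added example that is not part of the original thread and is not oVirt engine code. It models the "only my permissions" filter from comment 1 next to a per-object alternative that shows every permission only when the viewer holds a managing role on that same template. The object hierarchy, group table, `MANAGE_ROLES` set and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    principal: str  # user or group the role is granted to
    role: str
    obj: str        # object the permission is attached to


# Constructed sample data modelled on the report (not taken from engine.log).
PARENTS = {"template1": "system"}   # hypothetical hierarchy: template1 inherits from "system"
GROUPS = {"admin": set()}           # hypothetical group membership per user
PERMISSIONS = [
    Permission("admin", "PowerUserRole", "system"),       # inherited by template1
    Permission("admin", "TemplateOwner", "template1"),    # direct
    Permission("RHEV\\vdcadmin", "UserRole", "template1"),  # added in step 5
]
# Assumption: roles that justify seeing other principals' permissions on an object.
MANAGE_ROLES = {"TemplateOwner", "PowerUserRole"}


def on_object(obj):
    """Direct permissions on obj plus those inherited from its ancestors."""
    chain = []
    while obj is not None:
        chain.append(obj)
        obj = PARENTS.get(obj)
    return [p for p in PERMISSIONS if p.obj in chain]


def view_mine_only(viewer, obj):
    """Comment 1 behaviour: only the viewer's own (or their groups') permissions."""
    who = {viewer} | GROUPS.get(viewer, set())
    return [p for p in on_object(obj) if p.principal in who]


def view_all_if_manager(viewer, obj):
    """Alternative: full list only if the viewer manages this object, else own only."""
    mine = view_mine_only(viewer, obj)
    if any(p.role in MANAGE_ROLES for p in mine):
        return on_object(obj)
    return mine


if __name__ == "__main__":
    for view in (view_mine_only, view_all_if_manager):
        for viewer in ("admin", "RHEV\\vdcadmin"):
            rows = [(p.principal, p.role) for p in view(viewer, "template1")]
            print(f"{view.__name__:20} {viewer:15} {rows}")
```

Scoping the check to the object rather than to the portal addresses the concern in comment 1 that a power user would otherwise see all permissions on templates where they hold no power-user role.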

Comment 5 Jiri Belka 2013-04-16 13:53:20 UTC
> I would want to grant my team-members permissions on that Template, and, of
> course, see those permissions in my "Permissions" sub-tab for that Template
> (so I would "remember" that they have these permissions, remove these
> permissions if I don't want them to use this Template anymore, etc.).

+1

Comment 6 Itamar Heim 2013-12-01 10:20:28 UTC
Closing old bugs. If this issue is still relevant/important in current version, please re-open the bug.