Bug 923191 - [UserPortal] User can see other users only from one domain, selected domain is ignored.
Keywords:
Status: CLOSED DUPLICATE of bug 923197
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 3.4.0
Assignee: Ravi Nori
QA Contact: Ondra Machacek
URL:
Whiteboard: infra
Duplicates: 972751
Depends On:
Blocks: rhev3.4beta 1142926
Reported: 2013-03-19 11:56 UTC by Ondra Machacek
Modified: 2016-02-10 19:03 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-08 21:10:31 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:


Attachments
user_portal_add_perms_to_user_screenshot (90.58 KB, image/png)
2013-03-19 11:56 UTC, Ondra Machacek

Description Ondra Machacek 2013-03-19 11:56:01 UTC
Created attachment 712608
user_portal_add_perms_to_user_screenshot

Description of problem:
When we want to add permissions to other users in the userportal, the filtering ignores the selected domain, and it also shows users only from one domain.

Version-Release number of selected component (if applicable):
sf10

How reproducible:
always

Steps to Reproduce:
1. Add two domains to rhevm.
2. Add UserVmManager permissions on cluster to user1.
3. Login as user1 and try to add permissions on some object in cluster.
  
Actual results:
If we select the domain within which we want to search - it is ignored, we still search in one domain. It is not possible to search for users in other domains.

Expected results:
User can search within all domains all users, maybe? Or he should view only users which are already added to system. See also bug 923100.

Additional info:

2013-03-19 12:35:09,204 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-9) Running command: LoginUserCommand internal: false.
2013-03-19 12:35:09,216 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-9) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2013-03-19 12:35:09,216 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-9) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2013-03-19 12:35:31,297 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-1) Running command: LoginUserCommand internal: false.
2013-03-19 12:35:31,308 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-1) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2013-03-19 12:35:31,308 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-1) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2013-03-19 12:35:39,421 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-5) Running command: LoginUserCommand internal: false.
2013-03-19 12:35:39,429 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-5) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2013-03-19 12:35:39,430 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-5) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2013-03-19 12:35:41,158 INFO  [org.ovirt.engine.core.bll.AddPermissionCommand] (pool-3-thread-37) [cbf6fa4] Running command: AddPermissionCommand internal: false. Entities affected :  ID: fea51314-f9bf-45a0-9c5b-3bb2085b1876 Type: VdsGroups
2013-03-19 12:35:57,982 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-11) [2bfe00e3] Running command: LoginUserCommand internal: false.
2013-03-19 12:36:09,330 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-12) Running command: LoginUserCommand internal: false.
2013-03-19 12:36:09,341 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-12) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2013-03-19 12:36:09,341 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-12) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2013-03-19 12:36:31,426 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-12) Running command: LoginUserCommand internal: false.
2013-03-19 12:36:31,438 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-12) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2013-03-19 12:36:31,439 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-12) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2013-03-19 12:36:37,793 INFO  [org.ovirt.engine.core.bll.AddPermissionCommand] (pool-3-thread-37) [63ef1192] Running command: AddPermissionCommand internal: false. Entities affected :  ID: 00000000-0000-0000-0000-000000000000 Type: VmTemplate

Comment 1 Simon Grinberg 2013-04-07 15:24:31 UTC
Ondra, 

Is the domain the user can search limited to the domain the user belongs to or is it an arbitrary domain? 

If the user is limited only to the domain he belongs to, then it should not be a bug, since I am not sure the user should have permissions to see users from other domains; it may be a security issue.

Comment 2 Ondra Machacek 2013-04-09 11:46:11 UTC
(In reply to comment #1)
> Ondra, 
> 
> Is the domain the user can search limited to the domain the user belongs to
> or is it an arbitrary domain?

It seems that the users shown are from the last domain in the alphabet.

Comment 3 Yair Zaslavsky 2013-06-16 14:25:09 UTC
This happens only in user portal.
Does not happen in admin portal.

Comment 4 Yair Zaslavsky 2013-06-16 14:25:48 UTC
*** Bug 972751 has been marked as a duplicate of this bug. ***

Comment 5 Yair Zaslavsky 2013-06-16 15:09:16 UTC
At UserPortal we use two user queries - AdUserSearch and AdGroupSearch.

At Webadmin we call two queries of SearchQuery and pass a different search type each time - Group or User.

Seems like the search patterns are different -

For user portal (looking for a*) 

groups: ADGROUP: name=a*
users:  ADUSER: allnames=a*

For admin portal: (looking for a* at domain example.com)
users: ADUSER: allnames=a*
groups: ADGROUP: name=*

Since there is no domain in case of user portal, the getDefaultDomain() (at the SearchQuery class) method is invoked which returns the default name which gets the first domain from the domains list that is defined in vdc_options (DomainName entry).


Simon, if a user can add permissions via user portal, is it ok that he will add permissions from multiple domains? If so, we just need to fix the AdUserSearch and AdGroupSearch queries.

Comment 6 Simon Grinberg 2013-06-17 12:50:45 UTC
(In reply to Yair Zaslavsky from comment #5)
> 
> Simon, if a user can add permissions via user portal, is it ok that he will
> add permissions from multiple domains? if so, we just need to fix the
> AdUserSearch and AdGroupSearch queries

Look at #comment 1

Comment 7 Yair Zaslavsky 2013-06-17 13:49:44 UTC
(In reply to Simon Grinberg from comment #6)
> (In reply to Yair Zaslavsky from comment #5)
> > 
> > Simon, if a user can add permissions via user portal, is it ok that he will
> > add permissions from multiple domains? if so, we just need to fix the
> > AdUserSearch and AdGroupSearch queries
> 
> Look at #comment 1

Ok, then what we should do is not use getDefaultDomain, but getCurrentDomain (from the user on the session).

Comment 8 Mooli Tayer 2013-06-23 07:51:26 UTC
So to summarize the above discussion,
this is what I am going to do:

1.) In UserPortal's add permissions dialog - remove other domains from selection, the user should only see users from his own domain.

2.) Make sure the users he can actually see after searching are those from his own domain, and not some other randomly selected domain.

makes sense?

Comment 9 Simon Grinberg 2013-06-23 11:58:28 UTC
(In reply to Mooli Tayer from comment #8)
> So to summarize the above discussion,
> this is what I am going to do:
> 
> 1.) In UserPortal's add permissions dialog - remove other domains from
> selection, the user should only see users from his own domain.
> 
> 2.) Make sure the users he can actually see after searching are those from
> his own domain, and not some other randomly selected domain.
> 
> makes sense?

Yes. 
Also make sure that the user has the permission to manipulate users in the first place. 

Long term we may need to add domains as an entity we can set permissions on. 
Then admin can grant a user with permission to assign permission to users from this domain.
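
The default-domain fallback described in comment 5 next to the session-scoped search agreed in comments 7 to 9, as an added example that is not ovirt-engine code. The class and method names, the domain names, the sample directory and the boolean standing in for the permission check are all assumptions made for illustration.

```java
import java.util.*;
import java.util.stream.Collectors;

// Hypothetical model of the search discussed in comments 5-9; not ovirt-engine code.
public class DomainScopedSearch {
    // Constructed sample directory: domain -> user names.
    static final Map<String, List<String>> DIRECTORY = Map.of(
        "alpha.example.com", List.of("adam", "alice"),
        "beta.example.com", List.of("amy", "bob"));
    // Constructed stand-in for the configured domain list (DomainName entry).
    static final List<String> CONFIGURED_DOMAINS =
        List.of("beta.example.com", "alpha.example.com");

    static List<String> lookup(String domain, String prefix) {
        String key = domain.toLowerCase(Locale.ROOT);
        return DIRECTORY.getOrDefault(key, List.of()).stream()
            .filter(name -> name.startsWith(prefix))
            .map(name -> name + "@" + key)
            .collect(Collectors.toList());
    }

    // Comment 5: the query carries only a pattern, so the first configured
    // domain is searched no matter which domain the caller belongs to.
    static List<String> searchWithDefaultDomain(String prefix) {
        return lookup(CONFIGURED_DOMAINS.get(0), prefix);
    }

    // Comments 7-9: search the session user's own domain, refuse any other
    // requested domain, and require the right to manipulate users at all.
    static List<String> searchScopedToSession(String sessionDomain,
            boolean mayManipulateUsers, String requestedDomain, String prefix) {
        if (!mayManipulateUsers) {
            throw new SecurityException("caller may not manipulate users");
        }
        if (requestedDomain != null && !requestedDomain.equalsIgnoreCase(sessionDomain)) {
            throw new SecurityException("search outside the caller's domain refused");
        }
        return lookup(sessionDomain, prefix);
    }
    public static void main(String[] args) {
        String sessionDomain = "alpha.example.com"; // constructed: user1's domain
        System.out.println("default: " + searchWithDefaultDomain("a"));
        System.out.println("scoped:  " + searchScopedToSession(sessionDomain, true, null, "a"));
        try {
            searchScopedToSession(sessionDomain, true, "beta.example.com", "a");
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The scoping is enforced in the query path itself, so removing the other domains from the dialog (item 1 in comment 8) is a usability change rather than the access control.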

Comment 11 Ravi Nori 2014-01-08 21:10:31 UTC

*** This bug has been marked as a duplicate of bug 923197 ***

