Bug 924357
| Summary: | [RHEVM-SDK] user should not see admin permissions the DC | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Ondra Machacek <omachace> |
| Component: | ovirt-engine-sdk | Assignee: | Michael Pasternak <mpastern> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ondra Machacek <omachace> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 3.2.0 | CC: | acathrow, bazulay, dyasny, iheim, mpastern, oramraz, Rhev-m-bugs, sgrinber, yeylon, ykaul |
| Target Milestone: | --- | Keywords: | Regression, TestBlocker |
| Target Release: | 3.2.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | infra | ||
| Fixed In Version: | sf13-beta2 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Ondra, can you please elaborate what do you mean by "Multi-instance user mode don't work as expected"? - multi-instance feature of sdk is related to creating several instances of the sdk under same memory domain - in your example seems like adm user fails to execute the query due to "insufficient permissions" i'm not sure i understand how these two are related. Let's say I have user with UserRole on vm and admin@internal.
I create instance of API like this:
API_user = ovirtsdk.api.API(url=url, username=user, password=pwd, filter=True)
API_admin = ovirtsdk.api.API(url=url, username=adm, password=pwd, filter=False)
I have no permissions on 'mydc' only admin@internal have inherited permissions from system. Now if I run these line of code:
print len(API_admin.datacenters.get('mydc').permissions.list())
print len(API_user.datacenters.get('mydc').permissions.list())
As a result I got:
1
1
Which is incorrect, because user should not see admin permissions on 'mydc'.
This happens only via SDK, if I run this not via SDK, but via API directly result is OK:
for admin:
curl -k -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Filter: $filter" -u $U $URL/datacenters/$dc_id/permissions
<permissions>
<permission .../>
</permissions>
for user:
curl -k -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Filter: $filter" -u $U $URL/datacenters/$dc_id/permissions
<permissions/>
In comment #0 I showed that reverse order only for example, because i think that admin@internal should never get "insufficient permissions", so it seems as some problem with filter=true/false. As I noted in rhevm-sdk-3.2.0.2-1.el6ev.noarch I did not meet with this issue.
(In reply to comment #3) > Let's say I have user with UserRole on vm and admin@internal. > > I create instance of API like this: > API_user = ovirtsdk.api.API(url=url, username=user, password=pwd, > filter=True) > API_admin = ovirtsdk.api.API(url=url, username=adm, password=pwd, > filter=False) > > I have no permissions on 'mydc' only admin@internal have inherited > permissions from system. Now if I run these line of code: > > print len(API_admin.datacenters.get('mydc').permissions.list()) > print len(API_user.datacenters.get('mydc').permissions.list()) > > As a result I got: > 1 > 1 > > Which is incorrect, because user should not see admin permissions on 'mydc'. > This happens only via SDK, if I run this not via SDK, but via API directly > result is OK: > > for admin: > curl -k -X GET -H "Accept: application/xml" -H "Content-Type: > application/xml" -H "Filter: $filter" -u $U > $URL/datacenters/$dc_id/permissions > > <permissions> > <permission .../> > </permissions> > > for user: > curl -k -X GET -H "Accept: application/xml" -H "Content-Type: > application/xml" -H "Filter: $filter" -u $U > $URL/datacenters/$dc_id/permissions > > <permissions/> i suspect that you misused $filter here (i.e it is the same in both curl calls), in any case sdk doesn't have own logic and pass params as they are, i.e it should behave exactly as api. well done Ondra! 3.2 has been released 3.2 has been released |
Description of problem: It is not possible to work properly in multi instance mode in SDK. Version-Release number of selected component (if applicable): sf10 How reproducible: rhevm-sdk-3.2.0.5-1.el6ev.noarch Steps to Reproduce: 1. Add user with UserRole on some vm. 2. Run code below. import ovirtsdk.api API_user = ovirtsdk.api.API(url=url, username=user, password=pwd, filter=True) API_admin = ovirtsdk.api.API(url=url, username=adm, password=pwd, filter=False) print len(API_user.datacenters.list()[0].permissions.list()) print len(API_admin.datacenters.list()[0].permissions.list()) Result: 0 Traceback (most recent call last): File "./t.py", line 12, in <module> print API_admin.datacenters.list()[0].permissions.list() File "/usr/lib/python2.6/site-packages/ovirtsdk/infrastructure/brokers.py", line 1449, in list {'{datacenter:id}': self.parentclass.get_id()} File "/usr/lib/python2.6/site-packages/ovirtsdk/infrastructure/proxy.py", line 140, in get return self.request(method='GET', url=url, headers=headers) File "/usr/lib/python2.6/site-packages/ovirtsdk/infrastructure/proxy.py", line 199, in request noParse=noParse) File "/usr/lib/python2.6/site-packages/ovirtsdk/infrastructure/proxy.py", line 244, in __doRequest raise RequestError, response ovirtsdk.infrastructure.errors.RequestError: status: 400 reason: Bad Request detail: query execution failed due to insufficient permissions. ---------------------------------------------------------------- If I switch 'prints': print len(API_admin.datacenters.list()[0].permissions.list()) print len(API_user.datacenters.list()[0].permissions.list()) Result is: 3 2 OK in rhevm-sdk-3.2.0.2-1.el6ev.noarch.