Bug 961053 - No permissions check on target storage domains when creating a template (the check is on the entire data-center)
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
medium Severity high
: 3.5.0
Assigned To: Daniel Erez
Leonid Natapov
Reported: 2013-05-08 11:58 EDT by Daniel Erez
Modified: 2016-02-10 15:21 EST

Doc Type: Bug Fix
Last Closed: 2014-09-03 12:22:59 EDT
Type: Bug
oVirt Team: Storage
scohen: Triaged+

External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 32199 master ABANDONED core: AddVmTemplate - check perms on target SDs Never

Description Daniel Erez 2013-05-08 11:58:03 EDT
Description of problem:
When creating a template, permissions are checked on the entire data-center instead of each target storage domain.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Make a template from a VM (AddVmTemplateCommand)
Actual results:
Permissions are checked on the entire data-center.

Expected results:
Permissions should be checked on each target storage domain.

Additional info:
Comment 3 Allon Mureinik 2014-04-23 09:03:38 EDT
Michal, need your input on this bug. In your opinion, would this be the desired behavior?

In any event, this issue existed since 3.1 - It's an enhancement request.
Comment 4 Michal Skrivanek 2014-05-05 02:13:31 EDT
I think it's just a long outstanding bug. There are quite a few problems with permissions, basically anything else but PowerUser on DataCenter is unusable, this bug would help...
Comment 6 Daniel Erez 2014-09-03 12:22:59 EDT
Since creating a template requires the CREATE_TEMPLATE action group on the entire data-center, adding granularity for storage domains (e.g. by checking against the CREATE_DISK action group) currently seems redundant/overly complex. Adding it essentially means granting current TemplateAdmins/TemplateCreators/etc. permissions for CREATE_DISK on the entire DC (to keep current behavior), or requiring them to manually grant the needed permissions. Hence, it looks like the best of a bad lot to keep the current design as is and revisit it as part of an overall simplification of the permissions mechanism.
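
An added example, not part of the bug report and not ovirt-engine code: a small Python model of the two checks discussed in this bug, the data-center-only check and the per-storage-domain check that uses CREATE_DISK as Comment 6 suggests. The users, object names, function names and the rule that a grant on a data center is inherited by its storage domains are assumptions of the model.

```python
from dataclasses import dataclass

# Constructed hierarchy (assumption): each storage domain -> its data center.
PARENT = {"sd-fast": "dc-1", "sd-archive": "dc-1"}


@dataclass(frozen=True)
class Grant:
    user: str
    action_group: str
    obj: str  # object the permission was granted on


def has_permission(grants, user, action_group, obj):
    """True if user holds action_group on obj or on an ancestor of obj
    (inheritance down the hierarchy is an assumption of this model)."""
    while obj is not None:
        if Grant(user, action_group, obj) in grants:
            return True
        obj = PARENT.get(obj)
    return False


def check_data_center_only(grants, user, dc, target_sds):
    """Reported behaviour: CREATE_TEMPLATE on the data center is enough;
    target_sds is never consulted."""
    return has_permission(grants, user, "CREATE_TEMPLATE", dc)


def check_per_storage_domain(grants, user, dc, target_sds):
    """Expected behaviour: also require CREATE_DISK on every target SD.
    Returns (allowed, storage domains that failed the check)."""
    if not has_permission(grants, user, "CREATE_TEMPLATE", dc):
        return False, list(target_sds)
    denied = [sd for sd in target_sds
              if not has_permission(grants, user, "CREATE_DISK", sd)]
    return not denied, denied


# Constructed grants: alice may create disks only on sd-fast; bob was given
# CREATE_DISK on the whole data center (the "keep current behavior" option).
GRANTS = {
    Grant("alice", "CREATE_TEMPLATE", "dc-1"),
    Grant("alice", "CREATE_DISK", "sd-fast"),
    Grant("bob", "CREATE_TEMPLATE", "dc-1"),
    Grant("bob", "CREATE_DISK", "dc-1"),
}
TARGETS = ["sd-fast", "sd-archive"]
```

With these grants, alice passes the data-center-only check but is denied on sd-archive under the per-domain check, while bob passes both because his CREATE_DISK grant covers the whole data center.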
