Red Hat Bugzilla – Bug 961053
No permissions check on target storage domains when creating a template (the check is on the entire data-center)
Last modified: 2016-02-10 15:21:45 EST
Description of problem:
When creating a template, permissions are checked on the entire data-center instead of each target storage domain.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Make a template from a VM (AddVmTemplateCommand)
Actual results:
Permissions are checked on the entire data-center.
Expected results:
Permissions should be checked on each target storage domain.
Michal, need your input on this bug. In your opinion, would this be the desired behavior?
In any event, this issue has existed since 3.1 - it's an enhancement request.
I think it's just a long outstanding bug. There are quite a few problems with permissions, basically anything else but PowerUser on DataCenter is unusable, this bug would help...
Since creating a template requires the CREATE_TEMPLATE action group on the entire data-center, adding granularity for storage domains (e.g. by checking against the CREATE_DISK action group) currently seems redundant/overly complex. Adding it essentially means granting current TemplateAdmins/TemplateCreators/etc. permissions for CREATE_DISK on the entire DC (to keep current behavior), or requiring them to manually grant the needed permissions. Hence, it looks like the best of a bad lot to keep the current design as is and revisit it as part of an overall simplification of the permissions mechanism.
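A simplified model of the two checks discussed in this thread, added here as an illustration and not taken from the oVirt engine or from any commenter. The object ids, the user name and the rule that a grant on the data center is inherited by its storage domains are assumptions; only the action group names CREATE_TEMPLATE and CREATE_DISK come from the thread.

```python
from dataclasses import dataclass, field

# Constructed hierarchy: two storage domains inside one data center.
PARENT = {"sd-fast": "dc-1", "sd-archive": "dc-1", "dc-1": None}


@dataclass
class Acl:
    # (user, object_id) -> action groups granted directly on that object
    grants: dict = field(default_factory=dict)

    def grant(self, user, obj, group):
        self.grants.setdefault((user, obj), set()).add(group)

    def allowed(self, user, obj, group):
        # Assumption: a grant on a parent object is inherited by its children.
        while obj is not None:
            if group in self.grants.get((user, obj), set()):
                return True
            obj = PARENT[obj]
        return False


def check_dc_only(acl, user, dc, target_domains):
    """Reported behaviour: target_domains is ignored, only the DC is checked."""
    if acl.allowed(user, dc, "CREATE_TEMPLATE"):
        return []
    return [(dc, "CREATE_TEMPLATE")]


def check_per_domain(acl, user, dc, target_domains):
    """Expected behaviour: also require CREATE_DISK on every target domain."""
    missing = check_dc_only(acl, user, dc, target_domains)
    missing += [(sd, "CREATE_DISK") for sd in target_domains
                if not acl.allowed(user, sd, "CREATE_DISK")]
    return missing  # an empty list means the command may run


def demo():
    acl = Acl()
    acl.grant("alice", "dc-1", "CREATE_TEMPLATE")  # template creator on the DC
    acl.grant("alice", "sd-fast", "CREATE_DISK")   # disk rights on one domain
    targets = ["sd-fast", "sd-archive"]
    before = check_dc_only(acl, "alice", "dc-1", targets)
    after = check_per_domain(acl, "alice", "dc-1", targets)
    # Compatibility option from the last comment: CREATE_DISK on the whole DC.
    acl.grant("alice", "dc-1", "CREATE_DISK")
    compat = check_per_domain(acl, "alice", "dc-1", targets)
    return before, after, compat


if __name__ == "__main__":
    print(demo())
```

The DC-only check passes even though the user has no disk rights on `sd-archive`; the per-domain check reports that gap, and granting CREATE_DISK on the whole data center restores the current behaviour at the cost of the added granularity.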