<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 3 Apr 2018, at 15:23, Lloyd Kamara <<a href="mailto:l.kamara@imperial.ac.uk" class="">l.kamara@imperial.ac.uk</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Dear Sir/Madam,<br class=""><br class="">The ability to upload ISOs through the web interface and boot<br class="">VMs from them is a welcome addition in oVirt release 4.2.2.<br class="">I am grateful to the people behind the implementation of this.<br class=""><br class="">Consider a scenario in which you wish to allow *end-users*<br class="">to upload ISOs to one or more Data Domains. The users can<br class="">then use the uploaded ISOs to boot their VMs.<br class=""><br class="">Is it possible to grant a user permission to upload ISOs through<br class="">the web interface? I tried to to this under oVirt release 4.2.2<br class="">by doing the following:<br class=""><br class="">- adding the 'SuperUser' role to a target user for a specific<br class="">Data Domain, which enables the user to log onto the Administration Portal.<br class=""><br class="">- adding the 'DiskCreator' role to the same target user for the<br class="">same Data Domain, which, I would hope, would allow the user to<br class="">both create disks and upload ISOs within that Data Domain.<br class=""><br class="">Disk creation in the Data Domain for the target user works as expected;<br class="">ISO upload does not. A dialog appears with the message: 'Operation<br class="">Canceled Error while executing action: User is not authorized to<br class="">perform this action.'<br class=""><br class="">Here is the message that appears in /var/log/ovirt-engine/engine.log<br class="">when an attempt at uploading an ISO is made by the target user:<br class=""><br class=""><br class="">INFO<br class="">[org.ovirt.engine.core.bll.storage.disk.image.TransferImageStatusCommand]<br class="">(default task-40) [5b3fef06-49c8-4c34-81a3-a20fa691709a] No permission<br class="">found for user 'a9fde4c3-97a3-4494-84f8-08041a16710c' or one of the<br class="">groups he is member of, when running action 'TransferImageStatus',<br class="">Required permissions are: Action type: 'USER' Action group:<br class="">'CREATE_DISK' Object type: 'System' Object ID:<br class="">'aaa00000-0000-0000-0000-123456789aaa'.<br class=""><br class=""><br class="">If one assigns the DiskCreator role System permission for the target<br class="">user then that user can upload ISOs without problem. Unfortunately,<br class="">the user can upload ISOs - and create disks - in *all* data domains.<br class=""><br class="">To re-iterate, is it possible to grant an end-user permission to<br class="">upload ISOs to specific data domains through the web interface without<br class="">granting an all-encompassing System permission?<br class=""></div></div></blockquote><div><br class=""></div>it does sound like a bug to me. Can you open one with those details?</div><div><a href="https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine" class="">https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine</a></div><div><br class=""></div><div>Thanks,</div><div>michal</div><div><blockquote type="cite" class=""><div class=""><div class=""><br class=""><br class="">Best wishes,<br class=""> Lloyd Kamara<br class=""><br class=""><br class="">References:<br class="">[The first two are included insofar as they concern ISO upload via web]<br class=""><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1530730" class="">https://bugzilla.redhat.com/show_bug.cgi?id=1530730</a><br class=""><br class="">https://bugzilla.redhat.com/show_bug.cgi?id=1536826<br class=""><br class="">[This one is included because I wonder if the testing requests<br class="">includes the ability for users to upload ISOs via the web GUI, not<br class="">just attach existing ISOs in data domains to VMs]<br class=""><br class="">https://bugzilla.redhat.com/show_bug.cgi?id=1058798<br class="">_______________________________________________<br class="">Users mailing list<br class="">Users@ovirt.org<br class="">http://lists.ovirt.org/mailman/listinfo/users<br class=""><br class=""><br class=""></div></div></blockquote></div><br class=""></body></html>