From: "Christopher Morrissey" <Christopher.Morrissey(a)netapp.com&gt; To: "Eli Mesika" <emesika(a)redhat.com&gt;, "engine-devel" <engine-devel(a)ovirt.org&gt; Sent: Monday, November 19, 2012 4:50:34 PM Subject: RE: [Engine-devel] Design review summary for 3.2 - adding support for External Events Hi Eli, I've perused the design and it looks very good for the purpose of adding events to the log as back end tasks on the NetApp VSC are started and complete. I do have one question. As part of the new UI plugin framework that Vojtech is working on he added the capability to retrieve a session ID that will be used outside of the oVirt engine to invoke REST API calls. I'm assuming this session would have the same role as the user that is currently logged in. According to the event log design, only the Super user will have permissions to add events by default. This would mean that if anyone other than the super user is logged in and performing any tasks through the NetApp plugin, the server side of the VSC will likely not be able to log events. This could be confusing for users as sometimes they see events showing up giving them information on the task progress and sometimes they don't depending on the role logged in. Would it make sense to allow all roles to log events by default? I'm not sure what security problems would arise given that it is just a log and they would be tagged as external events.

-Chris -----Original Message----- From: engine-devel-bounces(a)ovirt.org [mailto:engine-devel-bounces@ovirt.org] On Behalf Of Eli Mesika Sent: Monday, November 19, 2012 7:24 AM To: engine-devel Subject: [Engine-devel] Design review summary for 3.2 - adding support for External Events Discussion : http://wiki.ovirt.org/wiki/Talk:ExternalEvents Updated Design : http://wiki.ovirt.org/wiki/Features/Design/DetailedExternalEvents#Future_... _______________________________________________ Engine-devel mailing list Engine-devel(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-devel

-----Original Message----- From: Eli Mesika [mailto:emesika@redhat.com] Sent: Monday, November 19, 2012 11:16 PM To: Morrissey, Christopher Cc: engine-devel Subject: Re: [Engine-devel] Design review summary for 3.2 - adding support for External Events ----- Original Message ----- > From: "Eli Mesika" <emesika(a)redhat.com&gt; > To: "Christopher Morrissey" <Christopher.Morrissey(a)netapp.com&gt; > Cc: "engine-devel" <engine-devel(a)ovirt.org&gt; > Sent: Monday, November 19, 2012 11:09:32 PM > Subject: Re: [Engine-devel] Design review summary for 3.2 - adding support for External Events > > > > ----- Original Message ----- > > From: "Christopher Morrissey" <Christopher.Morrissey(a)netapp.com&gt; > > To: "Eli Mesika" <emesika(a)redhat.com&gt;, "engine-devel" > > <engine-devel(a)ovirt.org&gt; > > Sent: Monday, November 19, 2012 4:50:34 PM > > Subject: RE: [Engine-devel] Design review summary for 3.2 - adding > > support for External Events > > > > Hi Eli, > > > > I've perused the design and it looks very good for the purpose of > > adding events to the log as back end tasks on the NetApp VSC are > > started and complete. > > > > I do have one question. As part of the new UI plugin framework that > > Vojtech is working on he added the capability to retrieve a session > > ID that will be used outside of the oVirt engine to invoke REST API > > calls. I'm assuming this session would have the same role as the > > user that is currently logged in. > > > > According to the event log design, only the Super user will have > > permissions to add events by default. This would mean that if anyone > > other than the super user is logged in and performing any tasks > > through the NetApp plugin, the server side of the VSC will likely > > not be able to log events. This could be confusing for users as > > sometimes they see events showing up giving them information on the > > task progress and sometimes they don't depending on the role logged > > in. > > > > Would it make sense to allow all roles to log events by default? > > I'm > > not sure what security problems would arise given that it is just a > > log and they would be tagged as external events. > > Hi Christopher, our security model implies a black-list, oops, I meant white-list of course ....

so, I don;t > think this is possible > But still, a super-user can of course give the permission to add new > events to all Roles in the system and you will have the same result. > Does that make sense ? >

> > > > -Chris > > > > > > -----Original Message----- > > From: engine-devel-bounces(a)ovirt.org > > [mailto:engine-devel-bounces@ovirt.org] On Behalf Of Eli Mesika > > Sent: Monday, November 19, 2012 7:24 AM > > To: engine-devel > > Subject: [Engine-devel] Design review summary for 3.2 - adding > > support for External Events > > > > Discussion : http://wiki.ovirt.org/wiki/Talk:ExternalEvents > > Updated Design : > > http://wiki.ovirt.org/wiki/Features/Design/DetailedExternalEvents#Fu > > ture_directions _______________________________________________ > > Engine-devel mailing list > > Engine-devel(a)ovirt.org > > http://lists.ovirt.org/mailman/listinfo/engine-devel > > > _______________________________________________ > Engine-devel mailing list > Engine-devel(a)ovirt.org > http://lists.ovirt.org/mailman/listinfo/engine-devel >

From: "Itamar Heim" <iheim(a)redhat.com&gt; To: "Christopher Morrissey" <Christopher.Morrissey(a)netapp.com&gt; Cc: "Eli Mesika" <emesika(a)redhat.com&gt;, "engine-devel" <engine-devel(a)ovirt.org&gt; Sent: Thursday, November 22, 2012 8:35:56 AM Subject: Re: [Engine-devel] Design review summary for 3.2 - adding support for External Events On 11/20/2012 04:07 PM, Morrissey, Christopher wrote: ... >>>> Hi Eli, >>>> >>>> I've perused the design and it looks very good for the purpose >>>> of >>>> adding events to the log as back end tasks on the NetApp VSC are >>>> started and complete. >>>> >>>> I do have one question. As part of the new UI plugin framework >>>> that >>>> Vojtech is working on he added the capability to retrieve a >>>> session >>>> ID that will be used outside of the oVirt engine to invoke REST >>>> API >>>> calls. I'm assuming this session would have the same role as the >>>> user that is currently logged in. >>>> >>>> According to the event log design, only the Super user will have >>>> permissions to add events by default. This would mean that if >>>> anyone >>>> other than the super user is logged in and performing any tasks >>>> through the NetApp plugin, the server side of the VSC will >>>> likely >>>> not be able to log events. This could be confusing for users as >>>> sometimes they see events showing up giving them information on >>>> the >>>> task progress and sometimes they don't depending on the role >>>> logged >>>> in. >>>> >>>> Would it make sense to allow all roles to log events by default? >>>> I'm >>>> not sure what security problems would arise given that it is >>>> just a >>>> log and they would be tagged as external events. >>> >>> Hi Christopher, our security model implies a black-list, >> >> oops, I meant white-list of course .... >> > > That's what I figured. :) > >> so, I don;t >>> think this is possible >>> But still, a super-user can of course give the permission to add >>> new >>> events to all Roles in the system and you will have the same >>> result. >>> Does that make sense ? >>> > > That does make sense. We'll likely just try to use the API to log > events when starting a task and if we receive an error we can > bubble that up to the user letting them know that they need to > either get the right permission or accept that they won't get > messages in the oVirt log while the task completes. Eli - not that the design includes checking for permissions on objects, why wouldn't we add this permission (ActionGroup) to other admin roles as well?

this is only for admin roles, not user roles. what's the risk in allowing admins to inject external events?

From: "Itamar Heim" <iheim(a)redhat.com&gt; To: "Eli Mesika" <emesika(a)redhat.com&gt; Cc: "engine-devel" <engine-devel(a)ovirt.org&gt;, "Christopher Morrissey" <Christopher.Morrissey(a)netapp.com&gt; Sent: Friday, November 23, 2012 8:38:34 AM Subject: Re: [Engine-devel] Design review summary for 3.2 - adding support for External Events On 11/23/2012 01:10 AM, Eli Mesika wrote: > > > ----- Original Message ----- >> From: "Itamar Heim" <iheim(a)redhat.com&gt; >> To: "Christopher Morrissey" <Christopher.Morrissey(a)netapp.com&gt; >> Cc: "Eli Mesika" <emesika(a)redhat.com&gt;, "engine-devel" >> <engine-devel(a)ovirt.org&gt; >> Sent: Thursday, November 22, 2012 8:35:56 AM >> Subject: Re: [Engine-devel] Design review summary for 3.2 - adding >> support for External Events >> >> On 11/20/2012 04:07 PM, Morrissey, Christopher wrote: >> ... >> >>>>>> Hi Eli, >>>>>> >>>>>> I've perused the design and it looks very good for the purpose >>>>>> of >>>>>> adding events to the log as back end tasks on the NetApp VSC >>>>>> are >>>>>> started and complete. >>>>>> >>>>>> I do have one question. As part of the new UI plugin framework >>>>>> that >>>>>> Vojtech is working on he added the capability to retrieve a >>>>>> session >>>>>> ID that will be used outside of the oVirt engine to invoke >>>>>> REST >>>>>> API >>>>>> calls. I'm assuming this session would have the same role as >>>>>> the >>>>>> user that is currently logged in. >>>>>> >>>>>> According to the event log design, only the Super user will >>>>>> have >>>>>> permissions to add events by default. This would mean that if >>>>>> anyone >>>>>> other than the super user is logged in and performing any >>>>>> tasks >>>>>> through the NetApp plugin, the server side of the VSC will >>>>>> likely >>>>>> not be able to log events. This could be confusing for users >>>>>> as >>>>>> sometimes they see events showing up giving them information >>>>>> on >>>>>> the >>>>>> task progress and sometimes they don't depending on the role >>>>>> logged >>>>>> in. >>>>>> >>>>>> Would it make sense to allow all roles to log events by >>>>>> default? >>>>>> I'm >>>>>> not sure what security problems would arise given that it is >>>>>> just a >>>>>> log and they would be tagged as external events. >>>>> >>>>> Hi Christopher, our security model implies a black-list, >>>> >>>> oops, I meant white-list of course .... >>>> >>> >>> That's what I figured. :) >>> >>>> so, I don;t >>>>> think this is possible >>>>> But still, a super-user can of course give the permission to >>>>> add >>>>> new >>>>> events to all Roles in the system and you will have the same >>>>> result. >>>>> Does that make sense ? >>>>> >>> >>> That does make sense. We'll likely just try to use the API to log >>> events when starting a task and if we receive an error we can >>> bubble that up to the user letting them know that they need to >>> either get the right permission or accept that they won't get >>> messages in the oVirt log while the task completes. >> >> Eli - not that the design includes checking for permissions on >> objects, >> why wouldn't we add this permission (ActionGroup) to other admin >> roles >> as well? > > You mean in DB upgrade , right ? well, in design, but then yes, as part of upgrade to fix the relevant pre-defined roles

> >> this is only for admin roles, not user roles. what's the risk in >> allowing admins to inject external events? > > IIUC , you are right , no risk > >>

Hi please note that this section http://wiki.ovirt.org/wiki/Features/Design/DetailedExternalEvents#Permiss... was changed and approved by PM (Miki) _______________________________________________ Engine-devel mailing list Engine-devel(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-devel

Invoke ..api/events/add API giving at least AuditLogType, Severity, Origin & CustomEventId

When the Event/Alert is on a specific object, the object instance id should be set.

Permissions on Entity Instances There will be no permission check on entity instances on which External Events are injected

The reason is that in order to invoke an External Events on an entity instance, the invoker should know the entity instance UUID and therefore we had already checked that the invoker has the right permissions on the entity instance when he gets the information.

Also, double checking that in the AddExternalEvent command is not simple, since each Entity may have several ActionGroups (Create, Edit etc.) associated with it, so it is not clear which to check

So, in order to keep things simple, we will assume that if the caller to Add External Event has the Entity UUID in hand, all we have to check is that he has permission to inject External Events

User Experience Global External Events will be displayed on the Global Events TAB Entity instance External Events will be displayed on the Events TAB when selecting the Entity instance

Installation/Upgrade Add additional fields to audit_log table upon upgrade Add the permission(ActionGroup) to manipulate External Events to other admin roles already defined upon upgrade.

>> Invoke ..api/events/add API giving at least AuditLogType, Severity, >> > >Origin & CustomEventId > > > >why do you need the AuditLogType - you already know it is > >ExternalEvent/Alert? you only need to know the severity iiuc. Sorry for the late respond (too many urgent issue :-)) I need that because we have not just and Alert but also Warning , Error & Normal External Events