Hi All,
This is in regard to BZ 1511697 - Unable to set permission on all but
Hosted-Engine VM and Storage Domain
The Issue:
---------------
As described in the BZ, inherited permissions for HE VM/SD
lets non SUPER_USER admins perform operations on the VM.
Currently as far as permissions go there is no way to
distinguish between a HE VM/SD and normal VMs/SDs and
there is no way to set permissions only for the HE VM/SD. So
all admins can perform operation on the HE VM/SD.
Proposed Solution:
--------------------------
The proposed solution is to prevent operations on a HE VM/SD for
all users who do not have SUPER_USER system privilages as per [2].
Moving host to maintenance is allowed for all admins and the
HE VM/SD is listed in search queries. Only when performing operations
on the VM/SD we check user permissions.
This requires documentation change as not all admin users can
perform actions on a HE VM/SD.
Please let me know if you have any objections to the proposed change
before it is merged.
Thanks
Ravi
[1]
https://bugzilla.redhat.com/show_bug.cgi?id=1511697
[2]
https://gerrit.ovirt.org/#/c/97689/