Omer Frenkel has submitted this change and it was merged. Change subject: engine,webdmin: Restrict destination host parameter for administrators ...................................................................... engine,webdmin: Restrict destination host parameter for administrators Users aren't supposed to be able to provide any host level parameters to commands. New action groups added: - EDIT_ADMIN_VM_PROPERTIES - EDIT_ADMIN_TEMPLATE_PROPERTIES The permission check is applied if e.g. destination host is specified and is different from the default VM destination host for Run/RunOnce/UpdateVM/UpdateVmTemplate/AddVM/AddVmTemplate VM actions. The new action groups are assigned to: - SuperUser, DataCenterAdmin, (ClusterAdmin, TemplateAdmin) roles. GUI role tree is updated. Permissions are propagated into REST API layer. Change-Id: I5294854d24b235f2c50fa7f3d4e7472cf7598b53 Bug-Url: https://bugzilla.redhat.com/902353 Signed-off-by: Libor Spevak <lspevak@redhat.com> --- A backend/manager/dbscripts/upgrade/03_03_0030_add_edit_admin_vm_props.sql M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmFromScratchCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmFromSnapshotCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/RunVmCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmTemplateCommand.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java M backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java M backend/manager/modules/restapi/types/src/main/java/org/ovirt/engine/api/restapi/types/PermitMapper.java M frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java M frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/Constants.java M frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java M frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties 15 files changed, 177 insertions(+), 29 deletions(-) Approvals: Libor Spevak: Verified Omer Frenkel: Oved Ourfali: Looks good to me, approved -- To view, visit http://gerrit.ovirt.org/11303 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: merged Gerrit-Change-Id: I5294854d24b235f2c50fa7f3d4e7472cf7598b53 Gerrit-PatchSet: 8 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Libor Spevak <lspevak@redhat.com> Gerrit-Reviewer: Einav Cohen <ecohen@redhat.com> Gerrit-Reviewer: Gilad Chaplik <gchaplik@redhat.com> Gerrit-Reviewer: Itamar Heim <iheim@redhat.com> Gerrit-Reviewer: Libor Spevak <lspevak@redhat.com> Gerrit-Reviewer: Michael Pasternak <mpastern@redhat.com> Gerrit-Reviewer: Omer Frenkel <ofrenkel@redhat.com> Gerrit-Reviewer: Oved Ourfali <oourfali@redhat.com> Gerrit-Reviewer: Tomas Jelinek <tjelinek@redhat.com>