It's getting stranger. I have written code to dump roles and permits for a given
user.
./ovcmd user -n rexecutor roles | gsort -V
...
has role 'InstanceCreator' on vm 'fa42'
has role 'UserInstanceManager' on vm 'fa42'
has role 'UserRole' on vm 'fa42'
has role 'UserVmManager' on vm 'fa42'
has role 'UserVmRunTimeManager' on vm 'fa42'
So no super-user role for that VM.
./ovcmd user -n rexecutor permits
...
vm/fa42:
add_users_and_groups_from_directory
assign_cpu_profile
attach_disk
change_vm_cd
configure_vm_network
configure_vm_storage
connect_to_vm
create_disk
create_vm
delete_disk
delete_vm
edit_disk_properties
edit_vm_properties
hibernate_vm
login
manipulate_permissions
reboot_vm
run_vm
shut_down_vm
sparsify_disk
stop_vm
./ovcmd -u rexecutor@internal --passwordfile=/tmp/passwordfile vm -n fa42 stop
The action "vm stop" failed with: query execution failed due to insufficient
permissions.
The role has the stop_vm but it can't stop it.
Now I add the SuperUser role for that VM.
./ovcmd user -n rexecutor roles | gsort -V
...
has role 'InstanceCreator' on vm 'fa42'
has role 'SuperUser' on vm 'fa42'
has role 'UserInstanceManager' on vm 'fa42'
has role 'UserRole' on vm 'fa42'
has role 'UserVmManager' on vm 'fa42'
has role 'UserVmRunTimeManager' on vm 'fa42'
The permits are the same:
./ovcmd user -n rexecutor permits
vm/fa42:
add_users_and_groups_from_directory
assign_cpu_profile
attach_disk
change_vm_cd
configure_vm_network
configure_vm_storage
connect_to_vm
create_disk
create_vm
delete_disk
delete_vm
edit_disk_properties
edit_vm_properties
hibernate_vm
login
manipulate_permissions
reboot_vm
run_vm
shut_down_vm
sparsify_disk
stop_vm
./ovcmd -u rexecutor@internal --passwordfile=/tmp/passwordfile vm -n fa42 stop
(OK)
But now it can stop the vm. Why?
On 5 Jul 2017 at 17:55, Fabrice Bacchella
<fabrice.bacchella(a)orange.fr> wrote:
I'm trying to give a user the permissions to stop/start a specific server.
This user is given the generic UserRole for the System.
I tried to give him the roles:
UserVmManager
UserVmRunTimeManager
UserInstanceManager
InstanceCreator
UserRole
for that specific VM, I always get: query execution failed due to insufficient
permissions.
As soon as I give him the SuperUser role, he can stop/start it.
What role should I give him for that VM? I don't want to give the privilege to
destroy the vm, or add disks. But he should be able to change the os settings too.