Bug 928410 (https://bugzilla.redhat.com/show_bug.cgi?id=928410) was opened on this issue.
Additionally, Bug 928399 (https://bugzilla.redhat.com/show_bug.cgi?id=928399), which is possibly related to this issue, was opened.

- DHC


On Mon, Mar 18, 2013 at 10:02 PM, Dead Horse <deadhorseconsulting@gmail.com> wrote:
Verified this is present in latest engine built from master with latest VDSM built from master.
On the surface this literally seems as simple as a lack of Read-Only access to the template image when requesting to clone it from the template on the storage domain wherein the user cloning from the template has no permissions.
- DHC


On Wed, Mar 13, 2013 at 4:34 PM, Dead Horse <deadhorseconsulting@gmail.com> wrote:
Got an interesting one here as pertaining to template permissions and provisioning.

Given the following setup/situation:

A cluster with a user A assigned poweruser role permissions on the cluster.
- User A is assigned poweruser role permissions to storage domain A
- User A is a consumer of quota A which is assigned to specific storage domain A

A cluster with a user B assigned poweruser role permissions on the cluster.
- User B is assigned poweruser role permissions to storage domain B
- User B is a consumer of quota B which is assigned to specific storage domain B

User A creates a VM and makes a template of it with permissions of everyone as UserTemplateBasedVM.

User B tries to create a VM based on the template that User A created. While the base VM profile can be created, the storage provisioning encounters an issue.

Provisioning via the Template provisioning option with the thin provision option will fail due to the fact that User B does not have proper permissions to User A's storage domain. The symptom of this expected failure is that the target storage domain pull-down is empty. (It really should show something or be greyed out rather than just be blank; at least some sort of user notification.)

The real issue here is with the clone provisioning option. The idea here is to clone a copy of the template disks into User B's storage domain as a target where User B has poweruser role permissions. The problem here is that this fails just like the above thin provision, which should not be the case. The target pull-down is still blank; it should by default show the target storage domain to which User B has permissions, that being Storage domain B.

Further debugging yields that assigning UserTemplateVM permissions to User A's storage domain allows User B to use either of the options above, although the only one really desired is the clone option, since we don't want User B creating VMs in User A's storage domain. There still, however, was an issue: upon selecting clone and selecting Storage domain B as the target, the VM is created but the disk is created in Storage domain A instead of storage domain B.


Running build of the engine is built from commit: 7354d3283627bdbe30dd9c15ce45eba375280a8c

- DHC