9:23 a.m.
Dear Sir/Madam,
The ability to upload ISOs through the web interface and boot
VMs from them is a welcome addition in oVirt release 4.2.2.
I am grateful to the people behind the implementation of this.
Consider a scenario in which you wish to allow *end-users*
to upload ISOs to one or more Data Domains. The users can
then use the uploaded ISOs to boot their VMs.
Is it possible to grant a user permission to upload ISOs through
the web interface? I tried to to this under oVirt release 4.2.2
by doing the following:
- adding the 'SuperUser' role to a target user for a specific
Data Domain, which enables the user to log onto the Administration Portal.
- adding the 'DiskCreator' role to the same target user for the
same Data Domain, which, I would hope, would allow the user to
both create disks and upload ISOs within that Data Domain.
Disk creation in the Data Domain for the target user works as expected;
ISO upload does not. A dialog appears with the message: 'Operation
Canceled Error while executing action: User is not authorized to
perform this action.'
Here is the message that appears in /var/log/ovirt-engine/engine.log
when an attempt at uploading an ISO is made by the target user:
INFO
[org.ovirt.engine.core.bll.storage.disk.image.TransferImageStatusCommand]
(default task-40) [5b3fef06-49c8-4c34-81a3-a20fa691709a] No permission
found for user 'a9fde4c3-97a3-4494-84f8-08041a16710c' or one of the
groups he is member of, when running action 'TransferImageStatus',
Required permissions are: Action type: 'USER' Action group:
'CREATE_DISK' Object type: 'System' Object ID:
'aaa00000-0000-0000-0000-123456789aaa'.
If one assigns the DiskCreator role System permission for the target
user then that user can upload ISOs without problem. Unfortunately,
the user can upload ISOs - and create disks - in *all* data domains.
To re-iterate, is it possible to grant an end-user permission to
upload ISOs to specific data domains through the web interface without
granting an all-encompassing System permission?
Best wishes,
Lloyd Kamara
References:
[The first two are included insofar as they concern ISO upload via web]
https://bugzilla.redhat.com/show_bug.cgi?id=1530730
https://bugzilla.redhat.com/show_bug.cgi?id=1536826
[This one is included because I wonder if the testing requests
includes the ability for users to upload ISOs via the web GUI, not
just attach existing ISOs in data domains to VMs]
https://bugzilla.redhat.com/show_bug.cgi?id=1058798
5:17 a.m.
--Apple-Mail=_3ED090B1-056B-4680-A98D-16893F352163
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=us-ascii
On 3 Apr 2018, at 15:23, Lloyd Kamara <l.kamara(a)imperial.ac.uk>
wrote:
=20
Dear Sir/Madam,
=20
The ability to upload ISOs through the web interface and boot
VMs from them is a welcome addition in oVirt release 4.2.2.
I am grateful to the people behind the implementation of this.
=20
Consider a scenario in which you wish to allow *end-users*
to upload ISOs to one or more Data Domains. The users can
then use the uploaded ISOs to boot their VMs.
=20
Is it possible to grant a user permission to upload ISOs through
the web interface? I tried to to this under oVirt release 4.2.2
by doing the following:
=20
- adding the 'SuperUser' role to a target user for a specific
Data Domain, which enables the user to log onto the Administration =
Portal.
=20
- adding the 'DiskCreator' role to the same target user for the
same Data Domain, which, I would hope, would allow the user to
both create disks and upload ISOs within that Data Domain.
=20
Disk creation in the Data Domain for the target user works as =
expected;
ISO upload does not. A dialog appears with the message:
'Operation
Canceled Error while executing action: User is not authorized to
perform this action.'
=20
Here is the message that appears in /var/log/ovirt-engine/engine.log
when an attempt at uploading an ISO is made by the target user:
=20
=20
INFO
=
[org.ovirt.engine.core.bll.storage.disk.image.TransferImageStatusCommand]
(default task-40) [5b3fef06-49c8-4c34-81a3-a20fa691709a] No
permission
found for user 'a9fde4c3-97a3-4494-84f8-08041a16710c' or one of the
groups he is member of, when running action 'TransferImageStatus',
Required permissions are: Action type: 'USER' Action group:
'CREATE_DISK' Object type: 'System' Object ID:
'aaa00000-0000-0000-0000-123456789aaa'.
=20
=20
If one assigns the DiskCreator role System permission for the target
user then that user can upload ISOs without problem. Unfortunately,
the user can upload ISOs - and create disks - in *all* data domains.
=20
To re-iterate, is it possible to grant an end-user permission to
upload ISOs to specific data domains through the web interface without
granting an all-encompassing System permission?
it does sound like a bug to me. Can you open one with those details?
https://bugzilla.redhat.com/enter_bug.cgi?product=3Dovirt-engine =
<https://bugzilla.redhat.com/enter_bug.cgi?product=3Dovirt-engine>
Thanks,
michal
=20
=20
Best wishes,
Lloyd Kamara
=20
=20
References:
[The first two are included insofar as they concern ISO upload via =
web]
https://bugzilla.redhat.com/show_bug.cgi?id=3D1530730
=20
https://bugzilla.redhat.com/show_bug.cgi?id=3D1536826
=20
[This one is included because I wonder if the testing requests
includes the ability for users to upload ISOs via the web GUI, not
just attach existing ISOs in data domains to VMs]
=20
https://bugzilla.redhat.com/show_bug.cgi?id=3D1058798
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
=20
=20
--Apple-Mail=_3ED090B1-056B-4680-A98D-16893F352163
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
charset=us-ascii
<html><head><meta http-equiv=3D"Content-Type"
content=3D"text/html; =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;"
class=3D""><br =
class=3D""><div><br class=3D""><blockquote
type=3D"cite" class=3D""><div =
class=3D"">On 3 Apr 2018, at 15:23, Lloyd Kamara <<a =
href=3D"mailto:l.kamara@imperial.ac.uk" =
class=3D"">l.kamara(a)imperial.ac.uk</a>&gt; wrote:</div><br
=
class=3D"Apple-interchange-newline"><div class=3D""><div
class=3D"">Dear =
Sir/Madam,<br class=3D""><br class=3D"">The ability to
upload ISOs =
through the web interface and boot<br class=3D"">VMs from them is a =
welcome addition in oVirt release 4.2.2.<br class=3D"">I am grateful to =
the people behind the implementation of this.<br class=3D""><br =
class=3D"">Consider a scenario in which you wish to allow *end-users*<br
=
class=3D"">to upload ISOs to one or more Data Domains. The users =
can<br class=3D"">then use the uploaded ISOs to boot their VMs.<br =
class=3D""><br class=3D"">Is it possible to grant a user
permission to =
upload ISOs through<br class=3D"">the web interface? I tried to
to =
this under oVirt release 4.2.2<br class=3D"">by doing the following:<br
=
class=3D""><br class=3D"">- adding the 'SuperUser'
role to a target user =
for a specific<br class=3D"">Data Domain, which enables the user to log =
onto the Administration Portal.<br class=3D""><br
class=3D"">- adding =
the 'DiskCreator' role to the same target user for the<br
class=3D"">same =
Data Domain, which, I would hope, would allow the user to<br =
class=3D"">both create disks and upload ISOs within that Data Domain.<br
=
class=3D""><br class=3D"">Disk creation in the Data Domain
for the =
target user works as expected;<br class=3D"">ISO upload does not. =
A dialog appears with the message: 'Operation<br
class=3D"">Canceled=
Error while executing action: User is not authorized to<br =
class=3D"">perform this action.'<br class=3D""><br
class=3D"">Here is =
the message that appears in /var/log/ovirt-engine/engine.log<br =
class=3D"">when an attempt at uploading an ISO is made by the target =
user:<br class=3D""><br class=3D""><br
class=3D"">INFO<br =
class=3D"">[org.ovirt.engine.core.bll.storage.disk.image.TransferImageStat=
usCommand]<br class=3D"">(default task-40) =
[5b3fef06-49c8-4c34-81a3-a20fa691709a] No permission<br class=3D"">found
=
for user 'a9fde4c3-97a3-4494-84f8-08041a16710c' or one of the<br =
class=3D"">groups he is member of, when running action =
'TransferImageStatus',<br class=3D"">Required permissions are:
Action =
type: 'USER' Action group:<br class=3D"">'CREATE_DISK'
Object type: =
'System' Object ID:<br =
class=3D"">'aaa00000-0000-0000-0000-123456789aaa'.<br
class=3D""><br =
class=3D""><br class=3D"">If one assigns the DiskCreator role
System =
permission for the target<br class=3D"">user then that user can upload =
ISOs without problem. Unfortunately,<br class=3D"">the user can
=
upload ISOs - and create disks - in *all* data domains.<br
class=3D""><br =
class=3D"">To re-iterate, is it possible to grant an end-user permission =
to<br class=3D"">upload ISOs to specific data domains through the web =
interface without<br class=3D"">granting an all-encompassing System =
permission?<br
class=3D""></div></div></blockquote><div><br =
class=3D""></div>it does sound like a bug to me. Can you open one with
=
those details?</div><div><a =
href=3D"https://bugzilla.redhat.com/enter_bug.cgi?product=3Dovirt-en... =
class=3D"">https://bugzilla.redhat.com/enter_bug.cgi?product...
e</a></div><div><br =
class=3D""></div><div>Thanks,</div><div>michal</div><div><blockquote
=
type=3D"cite" class=3D""><div class=3D""><div
class=3D""><br =
class=3D""><br class=3D"">Best wishes,<br
class=3D""> Lloyd =
Kamara<br class=3D""><br class=3D""><br
class=3D"">References:<br =
class=3D"">[The first two are included insofar as they concern ISO =
upload via web]<br class=3D""><a =
href=3D"https://bugzilla.redhat.com/show_bug.cgi?id=3D1530730" =
class=3D"">https://bugzilla.redhat.com/show_bug.cgi?id=3D153...
=
class=3D""><br =
class=3D"">https://bugzilla.redhat.com/show_bug.cgi?id=3D153... =
class=3D""><br class=3D"">[This one is included because I
wonder if the =
testing requests<br class=3D"">includes the ability for users to upload =
ISOs via the web GUI, not<br class=3D"">just attach existing ISOs in =
data domains to VMs]<br class=3D""><br =
class=3D"">https://bugzilla.redhat.com/show_bug.cgi?id=3D105... =
class=3D"">_______________________________________________<br =
class=3D"">Users mailing list<br
class=3D"">Users(a)ovirt.org<br =
class=3D"">http://lists.ovirt.org/mailman/listinfo/users<br
class=3D""><br=
class=3D""><br
class=3D""></div></div></blockquote></div><br =
class=3D""></body></html>=
--Apple-Mail=_3ED090B1-056B-4680-A98D-16893F352163--
9:44 a.m.
Dear Michal, you wrote:
it does sound like a bug to me. Can you open one with those details?
https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine
Duly done as Bug 1564509.
https://bugzilla.redhat.com/show_bug.cgi?id=1564509
Best wishes,
Lloyd Kamara
2453
days inactive
2456
days old
2 comments
2 participants
participants (2)
-
Lloyd Kamara -
Michal Skrivanek