ISO uploading from GUI/REST with user permissions

Dear Sir/Madam,

The ability to upload ISOs through the web interface and boot VMs from them is a welcome addition in oVirt release 4.2.2. I am grateful to the people behind the implementation of this.

Consider a scenario in which you wish to allow *end-users* to upload ISOs to one or more Data Domains. The users can then use the uploaded ISOs to boot their VMs.

Is it possible to grant a user permission to upload ISOs through the web interface? I tried to do this under oVirt release 4.2.2 by doing the following:

- adding the 'SuperUser' role to a target user for a specific Data Domain, which enables the user to log onto the Administration Portal.

- adding the 'DiskCreator' role to the same target user for the same Data Domain, which, I would hope, would allow the user to both create disks and upload ISOs within that Data Domain.

Disk creation in the Data Domain for the target user works as expected; ISO upload does not. A dialog appears with the message: 'Operation Canceled Error while executing action: User is not authorized to perform this action.'

Here is the message that appears in /var/log/ovirt-engine/engine.log when an attempt at uploading an ISO is made by the target user:

INFO [org.ovirt.engine.core.bll.storage.disk.image.TransferImageStatusCommand] (default task-40) [5b3fef06-49c8-4c34-81a3-a20fa691709a] No permission found for user 'a9fde4c3-97a3-4494-84f8-08041a16710c' or one of the groups he is member of, when running action 'TransferImageStatus', Required permissions are: Action type: 'USER' Action group: 'CREATE_DISK' Object type: 'System' Object ID: 'aaa00000-0000-0000-0000-123456789aaa'.

If one assigns the DiskCreator role System permission for the target user then that user can upload ISOs without problem. Unfortunately, the user can upload ISOs - and create disks - in *all* data domains.

To re-iterate, is it possible to grant an end-user permission to upload ISOs to specific data domains through the web interface without granting an all-encompassing System permission?

Best wishes,
Lloyd Kamara

References:

[The first two are included insofar as they concern ISO upload via web]
https://bugzilla.redhat.com/show_bug.cgi?id=1530730
https://bugzilla.redhat.com/show_bug.cgi?id=1536826

[This one is included because I wonder if the testing requests includes the ability for users to upload ISOs via the web GUI, not just attach existing ISOs in data domains to VMs]
https://bugzilla.redhat.com/show_bug.cgi?id=1058798
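The denial quoted in the message above can be triaged mechanically. This is an added example, not part of the original post and not oVirt code: it parses the engine.log line and compares the required scope with a user's grants. The grant tuple layout, the 'StorageDomain' label and the placeholder domain ID are constructed, and it assumes DiskCreator carries CREATE_DISK, as the post and log imply.

```python
import re

# Log line as quoted in the post above (engine.log, oVirt 4.2.2).
SAMPLE = (
    "INFO [org.ovirt.engine.core.bll.storage.disk.image.TransferImageStatusCommand] "
    "(default task-40) [5b3fef06-49c8-4c34-81a3-a20fa691709a] No permission found for "
    "user 'a9fde4c3-97a3-4494-84f8-08041a16710c' or one of the groups he is member of, "
    "when running action 'TransferImageStatus', Required permissions are: "
    "Action type: 'USER' Action group: 'CREATE_DISK' Object type: 'System' "
    "Object ID: 'aaa00000-0000-0000-0000-123456789aaa'."
)

DENIAL = re.compile(
    r"\[(?P<command>[\w.]+)\]\s+\((?P<thread>[^)]*)\)\s+\[(?P<correlation>[^\]]*)\]\s+"
    r"No permission found for user '(?P<user>[^']+)'.*?"
    r"when running action '(?P<action>[^']+)'.*?"
    r"Action type: '(?P<action_type>[^']+)'\s+"
    r"Action group: '(?P<action_group>[^']+)'\s+"
    r"Object type: '(?P<object_type>[^']+)'\s+"
    r"Object ID: '(?P<object_id>[^']+)'"
)

# Constructed grant table: (user_id, action_group, object_type, object_id).
# Models DiskCreator assigned on one Data Domain; the ID is a placeholder.
CONSTRUCTED_GRANTS = [
    ("a9fde4c3-97a3-4494-84f8-08041a16710c", "CREATE_DISK",
     "StorageDomain", "<data-domain-id-placeholder>"),
]

def parse_denial(line):
    """Return the fields of a 'No permission found' line, or None."""
    m = DENIAL.search(line)
    return m.groupdict() if m else None

def diagnose(denial, grants):
    """Classify a denial as 'granted', 'scope-mismatch' or 'missing'."""
    mine = [g for g in grants
            if g[0] == denial["user"] and g[1] == denial["action_group"]]
    if any(g[2] == denial["object_type"] and g[3] == denial["object_id"]
           for g in mine):
        return "granted"
    # The user holds the action group, but on a different object than the
    # check demands: the situation described in the post.
    return "scope-mismatch" if mine else "missing"

if __name__ == "__main__":
    d = parse_denial(SAMPLE)
    print(d["action"], d["action_group"], d["object_type"],
          diagnose(d, CONSTRUCTED_GRANTS))
```

A 'scope-mismatch' result separates a check made at a broader scope than the role assignment from a role that was never granted, which is the distinction a bug report needs.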

On 3 Apr 2018, at 15:23, Lloyd Kamara <l.kamara@imperial.ac.uk> wrote:

> Dear Sir/Madam,
>
> The ability to upload ISOs through the web interface and boot VMs from them is a welcome addition in oVirt release 4.2.2. I am grateful to the people behind the implementation of this.
>
> Consider a scenario in which you wish to allow *end-users* to upload ISOs to one or more Data Domains. The users can then use the uploaded ISOs to boot their VMs.
>
> Is it possible to grant a user permission to upload ISOs through the web interface? I tried to do this under oVirt release 4.2.2 by doing the following:
>
> - adding the 'SuperUser' role to a target user for a specific Data Domain, which enables the user to log onto the Administration Portal.
>
> - adding the 'DiskCreator' role to the same target user for the same Data Domain, which, I would hope, would allow the user to both create disks and upload ISOs within that Data Domain.
>
> Disk creation in the Data Domain for the target user works as expected; ISO upload does not. A dialog appears with the message: 'Operation Canceled Error while executing action: User is not authorized to perform this action.'
>
> Here is the message that appears in /var/log/ovirt-engine/engine.log when an attempt at uploading an ISO is made by the target user:
>
> INFO [org.ovirt.engine.core.bll.storage.disk.image.TransferImageStatusCommand] (default task-40) [5b3fef06-49c8-4c34-81a3-a20fa691709a] No permission found for user 'a9fde4c3-97a3-4494-84f8-08041a16710c' or one of the groups he is member of, when running action 'TransferImageStatus', Required permissions are: Action type: 'USER' Action group: 'CREATE_DISK' Object type: 'System' Object ID: 'aaa00000-0000-0000-0000-123456789aaa'.
>
> If one assigns the DiskCreator role System permission for the target user then that user can upload ISOs without problem. Unfortunately, the user can upload ISOs - and create disks - in *all* data domains.
>
> To re-iterate, is it possible to grant an end-user permission to upload ISOs to specific data domains through the web interface without granting an all-encompassing System permission?

it does sound like a bug to me. Can you open one with those details?
https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine

Thanks,
michal

> Best wishes,
> Lloyd Kamara
>
> References:
>
> [The first two are included insofar as they concern ISO upload via web]
> https://bugzilla.redhat.com/show_bug.cgi?id=1530730
> https://bugzilla.redhat.com/show_bug.cgi?id=1536826
>
> [This one is included because I wonder if the testing requests includes the ability for users to upload ISOs via the web GUI, not just attach existing ISOs in data domains to VMs]
> https://bugzilla.redhat.com/show_bug.cgi?id=1058798

Dear Michal,

you wrote:

> it does sound like a bug to me. Can you open one with those details?
> https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine

Duly done as Bug 1564509.
https://bugzilla.redhat.com/show_bug.cgi?id=1564509

Best wishes,
Lloyd Kamara

participants (2): Lloyd Kamara, Michal Skrivanek