[ovirt-users] ISO uploading from GUI/REST with user permissions

Lloyd Kamara l.kamara at imperial.ac.uk
Tue Apr 3 13:23:01 UTC 2018 

Dear Sir/Madam,

The ability to upload ISOs through the web interface and boot
VMs from them is a welcome addition in oVirt release 4.2.2.
I am grateful to the people behind the implementation of this.

Consider a scenario in which you wish to allow *end-users*
to upload ISOs to one or more Data Domains.  The users can
then use the uploaded ISOs to boot their VMs.

Is it possible to grant a user permission to upload ISOs through
the web interface?  I tried to to this under oVirt release 4.2.2
by doing the following:

- adding the 'SuperUser' role to a target user for a specific
Data Domain, which enables the user to log onto the Administration Portal.

- adding the 'DiskCreator' role to the same target user for the
same Data Domain, which, I would hope, would allow the user to
both create disks and upload ISOs within that Data Domain.

Disk creation in the Data Domain for the target user works as expected;
ISO upload does not.  A dialog appears with the message: 'Operation
Canceled  Error while executing action: User is not authorized to
perform this action.'

Here is the message that appears in /var/log/ovirt-engine/engine.log
when an attempt at uploading an ISO is made by the target user:


INFO
[org.ovirt.engine.core.bll.storage.disk.image.TransferImageStatusCommand]
(default task-40) [5b3fef06-49c8-4c34-81a3-a20fa691709a] No permission
found for user 'a9fde4c3-97a3-4494-84f8-08041a16710c' or one of the
groups he is member of, when running action 'TransferImageStatus',
Required permissions are: Action type: 'USER' Action group:
'CREATE_DISK' Object type: 'System'  Object ID:
'aaa00000-0000-0000-0000-123456789aaa'.


If one assigns the DiskCreator role System permission for the target
user then that user can upload ISOs without problem.  Unfortunately,
the user can upload ISOs - and create disks - in *all* data domains.

To re-iterate, is it possible to grant an end-user permission to
upload ISOs to specific data domains through the web interface without
granting an all-encompassing System permission?


Best wishes,
  Lloyd Kamara


References:
[The first two are included insofar as they concern ISO upload via web]
https://bugzilla.redhat.com/show_bug.cgi?id=1530730

https://bugzilla.redhat.com/show_bug.cgi?id=1536826

[This one is included because I wonder if the testing requests
includes the ability for users to upload ISOs via the web GUI, not
just attach existing ISOs in data domains to VMs]

https://bugzilla.redhat.com/show_bug.cgi?id=1058798

More information about the Users mailing list