[ovirt-users] ISO uploading from GUI/REST with user permissions

Michal Skrivanek michal.skrivanek at redhat.com
Fri Apr 6 09:17:31 UTC 2018



> On 3 Apr 2018, at 15:23, Lloyd Kamara <l.kamara at imperial.ac.uk> wrote:
> 
> Dear Sir/Madam,
> 
> The ability to upload ISOs through the web interface and boot
> VMs from them is a welcome addition in oVirt release 4.2.2.
> I am grateful to the people behind the implementation of this.
> 
> Consider a scenario in which you wish to allow *end-users*
> to upload ISOs to one or more Data Domains.  The users can
> then use the uploaded ISOs to boot their VMs.
> 
> Is it possible to grant a user permission to upload ISOs through
> the web interface?  I tried to to this under oVirt release 4.2.2
> by doing the following:
> 
> - adding the 'SuperUser' role to a target user for a specific
> Data Domain, which enables the user to log onto the Administration Portal.
> 
> - adding the 'DiskCreator' role to the same target user for the
> same Data Domain, which, I would hope, would allow the user to
> both create disks and upload ISOs within that Data Domain.
> 
> Disk creation in the Data Domain for the target user works as expected;
> ISO upload does not.  A dialog appears with the message: 'Operation
> Canceled  Error while executing action: User is not authorized to
> perform this action.'
> 
> Here is the message that appears in /var/log/ovirt-engine/engine.log
> when an attempt at uploading an ISO is made by the target user:
> 
> 
> INFO
> [org.ovirt.engine.core.bll.storage.disk.image.TransferImageStatusCommand]
> (default task-40) [5b3fef06-49c8-4c34-81a3-a20fa691709a] No permission
> found for user 'a9fde4c3-97a3-4494-84f8-08041a16710c' or one of the
> groups he is member of, when running action 'TransferImageStatus',
> Required permissions are: Action type: 'USER' Action group:
> 'CREATE_DISK' Object type: 'System'  Object ID:
> 'aaa00000-0000-0000-0000-123456789aaa'.
> 
> 
> If one assigns the DiskCreator role System permission for the target
> user then that user can upload ISOs without problem.  Unfortunately,
> the user can upload ISOs - and create disks - in *all* data domains.
> 
> To re-iterate, is it possible to grant an end-user permission to
> upload ISOs to specific data domains through the web interface without
> granting an all-encompassing System permission?

it does sound like a bug to me. Can you open one with those details?
https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine <https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine>

Thanks,
michal
> 
> 
> Best wishes,
>  Lloyd Kamara
> 
> 
> References:
> [The first two are included insofar as they concern ISO upload via web]
> https://bugzilla.redhat.com/show_bug.cgi?id=1530730
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1536826
> 
> [This one is included because I wonder if the testing requests
> includes the ability for users to upload ISOs via the web GUI, not
> just attach existing ISOs in data domains to VMs]
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1058798
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20180406/8c7dc450/attachment.html>


More information about the Users mailing list