Oved Ourfali has uploaded a new change for review.

Change subject: core: SuperUser of DataCenter X cannot approve a host under this Data Center
......................................................................
core: SuperUser of DataCenter X cannot approve a host under this Data Center

This patch addresses the issue above, where you need the following permissions when approving a host, each from another command that is run in this flow:

1. ChangeVdsCluster (as we change the cluster) - checks for EDIT_HOST_CONFIGURATION action group both on the host, and the destination cluster
2. UpdateVds (as we can edit other stuff as well) - checks for EDIT_HOST_CONFIGURATION action group on the host
3. ApproveVdsCommand - checks for CREATE_HOST action group on the host itself, the cluster, the DC, or System (as I wrote above).

This patch changes the requirement in #1 to include EDIT_HOST_CONFIGURATION on the host only if the host is NOT in a PendingApproval state, as in the PendingApproval state there might not be any permissions on the host, as the host is in the Default Cluster, and the user might not have permissions on it.

Change-Id: Ia59a51e4e3ebf184e0672a077b6dc0d16e60eb8e
Bug-Url: https://bugzilla.redhat.com/1090660
Signed-off-by: Oved Ourfali <oourf...@redhat.com>
---
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ChangeVDSClusterCommand.java
1 file changed, 12 insertions(+), 2 deletions(-)

git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/49/27349/1

diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ChangeVDSClusterCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ChangeVDSClusterCommand.java index 52b05d3..105895a 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ChangeVDSClusterCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ChangeVDSClusterCommand.java 
@@ -26,6 +26,8 @@ import org.ovirt.engine.core.common.businessentities.StoragePool; import org.ovirt.engine.core.common.businessentities.VDS; import org.ovirt.engine.core.common.businessentities.VDSGroup; +import org.ovirt.engine.core.common.businessentities.VDSStatus; +import org.ovirt.engine.core.common.businessentities.VdsDynamic; import org.ovirt.engine.core.common.businessentities.VdsStatic; import org.ovirt.engine.core.common.businessentities.network.Network; import org.ovirt.engine.core.common.businessentities.network.VdsNetworkInterface; 
@@ -287,8 +289,16 @@ @Override public List<PermissionSubject> getPermissionCheckSubjects() { - List<PermissionSubject> permissionList = new ArrayList<PermissionSubject>(2); - permissionList.add(new PermissionSubject(getParameters().getVdsId(), VdcObjectType.VDS, getActionType().getActionGroup())); + List<PermissionSubject> permissionList = new ArrayList<PermissionSubject>(); + VdsDynamic vdsDynamic = getVds().getDynamicData(); + + // If the state of the host is PendingApproval then we just check if the user has a permission on the destination cluster + // Otherwise we require adding this permission both on the host and on the cluster, and it is not really needed + // in order to approve a host + if (vdsDynamic != null && !VDSStatus.PendingApproval.equals(vdsDynamic.getStatus())) { + permissionList.add(new PermissionSubject(getParameters().getVdsId(), VdcObjectType.VDS, getActionType().getActionGroup())); + } + permissionList.add(new PermissionSubject(getParameters().getClusterId(), VdcObjectType.VdsGroups, getActionType().getActionGroup())); List<PermissionSubject> unmodifiableList = Collections.unmodifiableList(permissionList); return unmodifiableList;
--
To view, visit http://gerrit.ovirt.org/27349

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia59a51e4e3ebf184e0672a077b6dc0d16e60eb8e
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: ovirt-engine-3.4
Gerrit-Owner: Oved Ourfali <oourf...@redhat.com>
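
Review bot: In the second hunk (getPermissionCheckSubjects), the condition `vdsDynamic != null && !VDSStatus.PendingApproval.equals(vdsDynamic.getStatus())` skips the host-level permission subject whenever the dynamic data is null, not only when the host is in PendingApproval, so an unknown host status fails open. Suggest adding the host subject unless the status is positively PendingApproval, for example `vdsDynamic == null || !VDSStatus.PendingApproval.equals(vdsDynamic.getStatus())`. The new line `getVds().getDynamicData()` also dereferences `getVds()` with no null check; whether it can return null for an unknown host id is not visible in this hunk, so either guard it or confirm that it cannot. Finally, the relaxed check is keyed on host status alone, so it applies to any invocation of this command against a PendingApproval host and not just the approve flow described in the commit message; with this change EDIT_HOST_CONFIGURATION on the destination cluster is the only subject checked for such a host. The code comment should state that explicitly (as written, the "Otherwise" sentence reads as if it describes the non-pending branch), and a unit test covering both host states would pin the behaviour down.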