Oved Ourfali has uploaded a new change for review.

Change subject: core: fix power user roles and GetAllVmPoolsAttachedToUser query
......................................................................

core: fix power user roles and GetAllVmPoolsAttachedToUser query

Assigning user roles to System/DC/Cluster can cause weird behavior, as
the user will be able to see all VMs under these objects, but when looking
at VM pools he won't be able to operate them.

In this patch we do the following:
1. Make the PowerUser role contain the following action groups (and change
the description accordingly):
* login
* create disk
* create VM
* create template

2. Mark it as "allow_viewing_children = false".
3. Fix the get pools query, to get the filtered pools from the correct
view.

Change-Id: I9acba40db76fbd5e8ffbeb1d615d4675b6903ccb
Signed-off-by: Oved Ourfali <oourf...@redhat.com>
---
M backend/manager/dbscripts/bookmarks_sp.sql
A backend/manager/dbscripts/upgrade/03_01_1390_update_power_user_role.sql
2 files changed, 14 insertions(+), 9 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/85/7985/1

diff --git a/backend/manager/dbscripts/bookmarks_sp.sql 
b/backend/manager/dbscripts/bookmarks_sp.sql
index 6420bb2..f11cbe1 100644
--- a/backend/manager/dbscripts/bookmarks_sp.sql
+++ b/backend/manager/dbscripts/bookmarks_sp.sql
@@ -95,15 +95,7 @@
 BEGIN
       RETURN QUERY SELECT DISTINCT pools.*
        FROM vm_pools_view pools
-       WHERE exists (
-               SELECT *
-               from permissions_view perms 
-               WHERE perms.object_id in (
-                       SELECT * from
-                       fn_get_entity_parents(pools.vm_pool_id,5))
-               and perms.ad_element_id in (
-                               SELECT id from getUserAndGroupsById(v_user_id))
-               and perms.role_type = 2);
+    INNER JOIN user_vm_pool_permissions_view ON user_id = v_user_id AND 
entity_id = pools.vm_pool_id;
 END; $procedure$
 LANGUAGE plpgsql;
 
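Review bot: the new INNER JOIN leaves `user_id` and `entity_id` unqualified while `pools` (vm_pools_view) is already in scope, so any column of that name on either side turns into an ambiguous column reference; alias the permissions view and qualify both columns, e.g. `INNER JOIN user_vm_pool_permissions_view perms ON perms.user_id = v_user_id AND perms.entity_id = pools.vm_pool_id`. The removed WHERE clause also expanded group membership through getUserAndGroupsById, walked parent objects through fn_get_entity_parents and restricted to role_type = 2, so please confirm that user_vm_pool_permissions_view already covers groups and inherited permissions and excludes admin roles; otherwise users holding the permission via a group or via the DC/cluster silently lose pools from this result. Keeping SELECT DISTINCT is still right, since a user with several matching permission rows would otherwise get duplicate pools.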
diff --git 
a/backend/manager/dbscripts/upgrade/03_01_1390_update_power_user_role.sql 
b/backend/manager/dbscripts/upgrade/03_01_1390_update_power_user_role.sql
new file mode 100644
index 0000000..851780f
--- /dev/null
+++ b/backend/manager/dbscripts/upgrade/03_01_1390_update_power_user_role.sql
@@ -0,0 +1,13 @@
+DELETE
+FROM roles_groups
+WHERE role_id = '00000000-0000-0000-0001-000000000002' -- PowerUser role
+AND action_group_id NOT IN (1300, -- LOGIN
+                            1, -- CREATE_VM
+                            200, -- CREATE_TEMPLATE
+                            1100 -- CREATE_DISK
+                           );
+
+UPDATE roles
+SET allows_viewing_children = false, description = 'User Role, allowed to 
create VMs, Templates and Disks'
+WHERE id = '00000000-0000-0000-0001-000000000002';
+
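Review bot: this upgrade script only deletes action groups from the PowerUser role and never inserts the four it is meant to keep, so on a deployment where the role currently lacks LOGIN (1300), CREATE_VM (1), CREATE_TEMPLATE (200) or CREATE_DISK (1100) the role ends up narrower than the new description promises; add an INSERT INTO roles_groups ... WHERE NOT EXISTS for each of the four ids so the script converges to the intended set regardless of the starting state. Also the commit message calls the flag allow_viewing_children while the UPDATE sets allows_viewing_children; align the message with the actual column name.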


--
To view, visit http://gerrit.ovirt.org/7985
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I9acba40db76fbd5e8ffbeb1d615d4675b6903ccb
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Oved Ourfali <oourf...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
