[ovirt-users] api access with poweruser role

It appears the filtered tag doesn't get set. I'll continue on the
foreman list from now.

2015-11-02 10:29:17,126 DEBUG
[org.ovirt.engine.core.bll.aaa.LoginUserCommand]
(ajp--127.0.0.1-8702-9) Found permission
fbcb73a0-226e-49d4-9e7a-01c665127a07 for user when running
LoginUser, on Bottom with id bbb00000-0000-0000-0000-123456789bbb
2015-11-02 10:29:17,128 DEBUG
[org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
(ajp--127.0.0.1-8702-9) Checking if user testuser is an admin,
result false
2015-11-02 10:29:17,129 INFO 
[org.ovirt.engine.core.bll.aaa.LoginUserCommand]
(ajp--127.0.0.1-8702-9) Running command: LoginUserCommand(LoginName
= null, ProfileName = netbulae.test, AuthRecord =
{Extkey[name=AAA_AUTHN_AUTH_RECORD_PRINCIPAL;type=class
java.lang.String;uuid=AAA_AUTHN_AUTH_RECORD_PRINCIPAL[c3498f07-11fe-464c-958c-8bd7490b119a];]=testuser},
IsAdmin = false, ActionType = LoginUser, AuthType = CREDENTIALS)
internal: false.
2015-11-02 10:29:17,132 TRACE
[org.ovirt.engine.core.bll.GetConfigurationValueQuery]
(ajp--127.0.0.1-8702-9) START, GetConfigurationValueQuery(version:
general, configuration value: ApplicationMode, refresh: false,
filtered: false), log id: 438b23b5
2015-11-02 10:29:17,134 TRACE
[org.ovirt.engine.core.bll.GetConfigurationValueQuery]
(ajp--127.0.0.1-8702-9) FINISH, GetConfigurationValueQuery, log id:
438b23b5
2015-11-02 10:29:17,134 TRACE
[org.ovirt.engine.core.bll.aaa.GetValueBySessionQuery]
(ajp--127.0.0.1-8702-9) START, GetValueBySessionQuery(refresh:
false, *filtered: false), *log id: 63d562b7
2015-11-02 10:29:17,135 TRACE
[org.ovirt.engine.core.bll.aaa.GetValueBySessionQuery]
(ajp--127.0.0.1-8702-9) FINISH, GetValueBySessionQuery, log id: 63d562b7
2015-11-02 10:29:17,136 TRACE
[org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9)
START, SearchQuery(search type: StoragePool, search pattern:
[Datacenter : ], case sensitive: true [from: 0, max: -1] refresh:
true, filtered: false), log id: 4e440f95
2015-11-02 10:29:17,138 ERROR
[org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9)
Query execution failed due to insufficient permissions.

I've updated Bug #6835: Unable to use RHEV/ovirt without admin permissions on the rhev cluster - Foreman

With kind regards,

Jorick Astrego

Netbulae Virtualization Experts

On 10/29/2015 03:58 PM, Ondra Machacek wrote:
>
> On 10/29/2015 03:56 PM, Ondra Machacek wrote:
>>
>> On 10/28/2015 11:29 AM, Jorick Astrego wrote:
>>>
>>> On 10/26/2015 03:14 PM, Jorick Astrego wrote:
>>>>
>>>> On 10/26/2015 02:57 PM, Ondra Machacek wrote:
>>>>>
>>>>> On 10/26/2015 02:53 PM, Jorick Astrego wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Currently I'm trying to add an ovirt compute resource in foreman
>>>>>> that is limited to the VM's of the user.
>>>>>>
>>>>>> When I give this user the PowerUser role, I cannot access the api:
>>>>>>
>>>>>> query execution failed due to insufficient permissions
>>>>>>
>>>>>
>>>>> Are you sending header 'Filter: true' with the request ?
>>>>> If your user is not admin(PowerUserRole is not admin role),
>>>>> you have to use this header.
>>>>>
>>>>
>>>
>>> Hmm, not much response on foreman-users..
>>>
>>> I checked the code of fog in my foreman install (
>>> /opt/rh/ruby193/root/usr/share/gems/gems/fog-1.32.0/lib/fog/ovirt/compute.rb
>>> ) and it appears to have the correct option merged:
>>>
>>> connection_opts[:filtered_api] =
>>> options[:ovirt_filtered_api]
>>>
>>> But I don't know what url the foreman actually generates, is there
>>> any way to capture the login string? I tried setting some DEBUG
>>> logging but don't get the output I'm looking for.
>>>
>>>
>> category="org.ovirt.engine.core.bll.aaa.LoginUserCommand">
>>>
>>>
>> category="org.ovirt.engine.api.restapi.resource.AbstractBackendResource">
>>>
>>>
>>
>> It depends what url foreman client access. But you can set:
>>
>>
>>
>> And then you will see what commands were queried with or without the
>> filtered API.
>>
>> 2015-10-29 15:45:45,436 TRACE
>> [org.ovirt.engine.core.bll.GetAllVmsQuery] (ajp-/127.0.0.1:8702-1) []
>> START, GetAllVmsQuery(VdcQueryParametersBase:{refresh='true',
>> filtered='true'}), log id: 53b3c8b9
>>
>> ^^ This is an example of running 'Filter: true' on /api/vms (you can see
>> filtered='true').
>
Tel: 053 20 30 270 	info@netbulae.eu 	Staalsteden 4-3A 	KvK 08198180
Fax: 053 20 30 271 	www.netbulae.eu 	7547 TA Enschede 	BTW NL821234584B01
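
The check discussed in this thread (look at the filtered flag on each query START line and see whether a non-admin session was then refused) can be run over engine.log automatically. The script below is an added example, not part of the original messages and not oVirt or Foreman code; the function names are hypothetical, and the sample records are the ones quoted in this thread, wrapped the way the mail wrapped them.

```python
import re

NEW_REC = r"\n(?=\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d)"   # a record starts at a timestamp
REC = re.compile(r"^\S+ \S+ \w+ \[[\w.]+\] \(([^)]+)\) (.*)$")
ADMIN = re.compile(r"Checking if user (\S+) is an admin, result (true|false)")
START = re.compile(r"START, (\w+)\(.*filtered[:=]\s*'?(true|false)")
DENIED = "Query execution failed due to insufficient permissions"

# Sample records taken from the excerpts quoted in this thread (both log formats).
SAMPLE = """\
2015-11-02 10:29:17,128 DEBUG [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
(ajp--127.0.0.1-8702-9) Checking if user testuser is an admin, result false
2015-11-02 10:29:17,136 TRACE [org.ovirt.engine.core.bll.SearchQuery]
(ajp--127.0.0.1-8702-9) START, SearchQuery(search type: StoragePool, search
pattern: [Datacenter : ], case sensitive: true [from: 0, max: -1] refresh: true,
filtered: false), log id: 4e440f95
2015-11-02 10:29:17,138 ERROR [org.ovirt.engine.core.bll.SearchQuery]
(ajp--127.0.0.1-8702-9) Query execution failed due to insufficient permissions.
2015-10-29 15:45:45,436 TRACE [org.ovirt.engine.core.bll.GetAllVmsQuery]
(ajp-/127.0.0.1:8702-1) [] START, GetAllVmsQuery(VdcQueryParametersBase:
{refresh='true', filtered='true'}), log id: 53b3c8b9
"""

def records(text):
    """Re-join wrapped lines into one normalised string per log record."""
    return [" ".join(chunk.split()) for chunk in re.split(NEW_REC, text)]

def analyze(text):
    """One dict per query START, correlated per worker thread."""
    admin, last, out = {}, {}, []
    for rec in records(text):
        m = REC.match(rec)
        if not m:
            continue
        thread, msg = m.groups()
        if a := ADMIN.search(msg):          # result of the login-time admin check
            admin[thread] = a.group(2) == "true"
        elif s := START.search(msg):        # query start carries the filtered flag
            last[thread] = {"query": s.group(1), "filtered": s.group(2) == "true",
                            "admin": admin.get(thread), "denied": False}
            out.append(last[thread])
        elif DENIED in msg and thread in last:
            last[thread]["denied"] = True   # refusal belongs to the last query
    return out

def missing_filter(findings):
    """Queries a non-admin ran unfiltered and that were then refused."""
    return [f["query"] for f in findings
            if f["admin"] is False and not f["filtered"] and f["denied"]]
```

A query listed by `missing_filter(analyze(log_text))` means the client reached the engine without the 'Filter: true' header for that request.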