[Engine-devel] Permissions involved in using REST API

Jonathan Daugherty jtd at galois.com
Wed Nov 6 23:34:01 UTC 2013 

Hi all,

I'm interested in setting up a non-administrative user account to be
used to access the oVirt REST API.  I have a user who is testing this
functionality by integrating some Vagrant-related software to talk to
oVirt.  The user's oVirt account is a non-admin account with enough
privileges to create and modify VMs on one of my clusters.

What we found is that the account is unable to make requests to, say,

  /api/vms

(he gets 401 or 404 responses) and instead gets a response indicating
that the account has "insufficient permissions."  My engine.log says of
the access only this:

  2013-11-06 14:50:28,158 ERROR
  [org.ovirt.engine.api.restapi.resource.AbstractBackendResource]
  (ajp--127.0.0.1-8702-13) Operation Failed: query execution faile
  d due to insufficient permissions.

and in server.log I have see Java tracebacks involving this[1]:

  2013-11-06 14:50:28,159 WARN
  [org.jboss.resteasy.core.SynchronousDispatcher]
  (ajp--127.0.0.1-8702-13) failed to execute:
  org.ovirt.engine.api.restapi.resource.BaseBackendResource$WebFaultException

Later we found that assigning an Admin role to the user's account at the
data center level with no permissions enabled permitted API access.  So
the user was able to make requests to /api/ URLs and get data and was
able to log into the oVirt administration portal but was unable to take
further action.

So my questions are:

 - Is this expected behavior?  Is there some smaller (less permissive)
   change in privileges I can use to bring about the same behavior?

 - Is there some place where such behavior is documented?  I couldn't
   find any.  The documentation on permissions on the RHEV docs only
   mentions the overall impact of using specific roles and permissions
   and says nothing about API access consequences or "Admin" roles with
   no permissions.

My initial assumption was that any user with credentials would be able
to make API requests, but that the corresponding API responses would be
filtered based on what the user had privileges to see just as with the
User Portal.

Thanks!

[1] A full trace can be found at http://pastebin.com/czcfQkYL

-- 
  Jonathan Daugherty
  Software Engineer
  Galois, Inc.

More information about the Devel mailing list