[Engine-devel] Permissions involved in using REST API

Oved Ourfalli ovedo at redhat.com
Thu Nov 7 08:26:42 UTC 2013



----- Original Message -----
> From: "Jonathan Daugherty" <jtd at galois.com>
> To: engine-devel at ovirt.org
> Cc: "Trevor Elliott" <trevor at galois.com>
> Sent: Thursday, November 7, 2013 1:34:01 AM
> Subject: [Engine-devel] Permissions involved in using REST API
> 
> Hi all,
> 
> I'm interested in setting up a non-administrative user account to be
> used to access the oVirt REST API.  I have a user who is testing this
> functionality by integrating some Vagrant-related software to talk to
> oVirt.  The user's oVirt account is a non-admin account with enough
> privileges to create and modify VMs on one of my clusters.
> 
> What we found is that the account is unable to make requests to, say,
> 
>   /api/vms
> 
> (he gets 401 or 404 responses) and instead gets a response indicating
> that the account has "insufficient permissions."  My engine.log says of
> the access only this:
> 
>   2013-11-06 14:50:28,158 ERROR
>   [org.ovirt.engine.api.restapi.resource.AbstractBackendResource]
>   (ajp--127.0.0.1-8702-13) Operation Failed: query execution faile
>   d due to insufficient permissions.
> 
> and in server.log I have see Java tracebacks involving this[1]:
> 
>   2013-11-06 14:50:28,159 WARN
>   [org.jboss.resteasy.core.SynchronousDispatcher]
>   (ajp--127.0.0.1-8702-13) failed to execute:
>   org.ovirt.engine.api.restapi.resource.BaseBackendResource$WebFaultException
> 
> Later we found that assigning an Admin role to the user's account at the
> data center level with no permissions enabled permitted API access.  So
> the user was able to make requests to /api/ URLs and get data and was
> able to log into the oVirt administration portal but was unable to take
> further action.
> 
> So my questions are:
> 
>  - Is this expected behavior?  Is there some smaller (less permissive)
>    change in privileges I can use to bring about the same behavior?
> 

Yes. That's the expected behavior. However, when accessing the API you can set the "filter" header parameter to "true", and that will get you to the user-level API.
Let me know if you need technical assistance with that.

>  - Is there some place where such behavior is documented?  I couldn't
>    find any.  The documentation on permissions on the RHEV docs only
>    mentions the overall impact of using specific roles and permissions
>    and says nothing about API access consequences or "Admin" roles with
>    no permissions.
> 

Unfortunately I didn't find any documentation on that on the ovirt wiki.
Michael - do you know if such documentation exists somewhere?


> My initial assumption was that any user with credentials would be able
> to make API requests, but that the corresponding API responses would be
> filtered based on what the user had privileges to see just as with the
> User Portal.
> 
> Thanks!
> 
> [1] A full trace can be found at http://pastebin.com/czcfQkYL
> 
> --
>   Jonathan Daugherty
>   Software Engineer
>   Galois, Inc.
> _______________________________________________
> Engine-devel mailing list
> Engine-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/engine-devel
> 



More information about the Engine-devel mailing list