<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 10/29/2015 03:58 PM, Ondra Machacek
wrote:<br>
</div>
<blockquote cite="mid:563233FE.1020708@redhat.com" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<br>
<br>
<div class="moz-cite-prefix">On 10/29/2015 03:56 PM, Ondra
Machacek wrote:<br>
</div>
<blockquote cite="mid:56323394.8050800@redhat.com" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<br>
<br>
<div class="moz-cite-prefix">On 10/28/2015 11:29 AM, Jorick
Astrego wrote:<br>
</div>
<blockquote cite="mid:5630A36D.6000202@netbulae.eu" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<br>
<br>
<div class="moz-cite-prefix">On 10/26/2015 03:14 PM, Jorick
Astrego wrote:<br>
</div>
<blockquote cite="mid:562E355D.4030201@netbulae.eu"
type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<br>
<br>
<div class="moz-cite-prefix">On 10/26/2015 02:57 PM, Ondra
Machacek wrote:<br>
</div>
<blockquote cite="mid:562E3143.4010600@redhat.com"
type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<br>
<br>
<div class="moz-cite-prefix">On 10/26/2015 02:53 PM,
Jorick Astrego wrote:<br>
</div>
<blockquote cite="mid:562E3075.5050203@netbulae.eu"
type="cite">
<meta http-equiv="content-type" content="text/html;
charset=windows-1252">
Hi,<br>
<br>
Currently I'm trying to add an ovirt compute resource in
forman that is limited to the VM's of the user. <br>
<br>
When I give this user the PowerUser role, I cannot
access the api:<br>
<br>
<blockquote>query execution failed due to insufficient
permissions<br>
</blockquote>
</blockquote>
<br>
Are you sending header 'Filter: true' with the request ?<br>
If your user is not admin(PowerUserRole is not admin
role),<br>
you have to use this header.<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
Hmm, not much response on foreman-users.. <br>
<br>
I checked the code of fog in my foreman install (
/opt/rh/ruby193/root/usr/share/gems/gems/fog-1.32.0/lib/fog/ovirt/compute.rb
) and it appears to have the correct option merged:<br>
<br>
<blockquote> connection_opts[:filtered_api] =
options[:ovirt_filtered_api]<br>
<br>
<br>
</blockquote>
But I don't know what url the foreman actually generates, is
there any way to capture the login string? I tried setting
some DEBUG logging but don't get the output I'm looking for.<br>
<br>
<blockquote> <logger
category="org.ovirt.engine.core.bll.SearchQuery"><br>
<level name="DEBUG"/><br>
</logger><br>
<logger
category="org.ovirt.engine.core.bll.aaa.LoginUserCommand"><br>
<level name="DEBUG"/><br>
</logger><br>
<logger
category="org.ovirt.engine.api.restapi.resource.AbstractBackendResource"><br>
<level name="DEBUG"/><br>
</logger><br>
<br>
</blockquote>
<br>
</blockquote>
<br>
It depends what url foreman client access. But you can set:<br>
<br>
<logger category="org.ovirt.engine.core.bll"><br>
<level name="ALL"/><br>
</logger><br>
<br>
And then you will see what commands was queried with or without
the filtered API.<br>
<br>
2015-10-29 15:45:45,436 TRACE
[org.ovirt.engine.core.bll.GetAllVmsQuery]
(ajp-/127.0.0.1:8702-1) [] START,
GetAllVmsQuery(VdcQueryParametersBase:{refresh='true',
filtered='true'}), log id: 53b3c8b9<br>
<br>
^^ This is example of running 'Filter: true' on /api/vms (you
can see filtered='true').<br>
</blockquote>
<br>
</blockquote>
<br>
<br>
It appears the filtered tag doesn't get set. I'll continue on the
foreman list from now.<br>
<blockquote>2015-11-02 10:29:17,126 DEBUG
[org.ovirt.engine.core.bll.aaa.LoginUserCommand]
(ajp--127.0.0.1-8702-9) Found permission
fbcb73a0-226e-49d4-9e7a-01c665127a07 for user when running
LoginUser, on Bottom with id bbb00000-0000-0000-0000-123456789bbb<br>
2015-11-02 10:29:17,128 DEBUG
[org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
(ajp--127.0.0.1-8702-9) Checking if user testuser is an admin,
result false<br>
2015-11-02 10:29:17,129 INFO
[org.ovirt.engine.core.bll.aaa.LoginUserCommand]
(ajp--127.0.0.1-8702-9) Running command:
LoginUserCommand(LoginName = null, ProfileName = netbulae.test,
AuthRecord =
{Extkey[name=AAA_AUTHN_AUTH_RECORD_PRINCIPAL;type=class
java.lang.String;uuid=AAA_AUTHN_AUTH_RECORD_PRINCIPAL[c3498f07-11fe-464c-958c-8bd7490b119a];]=testuser},
IsAdmin = false, ActionType = LoginUser, AuthType = CREDENTIALS)
internal: false.<br>
2015-11-02 10:29:17,132 TRACE
[org.ovirt.engine.core.bll.GetConfigurationValueQuery]
(ajp--127.0.0.1-8702-9) START, GetConfigurationValueQuery(version:
general, configuration value: ApplicationMode, refresh: false,
filtered: false), log id: 438b23b5<br>
2015-11-02 10:29:17,134 TRACE
[org.ovirt.engine.core.bll.GetConfigurationValueQuery]
(ajp--127.0.0.1-8702-9) FINISH, GetConfigurationValueQuery, log
id: 438b23b5<br>
2015-11-02 10:29:17,134 TRACE
[org.ovirt.engine.core.bll.aaa.GetValueBySessionQuery]
(ajp--127.0.0.1-8702-9) START, GetValueBySessionQuery(refresh:
false, <b>filtered: false), </b>log id: 63d562b7<br>
2015-11-02 10:29:17,135 TRACE
[org.ovirt.engine.core.bll.aaa.GetValueBySessionQuery]
(ajp--127.0.0.1-8702-9) FINISH, GetValueBySessionQuery, log id:
63d562b7<br>
2015-11-02 10:29:17,136 TRACE
[org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9)
START, SearchQuery(search type: StoragePool, search pattern:
[Datacenter : ], case sensitive: true [from: 0, max: -1] refresh:
true, filtered: false), log id: 4e440f95<br>
2015-11-02 10:29:17,138 ERROR
[org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9)
Query execution failed due to insufficient permissions.<br>
</blockquote>
I've updated <a class="moz-txt-link-freetext" href="http://projects.theforeman.org/issues/6835">http://projects.theforeman.org/issues/6835</a><br>
<br>
<BR />
<BR />
<b style="color:#604c78"></b><br><br><span style="color:#604c78;"><font color="000000"><span style="mso-fareast-language:en-gb;" lang="NL">Met vriendelijke groet, With kind regards,<br><br>Jorick Astrego<br></span></font></span><b style="color:#604c78"><br>Netbulae Virtualization Experts </b><br><hr style="border:none;border-top:1px solid #ccc;"><table style="width: 522px"><tbody><tr><td style="width: 130px;font-size: 10px">Tel: 053 20 30 270</td> <td style="width: 130px;font-size: 10px">info@netbulae.eu</td> <td style="width: 130px;font-size: 10px">Staalsteden 4-3A</td> <td style="width: 130px;font-size: 10px">KvK 08198180</td></tr><tr> <td style="width: 130px;font-size: 10px">Fax: 053 20 30 271</td> <td style="width: 130px;font-size: 10px">www.netbulae.eu</td> <td style="width: 130px;font-size: 10px">7547 TA Enschede</td> <td style="width: 130px;font-size: 10px">BTW NL821234584B01</td></tr></tbody></table><br><hr style="border:none;border-top:1px solid #ccc;"><BR />
</body>
</html>