Thank you! This has solved the issue.
Just to note that we make use of the oVirt API extensively, and until
now having filter=true hasn't stopped us from managing snapshots, nics,
disks, starting/stopping VMs, getting consoles, etc, etc, so it does seem
to be somewhat inconsistent behaviour. Perhaps this also explains why we
found the snapshot APIs raise exceptions that we found we can ignore,
since the operations actually succeed?
The same user account has not always had admin roles, so filter=true
used to be required for our use-cases.
Thanks again, Ondra. Much appreciated.
Cheers,
Cliffe.
On 27/11/2018 15:36, Ondra Machacek wrote:
So both of the user's roles are administrative,
so please try to remove the following line in your script:
> conn_attr[:headers] = {'Filter' => true }
This should be used only with roles which are not administrative,
like UserVmManager, etc.
On 11/27/18 1:21 PM, Staniforth, Paul wrote:
> The user also has AffinityGroupManager role for the cluster this role
> has permission Manipulate Affinity Groups.
>
> It is the same account that works when using the python SDK
>
> 2018-11-27 11:36:50,791Z INFO
> [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default
> task-5237) [b225cdb] Running command: CreateUserSessionCommand
> internal: false.
> 2018-11-27 11:36:50,988Z INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-5229) [21e2d0fe] EVENT_ID: USER_VDC_LOGIN(30), User
> secgen@internal-authz connecting from 'x.x.x.x' using session
> 'mT2aF7+FziRwE3ZZ29y7y2QHidDX4aAquc5fwo5swyLVMxufAyF26JbmDNeN9ylob1+zSSH9JWu4bBDt2wdHGw=='
> logged in.
> 2018-11-27 11:36:51,081Z INFO
> [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default
> task-5233) [] User xxxx@internal successfully logged in with scopes:
> ovirt-app-api ovirt-ext=token-info:authz-search
> ovirt-ext=token-info:public-authz-search
> ovirt-ext=token-info:validate ovirt-ext=token:passw..d-access
> 2018-11-27 11:36:51,154Z INFO
> [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default
> task-5233) [1d0e61f8] Running command: CreateUserSessionCommand
> internal: false.
> 2018-11-27 11:36:51,604Z INFO
> [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand]
> (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] No
> permission found for user 'd5b7e8f0-603e-47c5-a420-1f5f6834aa02' or
> one of the groups he is member of, when running action
> 'AddAffinityGroup', Required permissions are: Action type: 'ADMIN'
> Action group: 'MANIPULATE_AFFINITY_GROUPS' Object type: 'Cluster'
> Object ID: 'beac8771-1dbc-4046-99b1-c17d072fb27f'.
> 2018-11-27 11:36:51,604Z WARN
> [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand]
> (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] Validation
> of action 'AddAffinityGroup' failed for user xxxx@internal-authz.
> Reasons:
> VAR__TYPE__AFFINITY_GROUP,VAR__ACTION__ADD,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2018-11-27 11:36:51,606Z ERROR
> [org.ovirt.engine.api.restapi.resource.AbstractBackendResource]
> (default task-5233) [] Operation Failed: [User is not authorized to
> perform this action.]
>
> Regards,
> Paul S.
>
>
> ________________________________
> From: Schreuders, Cliffe
> Sent: 27 November 2018 11:55
> To: Ondra Machacek; Staniforth, Paul
> Cc: Andrej Krejcir; users; Shaw, Thomas
> Subject: Re: [ovirt-users] AffinityGroup API
>
> Hi Ondra,
>
> Thanks. Here is a sample script that illustrates the problem. The
> same error occurs when adding a VM to an existing affinity group.
>
> Sample code:
> require 'ovirtsdk4'
>
> # Connection settings (URL and credentials redacted).
> conn_attr = {}
> conn_attr[:url] = 'https://XXXX/ovirt-engine/api'
> conn_attr[:username] = 'XXXX'
> conn_attr[:password] = 'XXXX'
> conn_attr[:debug] = true
> # Sends the 'Filter: true' header with every request.
> conn_attr[:headers] = {'Filter' => true }
>
> ovirt_connection = OvirtSDK4::Connection.new(conn_attr)
> vms_service = ovirt_connection.system_service.vms_service
> clusters_service = ovirt_connection.system_service.clusters_service
> cluster = clusters_service.list(search: 'name=Default')[0]
> cluster_service = clusters_service.cluster_service(cluster.id)
> cluster_affinitygroups_service = cluster_service.affinity_groups_service
>
> begin
>   affinity_group_name = "affinity_group_test123"
>   puts "Creating affinity group: #{affinity_group_name}"
>
>   # Create a positive, enforcing VM affinity group in the cluster.
>   cluster_affinitygroups_service.add(OvirtSDK4::AffinityGroup.new(
>     name: affinity_group_name,
>     description: 'a description',
>     vms_rule: OvirtSDK4::AffinityRule.new(
>       enabled: true,
>       positive: true,
>       enforcing: true
>     )
>   ))
> rescue StandardError => e
>   warn "Failed to create affinity group"
>   warn e.message
> end
>
> Output:
> cliffe@office:~/Code/ovirt_scripts$ ruby add_affinity_group.rb
> Creating affinity group: affinity_group_test123
> Failed to create affinity group
> Fault reason is "Operation Failed". Fault detail is "[User is not
> authorized to perform this action.]". HTTP response code is 400.
>
> The user has ReadOnlyAdmin permissions.
>
> I would be happy to be told if I'm doing something wrong here, I
> didn't find any ruby examples that worked with affinity groups.
>
> Paul could you please provide the engine.log entries? Thanks.
>
> Cheers,
>
> Cliffe.
>
> On 27/11/2018 10:04, Ondra Machacek wrote:
> Can you please share the script? And also what's the permission of the
> user you are executing the script.
>
> When you see the error 'User is not authorized to perform the action', we print
> in engine.log what exactly is wrong, meaning we print what permissions
> the user is missing in order to execute that action. So it may help you
> find out what's wrong as well.
>
> On 11/26/18 5:35 PM, Schreuders, Cliffe wrote:
> Yes, the related issue we came across was that when using the Ruby gem,
> assigning a VM to an Affinity Group raises an exception that states the
> User is not authorized to perform the action; however, using the same
> account works fine from the Admin portal and carrying out the exact same
> steps via the Python SDK works as expected. The end result is that we
> ended up calling a Python script from our Ruby code just to set the
> affinity group.
>
> Thanks, Paul.
>
> On 26/11/2018 12:11, Staniforth, Paul wrote:
> Hi Andrej
>
> I believe they are using 4.2.5; they get a permission error although
> they can use the python SDK with the same account.
>
> Paul S.
> ________________________________________
> From: Ondra Machacek <omachace@redhat.com>
> Sent: 26 November 2018 11:41
> To: Staniforth, Paul
> Cc: Andrej Krejcir; users
> Subject: Re: [ovirt-users] AffinityGroup API
>
> What version of the SDK do you use?
> I can see it's supported in latest version.
>
> On 11/26/18 11:13 AM, Andrej Krejcir wrote:
> Hi,
>
> I don't know much about ruby SDK. I think the SDKs for various languages
> are generated from the API specification.
>
> Ondra, is this a bug in ruby SDK?
>
>
> Andrej
>
> On Fri, 23 Nov 2018 at 18:06, Staniforth, Paul
> <P.Staniforth@leedsbeckett.ac.uk> wrote:
>
> Hello Andrej,
>
> Also the Affinity Groups apparently aren't available in the Ruby SDK,
> should I add this to the bug report?
>
>
> Thanks,
>
> Paul S.
> ------------------------------
> *From:* Andrej Krejcir <akrejcir@redhat.com>
> *Sent:* 21 November 2018 13:32
> *To:* Staniforth, Paul
> *Cc:* users
> *Subject:* Re: [ovirt-users] AffinityGroup API
>
> Hi,
>
> Yes, the AffinityGroupHosts is missing. Can you please open a bug[1]
> so we can add it?
>
> As a workaround, the hosts can be modified by PUT request to the
> AffinityGroup endpoint directly, for example:
>
> PUT /ovirt-engine/api/clusters/1234/affinitygroups/5678
> <affinity_group>
>   <hosts>
>     <host id="123456789"/>
>     <host id="987654321"/>
>   </hosts>
> </affinity_group>
>
> However, this will replace all hosts in the affinity group with the
> hosts listed.
>
>
> Best regards,
> Andrej
>
>
> [1] - https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine
>
> On Wed, 21 Nov 2018 at 13:26, <p.staniforth@leedsbeckett.ac.uk> wrote:
>
> Hello,
> When using the API to update an AffinityGroup there is an
> AffinityGroupVm and AffinityGroupVms so I can add or remove VMs, but
> there is no AffinityGroupHost or AffinityGroupHosts, therefore I can't
> add or remove hosts.
>
> Thanks,
> Paul S.
> To view the terms under which this email is distributed, please go to:-
>
http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html
>
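
Added example, not part of the original thread or of oVirt's code: a small Ruby parser for the engine.log entries quoted above. It pulls out which permission was missing for a denied action and joins it to the login name from the WARN entry with the same correlation id. The helper name `authorization_denials` is hypothetical, and one log entry per line is assumed (the mail client's wrapping is undone in the sample).

```ruby
# Constructed input: engine.log entries quoted in this thread, re-joined so
# that each entry sits on one line (assumption about the on-disk format).
SAMPLE_ENGINE_LOG = <<~LOG
  2018-11-27 11:36:51,154Z INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5233) [1d0e61f8] Running command: CreateUserSessionCommand internal: false.
  2018-11-27 11:36:51,604Z INFO [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] No permission found for user 'd5b7e8f0-603e-47c5-a420-1f5f6834aa02' or one of the groups he is member of, when running action 'AddAffinityGroup', Required permissions are: Action type: 'ADMIN' Action group: 'MANIPULATE_AFFINITY_GROUPS' Object type: 'Cluster' Object ID: 'beac8771-1dbc-4046-99b1-c17d072fb27f'.
  2018-11-27 11:36:51,604Z WARN [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] Validation of action 'AddAffinityGroup' failed for user xxxx@internal-authz. Reasons: VAR__TYPE__AFFINITY_GROUP,VAR__ACTION__ADD,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
LOG

# INFO entry that names the permission the caller lacked.
DENIAL = /
  ^(?<time>\S+\s\S+)\s+INFO\s+\[(?<logger>[^\]]+)\]\s+\([^)]*\)\s+\[(?<correlation>[^\]]*)\]\s+
  No\spermission\sfound\sfor\suser\s'(?<user_id>[^']+)'.*?
  when\srunning\saction\s'(?<action>[^']+)',\s+Required\spermissions\sare:\s+
  Action\stype:\s'(?<action_type>[^']+)'\s+Action\sgroup:\s'(?<action_group>[^']+)'\s+
  Object\stype:\s'(?<object_type>[^']+)'\s+Object\sID:\s'(?<object_id>[^']+)'
/x

# WARN entry with the same correlation id; it carries the login name.
VALIDATION = /\[(?<correlation>[^\]]*)\] Validation of action '[^']+' failed for user (?<user>\S+?)\. Reasons: (?<reasons>\S+)/

# Returns one hash per denied action. 'user' is nil when no matching WARN
# entry was found for that correlation id.
def authorization_denials(log_text)
  users = {}
  log_text.each_line do |line|
    m = VALIDATION.match(line)
    users[m[:correlation]] = m[:user] if m
  end
  log_text.each_line.filter_map do |line|
    m = DENIAL.match(line)
    next unless m
    m.named_captures.merge('user' => users[m[:correlation]])
  end
end

if __FILE__ == $PROGRAM_NAME
  authorization_denials(SAMPLE_ENGINE_LOG).each do |d|
    puts "#{d['time']} #{d['user'] || d['user_id']} denied #{d['action']}: " \
         "needs #{d['action_type']}/#{d['action_group']} on #{d['object_type']} #{d['object_id']}"
  end
end
```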
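
Added example, not part of the original thread: because the PUT workaround described by Andrej replaces every host in the affinity group, a client has to send the complete host list each time. This Ruby sketch builds that body from the group's current representation plus the hosts to add or remove. The shape of the GET response, the sample ids and the helper names are assumptions; only the PUT body layout comes from the thread.

```ruby
require 'rexml/document'

# Constructed sample of what a GET on the affinity group is assumed to return.
CURRENT_GROUP_XML = <<~XML
  <affinity_group id="5678">
    <name>db_hosts</name>
    <hosts>
      <host id="123456789"/>
      <host id="987654321"/>
    </hosts>
  </affinity_group>
XML

# Host ids currently listed in an affinity group representation.
def current_host_ids(group_xml)
  doc = REXML::Document.new(group_xml)
  REXML::XPath.match(doc, '/affinity_group/hosts/host')
              .map { |host| host.attributes['id'] }
              .compact
end

# Builds the PUT body with the full host list: (current + add) - remove.
# Sending only the new host would drop the existing ones, as the thread warns.
def affinity_group_put_body(group_xml, add: [], remove: [])
  ids = (current_host_ids(group_xml) | add) - remove
  doc = REXML::Document.new
  hosts = doc.add_element('affinity_group').add_element('hosts')
  ids.each { |id| hosts.add_element('host', { 'id' => id }) }
  body = +''
  doc.write(body)
  body
end

if __FILE__ == $PROGRAM_NAME
  # Add one host (constructed id) while keeping the two already present.
  puts affinity_group_put_body(CURRENT_GROUP_XML, add: ['555000111'])
end
```

The read and the write are two separate requests, so a change made by someone else in between is overwritten by the PUT.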