Re: [Users] Authentication for REST APIs?

--Apple-Mail=_FBAAF558-58A9-43D9-B460-DA3E9D65E32B Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=iso-8859-1 =46rom the about box in the admin web app: oVirt Engine Version: 3.1.0-2.fc17 The curl command I send is: curl --cacert $CA_FILE -X GET -H "Filter: true" -u user@domain:password = https://$OVIRT/api/vms > uservms.xml=20 The output when my user's group has a DOMAIN_ADMIN role contains the xml = for the VMs. The output when the user's group has either a power user or = a regular user role contains the error response with a 401 unauthorized = error. I had lots of fun getting this server set up so it is possible I made a = mistake during installation, but it seems pretty functional right now. = Everything seems to be working but I haven't been able to to test out = how/if I can connect a new, non-portal client without having to add new = servlets. Brian On Oct 2, 2012, at 9:57 AM, Itamar Heim wrote: anything. If the user account is not an admin account, I get a 401 = status result. So my question still stands, can the REST API be used by = a mere, non-admin "mortal" or is it only for administrative functions? managed by ovirt. I can't use the user portal app. So I was trying to = use the REST APIs on behalf of a normal, non-admin user to get the list = of the authenticating user's VMs and their connection information. >=20 >=20 >>=20 >> Brian >>=20 >> On Oct 2, 2012, at 2:15 AM, Itamar Heim wrote: >>=20 >>> On 10/02/2012 06:28 AM, Brian Vetter wrote: >>>> I've done two different things. First, I associated one of my = groups in my directory with being a VMUser which gave members access to = a particular VM. If I login with one of those users via the User portal, = I can see their VM (or VMs if I do more than one). If I use the REST API = (or ovirt-shell) using this user's account and password, I get an = unauthorized error. role. If I add this other user to that group, when I login with that = user via the user portal, I see the advanced portal. If I use the = REST-API (using curl) or ovirt-shell and use the user's login = information, I now am authorized and see a list of VMs returned as XML = (in the case of curl). to the user that logged in. So this makes me think that either the REST = API for getting the APIs as suggested by the article is an = administrative API and there is either (a) a different rest API/uri that = returns the logged in user's vms (the list that would be returned to the = portal) or (b) no way to get a particular user's list of VMs = authenticated as the user. mode" via the filter header. http://[servername]:PORT/api/vms view the VMs? other user will require to have a proper permissions in order to view = these VMs information. I found that the REST APIs always returned an = authentication error if the account I had logged into was not an ovirt = administrator. I am guessing that either (a) I am using the wrong URL in = the REST api or (b) you must be some kind of admin to access the REST = APIs. I noticed the same behavior when I was using the ovirt-shell tool. http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal = to get the list of VMs (presumably for the user that is logging in), I = get an unauthorized error. If the user account I login with in the curl = or ovirt-shell connect statement is an admin, I get the list of VMs. am I using a url that requires admin privileges whereas some others = don't. And if it is the latter, is there somewhere that documents the = various rest api resources? For example, to go back to the "How to = connect to Spice console ..." article, how would one use the REST API to = fetch one's virtual machines, their status, and connection info for = them? --Apple-Mail=_FBAAF558-58A9-43D9-B460-DA3E9D65E32B Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=iso-8859-1 <html><head></head><body style=3D"word-wrap: break-word; = -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; = "><div><blockquote type=3D"cite"><div>3.1 added support for non admin to = use the api.<br>i.e., this should work.<br>which specific version are = you using?<br></div></blockquote><br></div>=46rom the about box in the = admin web app:<div><br></div><blockquote = class=3D"webkit-indent-blockquote" style=3D"margin: 0 0 0 40px; border: = none; padding: 0px;"><div><span class=3D"gwt-InlineLabel" style=3D"color: = rgb(0, 0, 0); font-family: 'Arial Unicode MS', Arial, sans-serif; = font-style: normal; font-variant: normal; font-weight: normal; = letter-spacing: normal; line-height: normal; orphans: 2; text-align: = -webkit-center; text-indent: 0px; text-transform: none; white-space: = normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; = -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); = ">oVirt Engine Version:</span><span style=3D"color: rgb(0, 0, 0); = font-family: 'Arial Unicode MS', Arial, sans-serif; font-style: normal; = font-variant: normal; font-weight: normal; letter-spacing: normal; = line-height: normal; orphans: 2; text-align: -webkit-center; = text-indent: 0px; text-transform: none; white-space: normal; widows: 2; = word-spacing: 0px; -webkit-text-size-adjust: auto; = -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); = display: inline !important; float: none; ">&nbsp;</span><span = class=3D"gwt-InlineLabel" style=3D"color: rgb(0, 0, 0); font-family: = 'Arial Unicode MS', Arial, sans-serif; font-style: normal; font-variant: = normal; font-weight: normal; letter-spacing: normal; line-height: = normal; orphans: 2; text-align: -webkit-center; text-indent: 0px; = text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; = -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; = background-color: rgb(255, 255, 255); = ">3.1.0-2.fc17</span></div></blockquote><div><br></div><div>The curl = command I send is:</div><div><br></div><blockquote = class=3D"webkit-indent-blockquote" style=3D"margin: 0 0 0 40px; border: = none; padding: 0px;"><div>curl --cacert $CA_FILE -X GET -H "Filter: = true" -u user@domain:password <a = href=3D"https://$OVIRT/api/vms">https://$OVIRT/api/vms</a> &gt; = uservms.xml&nbsp;</div></blockquote><div><br></div><div>The output when = my user's group has a DOMAIN_ADMIN role contains the xml for the VMs. = The output when the user's group has either a power user or a regular = user role contains the error response with a 401 unauthorized = error.</div><div><br></div><div>I had lots of fun getting this server = set up so it is possible I made a mistake during installation, but it = seems pretty functional right now. Everything seems to be working but I = haven't been able to to test out how/if I can connect a new, non-portal = client without having to add new = servlets.</div><div><br></div><div>Brian</div><div><br><div><div>On Oct = 2, 2012, at 9:57 AM, Itamar Heim wrote:</div><br = class=3D"Apple-interchange-newline"><blockquote type=3D"cite"><div>On = 10/02/2012 04:52 PM, Brian Vetter wrote:<br><blockquote = type=3D"cite">Adding the "Filter:true" header to the curl request = doesn't change anything. If the user account is not an admin account, I = get a 401 status result. So my question still stands, can the REST API = be used by a mere, non-admin "mortal" or is it only for administrative = functions?<brtype=3D"cite"><br></blockquote><blockquote type=3D"cite">I'm in the = process of trying to hook up a different client to a VM managed by = ovirt. I can't use the user portal app. So I was trying to use the REST = APIs on behalf of a normal, non-admin user to get the list of the = authenticating user's VMs and their connection = information.<br></blockquote><br>3.1 added support for non admin to use = the api.<br>i.e., this should work.<br>which specific version are you = using?<br><br><blockquote type=3D"cite"><brtype=3D"cite">Brian<brtype=3D"cite"><br></blockquote><blockquote type=3D"cite">On Oct 2, 2012, = at 2:15 AM, Itamar Heim wrote:<brtype=3D"cite"><br></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite">On 10/02/2012 06:28 AM, Brian Vetter = wrote:<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">I've done two different things. = First, I associated one of my groups in my directory with being a VMUser = which gave members access to a particular VM. If I login with one of = those users via the User portal, I can see their VM (or VMs if I do more = than one). If I use the REST API (or ovirt-shell) using this user's = account and password, I get an unauthorized = error.<br></blockquote></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite">Similarly, I have another group that is assigned the = DomainManager role. If I add this other user to that group, when I login = with that user via the user portal, I see the advanced portal. If I use = the REST-API (using curl) or ovirt-shell and use the user's login = information, I now am authorized and see a list of VMs returned as XML = (in the case of = curl).<br></blockquote></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">That = said, I see all VMs in the system, not just the one assigned to the user = that logged in. So this makes me think that either the REST API for = getting the APIs as suggested by the article is an administrative API = and there is either (a) a different rest API/uri that returns the logged = in user's vms (the list that would be returned to the portal) or (b) no = way to get a particular user's list of VMs authenticated as the = user.<br></blockquote></blockquotetype=3D"cite"><blockquote = type=3D"cite"><br></blockquotetype=3D"cite"><blockquote type=3D"cite">you need to specify to the api = you want to view things in "user mode" via the filter = header.<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote= type=3D"cite">Example:<br></blockquotetype=3D"cite"><blockquote type=3D"cite">curl -X GET -H "Filter: true" -u = user@domain:password <a = href=3D"http://[servername]:PORT/api/vms">http://[servername]:PORT/api/vms= </a><br></blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquotetype=3D"cite"><blockquote = type=3D"cite"><br></blockquotetype=3D"cite"><blockquote = type=3D"cite"><br></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite">Brian<br></blockquote></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">On Oct = 1, 2012, at 10:49 PM, Yair Zaslavsky = wrote:<br></blockquote></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">Hi = Brian,<br></blockquote></blockquote></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">I looked at the wiki = -<br></blockquote></blockquote></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">I assume you're referring to the = "showVm" = part.<br></blockquote></blockquote></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">Have you assigned any = permissions to the user that is supposed to view the = VMs?<br></blockquote></blockquote></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">I assume you created the VMs = with the administrator user, so any other user will require to have a = proper permissions in order to view these = VMs<br></blockquote></blockquote></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote><blo= ckquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite">Yair<br></blockquote></blockquote></blockquote></blockquote>= <blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote><blo= ckquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote><blo= ckquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">On 10/02/2012 05:09 AM, Brian = Vetter = wrote:<br></blockquote></blockquote></blockquotetype=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">I was = trying to use both the rest api to view a user's vm information. I found = that the REST APIs always returned an authentication error if the = account I had logged into was not an ovirt administrator. I am guessing = that either (a) I am using the wrong URL in the REST api or (b) you must = be some kind of admin to access the REST APIs. I noticed the same = behavior when I was using the ovirt-shell = tool.<br></blockquote></blockquote></blockquote></blockquote></blockquote>= <blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">For = example, I was trying to follow the instructions in <a = href=3D"http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_W... _Portal">http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Conso... t_Portal</a> to get the list of VMs (presumably for the user that is = logging in), I get an unauthorized error. If the user account I login = with in the curl or ovirt-shell connect statement is an admin, I get the = list of = VMs.<br></blockquote></blockquote></blockquote></blockquote></blockquote><= blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">So my = question here is does the REST-API need admin privileges or am I using a = url that requires admin privileges whereas some others don't. And if it = is the latter, is there somewhere that documents the various rest api = resources? For example, to go back to the "How to connect to Spice = console ..." article, how would one use the REST API to fetch one's = virtual machines, their status, and connection info for = them?<br></blockquote></blockquote></blockquote></blockquote></blockquote>= <blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite">Thanks,<br></blockquote></blockquote></blockquote></blockquo= te></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite">Brian<br></blockquote></blockquote></blockquote></blockquote= type=3D"cite"><br></blockquote><br><br></div></blockquote></div><br></div>= </body></html>= --Apple-Mail=_FBAAF558-58A9-43D9-B460-DA3E9D65E32B--