1:04 p.m.
Can you please share the script? And also what's the permission of the
user you are executing the script.
When see error 'User is not authorized to perform the action', we print
in engine.log, what's exactly wrong meaning we print what permissions
the user is missing in order to execute that action. So it may help you
find out what's wrong as well.
On 11/26/18 5:35 PM, Schreuders, Cliffe wrote:
> Yes, the related issue we came across was that when using the Ruby gem,
> assigning a VM to an Affinity Group raises an exception that states the
> User is not authorized to perform the action; however, using the same
> account works fine from the Admin portal and carrying out the exact same
> steps via the Python SDK works as expected. The end result is that we
> ended up calling a Python script from our Ruby code just to set the
> affinity group.
>
> Thanks, Paul.
>
> On 26/11/2018 12:11, Staniforth, Paul wrote:
>> Hi Andrej
>>
>> I believe they are using 4.2.5 they get a permission error although they can use
the python SDK with the same account.
>>
>> Paul S.
>> ________________________________________
>> From: Ondra Machacek <omachace(a)redhat.com>
>> Sent: 26 November 2018 11:41
>> To: Staniforth, Paul
>> Cc: Andrej Krejcir; users
>> Subject: Re: [ovirt-users] AffinityGroup API
>>
>> What version of the SDK do you use?
>> I can see it's supported in latest version.
>>
>> On 11/26/18 11:13 AM, Andrej Krejcir wrote:
>>> Hi,
>>>
>>> I don't know much about ruby SDK. I think the SDKs for various languages
>>> are generated from the API specification.
>>>
>>> Ondra, is this a bug in ruby SDK?
>>>
>>>
>>> Andrej
>>>
>>> On Fri, 23 Nov 2018 at 18:06, Staniforth, Paul <
>>> P.Staniforth(a)leedsbeckett.ac.uk> wrote:
>>>
>>>> Hello Andrej,
>>>>
>>>> Also the Affinity Groups apparently aren't
available
>>>> in the Ruby SDK should I add this to the bug report?
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Paul S.
>>>> ------------------------------
>>>> *From:* Andrej Krejcir <akrejcir(a)redhat.com>
>>>> *Sent:* 21 November 2018 13:32
>>>> *To:* Staniforth, Paul
>>>> *Cc:* users
>>>> *Subject:* Re: [ovirt-users] AffinityGroup API
>>>>
>>>> Hi,
>>>>
>>>> Yes, the AffinityGroupHosts is missing. Can you please open a bug[1] so
we
>>>> can add it?
>>>>
>>>> As a workaround, the hosts can be modified by PUT request to the
>>>> AffinityGroup endpoint directly, for example:
>>>>
>>>> PUT /ovirt-engine/api/clusters/1234/affinitygroups/5678
>>>> <affinity_group>
>>>> <hosts>
>>>> <host id="123456789"/>
>>>> <host id="987654321"/>
>>>> </hosts>
>>>> </affinity_group>
>>>>
>>>> However, this will replace all hosts in the affinity group with the
hosts
>>>> listed.
>>>>
>>>>
>>>> Best regards,
>>>> Andrej
>>>>
>>>>
>>>> [1] - https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine
>>>>
>>>> On Wed, 21 Nov 2018 at 13:26, <p.staniforth(a)leedsbeckett.ac.uk>
wrote:
>>>>
>>>>> Hello,
>>>>> When using the API to update an AffinityGroup there is
a
>>>>> AffinityGroupVm and AffinityGroupVms so I can add or remove VMs but
there
>>>>> is no AffinityGroupHost or AffinityGroupHosts, therefore I can't
add or
>>>>> remove hosts.
>>>>>
>>>>> Thanks,
>>>>> Paul S.
>>>>> _______________________________________________
>>>>> Users mailing list -- users(a)ovirt.org
>>>>> To unsubscribe send an email to users-leave(a)ovirt.org
>>>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>>>>> oVirt Code of Conduct:
>>>>> https://www.ovirt.org/community/about/community-guidelines/
>>>>> List Archives:
>>>>>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BUMDJ34JRLD...
>>>>>
>>>> To view the terms under which this email is distributed, please go to:-
>>>> http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html
>>>>
>>>>
> To view the terms under which this email is distributed, please go to:-
> http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html
>
6:28 p.m.
New subject: AffinityGroup API
Hi Ondra,
Thanks. Here is a sample script that illustrates the problem. The same error occurs when
adding a VM to an existing affinity group.
Sample code:
require 'ovirtsdk4'
conn_attr = {}
conn_attr[:url] = 'https://XXXX/ovirt-engine/api'
conn_attr[:username] = 'XXXX'
conn_attr[:password] = 'XXXX'
conn_attr[:debug] = true
conn_attr[:headers] = {'Filter' => true }
ovirt_connection = OvirtSDK4::Connection.new(conn_attr)
vms_service = ovirt_connection.system_service.vms_service
clusters_service = ovirt_connection.system_service.clusters_service
cluster = clusters_service.list(search: 'name=Default')[0]
cluster_service = clusters_service.cluster_service(cluster.id)
cluster_affinitygroups_service = cluster_service.affinity_groups_service
begin
affinity_group_name = "affinity_group_test123"
puts "Creating affinity group: #{affinity_group_name}"
cluster_affinitygroups_service.add(OvirtSDK4::AffinityGroup.new(
name: affinity_group_name,
description: 'a description',
vms_rule: OvirtSDK4::AffinityRule.new(
enabled: true,
positive: true,
enforcing: true
)
))
rescue Exception => e
warn "Failed to create affinity group"
warn e.message
end
Output:
cliffe@office:~/Code/ovirt_scripts$ ruby add_affinity_group.rb
Creating affinity group: affinity_group_test123
Failed to create affinity group
Fault reason is "Operation Failed". Fault detail is "[User is not
authorized to perform this action.]". HTTP response code is 400.
The user has ReadOnlyAdmin permissions.
I would be happy to be told if I'm doing something wrong here, I didn't find any
ruby examples that worked with affinity groups.
Paul could you please provide the engine.log entries? Thanks.
Cheers,
Cliffe.
On 27/11/2018 10:04, Ondra Machacek wrote:
Can you please share the script? And also what's the permission of the
user you are executing the script.
When see error 'User is not authorized to perform the action', we print
in engine.log, what's exactly wrong meaning we print what permissions
the user is missing in order to execute that action. So it may help you
find out what's wrong as well.
On 11/26/18 5:35 PM, Schreuders, Cliffe wrote:
Yes, the related issue we came across was that when using the Ruby gem,
assigning a VM to an Affinity Group raises an exception that states the
User is not authorized to perform the action; however, using the same
account works fine from the Admin portal and carrying out the exact same
steps via the Python SDK works as expected. The end result is that we
ended up calling a Python script from our Ruby code just to set the
affinity group.
Thanks, Paul.
On 26/11/2018 12:11, Staniforth, Paul wrote:
Hi Andrej
I believe they are using 4.2.5 they get a permission error although they can use the
python SDK with the same account.
Paul S.
________________________________________
From: Ondra Machacek <omachace@redhat.com><mailto:omachace@redhat.com>
Sent: 26 November 2018 11:41
To: Staniforth, Paul
Cc: Andrej Krejcir; users
Subject: Re: [ovirt-users] AffinityGroup API
What version of the SDK do you use?
I can see it's supported in latest version.
On 11/26/18 11:13 AM, Andrej Krejcir wrote:
Hi,
I don't know much about ruby SDK. I think the SDKs for various languages
are generated from the API specification.
Ondra, is this a bug in ruby SDK?
Andrej
On Fri, 23 Nov 2018 at 18:06, Staniforth, Paul <
P.Staniforth@leedsbeckett.ac.uk<mailto:P.Staniforth@leedsbeckett.ac.uk>> wrote:
Hello Andrej,
Also the Affinity Groups apparently aren't available
in the Ruby SDK should I add this to the bug report?
Thanks,
Paul S.
------------------------------
*From:* Andrej Krejcir <akrejcir@redhat.com><mailto:akrejcir@redhat.com>
*Sent:* 21 November 2018 13:32
*To:* Staniforth, Paul
*Cc:* users
*Subject:* Re: [ovirt-users] AffinityGroup API
Hi,
Yes, the AffinityGroupHosts is missing. Can you please open a bug[1] so we
can add it?
As a workaround, the hosts can be modified by PUT request to the
AffinityGroup endpoint directly, for example:
PUT /ovirt-engine/api/clusters/1234/affinitygroups/5678
<affinity_group>
<hosts>
<host id="123456789"/>
<host id="987654321"/>
</hosts>
</affinity_group>
However, this will replace all hosts in the affinity group with the hosts
listed.
Best regards,
Andrej
[1] - https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine
On Wed, 21 Nov 2018 at 13:26,
<p.staniforth@leedsbeckett.ac.uk><mailto:p.staniforth@leedsbeckett.ac.uk>
wrote:
Hello,
When using the API to update an AffinityGroup there is a
AffinityGroupVm and AffinityGroupVms so I can add or remove VMs but there
is no AffinityGroupHost or AffinityGroupHosts, therefore I can't add or
remove hosts.
Thanks,
Paul S.
_______________________________________________
Users mailing list -- users@ovirt.org<mailto:users@ovirt.org>
To unsubscribe send an email to
users-leave@ovirt.org<mailto:users-leave@ovirt.org>
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BUMDJ34JRLD...
To view the terms under which this email is distributed, please go to:-
http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html
To view the terms under which this email is distributed, please go to:-
http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html
To view the terms under which this email is distributed, please go to:-
http://leedsbeckett.ac.uk/disclaimer/email/
3:21 p.m.
New subject: AffinityGroup API
The user also has AffinityGroupManager role for the cluster this role has permission
Manipulate Affinity Groups.
It is the same account that works when using the python SDK
2018-11-27 11:36:50,791Z INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand]
(default task-5237) [b225cdb] Running command: CreateUserSessionCommand internal: false.
2018-11-27 11:36:50,988Z INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-5229)
[21e2d0fe] EVENT_ID: USER_VDC_LOGIN(30), User secgen@internal-authz connecting from
'x.x.x.x' using session
'mT2aF7+FziRwE3ZZ29y7y2QHidDX4aAquc5fwo5swyLVMxufAyF26JbmDNeN9ylob1+zSSH9JWu4bBDt2wdHGw=='
logged in.
2018-11-27 11:36:51,081Z INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils]
(default task-5233) [] User xxxx@internal successfully logged in with scopes:
ovirt-app-api ovirt-ext=token-in
fo:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate
ovirt-ext=token:passw..d-access
2018-11-27 11:36:51,154Z INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand]
(default task-5233) [1d0e61f8] Running command: CreateUserSessionCommand internal: false.
2018-11-27 11:36:51,604Z INFO
[org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default
task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] No permission found for user
'd5b7e8f0-603e-47c5-a420-1f5f6834aa02' or one of the groups he is member of, when
running action 'AddAffinityGroup', Required permissions are: Action type:
'ADMIN' Action group: 'MANIPULATE_AFFINITY_GROUPS' Object type:
'Cluster' Object ID: 'beac8771-1dbc-4046-99b1-c17d072fb27f'.
2018-11-27 11:36:51,604Z WARN
[org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default
task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] Validation of action
'AddAffinityGroup' failed for user xxxx@internal-authz. Reasons:
VAR__TYPE__AFFINITY_GROUP,VAR__ACTION__ADD,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2018-11-27 11:36:51,606Z ERROR
[org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (default task-5233) []
Operation Failed: [User is not authorized to perform this action.]
Regards,
Paul S.
________________________________
From: Schreuders, Cliffe
Sent: 27 November 2018 11:55
To: Ondra Machacek; Staniforth, Paul
Cc: Andrej Krejcir; users; Shaw, Thomas
Subject: Re: [ovirt-users] AffinityGroup API
Hi Ondra,
Thanks. Here is a sample script that illustrates the problem. The same error occurs when
adding a VM to an existing affinity group.
Sample code:
require 'ovirtsdk4'
conn_attr = {}
conn_attr[:url] = 'https://XXXX/ovirt-engine/api'
conn_attr[:username] = 'XXXX'
conn_attr[:passwxxd] = 'XXXX'
conn_attr[:debug] = true
conn_attr[:headers] = {'Filter' => true }
ovirt_connection = OvirtSDK4::Connection.new(conn_attr)
vms_service = ovirt_connection.system_service.vms_service
clusters_service = ovirt_connection.system_service.clusters_service
cluster = clusters_service.list(search: 'name=Default')[0]
cluster_service = clusters_service.cluster_service(cluster.id)
cluster_affinitygroups_service = cluster_service.affinity_groups_service
begin
affinity_group_name = "affinity_group_test123"
puts "Creating affinity group: #{affinity_group_name}"
cluster_affinitygroups_service.add(OvirtSDK4::AffinityGroup.new(
name: affinity_group_name,
description: 'a description',
vms_rule: OvirtSDK4::AffinityRule.new(
enabled: true,
positive: true,
enforcing: true
)
))
rescue Exception => e
warn "Failed to create affinity group"
warn e.message
end
Output:
cliffe@office:~/Code/ovirt_scripts$ ruby add_affinity_group.rb
Creating affinity group: affinity_group_test123
Failed to create affinity group
Fault reason is "Operation Failed". Fault detail is "[User is not
authorized to perform this action.]". HTTP response code is 400.
The user has ReadOnlyAdmin permissions.
I would be happy to be told if I'm doing something wrong here, I didn't find any
ruby examples that worked with affinity groups.
Paul could you please provide the engine.log entries? Thanks.
Cheers,
Cliffe.
On 27/11/2018 10:04, Ondra Machacek wrote:
Can you please share the script? And also what's the permission of the
user you are executing the script.
When see error 'User is not authorized to perform the action', we print
in engine.log, what's exactly wrong meaning we print what permissions
the user is missing in order to execute that action. So it may help you
find out what's wrong as well.
On 11/26/18 5:35 PM, Schreuders, Cliffe wrote:
Yes, the related issue we came across was that when using the Ruby gem,
assigning a VM to an Affinity Group raises an exception that states the
User is not authorized to perform the action; however, using the same
account works fine from the Admin portal and carrying out the exact same
steps via the Python SDK works as expected. The end result is that we
ended up calling a Python script from our Ruby code just to set the
affinity group.
Thanks, Paul.
On 26/11/2018 12:11, Staniforth, Paul wrote:
Hi Andrej
I believe they are using 4.2.5 they get a permission error although they can use the
python SDK with the same account.
Paul S.
________________________________________
From: Ondra Machacek <omachace@redhat.com><mailto:omachace@redhat.com>
Sent: 26 November 2018 11:41
To: Staniforth, Paul
Cc: Andrej Krejcir; users
Subject: Re: [ovirt-users] AffinityGroup API
What version of the SDK do you use?
I can see it's supported in latest version.
On 11/26/18 11:13 AM, Andrej Krejcir wrote:
Hi,
I don't know much about ruby SDK. I think the SDKs for various languages
are generated from the API specification.
Ondra, is this a bug in ruby SDK?
Andrej
On Fri, 23 Nov 2018 at 18:06, Staniforth, Paul <
P.Staniforth@leedsbeckett.ac.uk<mailto:P.Staniforth@leedsbeckett.ac.uk>> wrote:
Hello Andrej,
Also the Affinity Groups apparently aren't available
in the Ruby SDK should I add this to the bug report?
Thanks,
Paul S.
------------------------------
*From:* Andrej Krejcir <akrejcir@redhat.com><mailto:akrejcir@redhat.com>
*Sent:* 21 November 2018 13:32
*To:* Staniforth, Paul
*Cc:* users
*Subject:* Re: [ovirt-users] AffinityGroup API
Hi,
Yes, the AffinityGroupHosts is missing. Can you please open a bug[1] so we
can add it?
As a workaround, the hosts can be modified by PUT request to the
AffinityGroup endpoint directly, for example:
PUT /ovirt-engine/api/clusters/1234/affinitygroups/5678
<affinity_group>
<hosts>
<host id="123456789"/>
<host id="987654321"/>
</hosts>
</affinity_group>
However, this will replace all hosts in the affinity group with the hosts
listed.
Best regards,
Andrej
[1] - https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine
On Wed, 21 Nov 2018 at 13:26,
<p.staniforth@leedsbeckett.ac.uk><mailto:p.staniforth@leedsbeckett.ac.uk>
wrote:
Hello,
When using the API to update an AffinityGroup there is a
AffinityGroupVm and AffinityGroupVms so I can add or remove VMs but there
is no AffinityGroupHost or AffinityGroupHosts, therefore I can't add or
remove hosts.
Thanks,
Paul S.
_______________________________________________
Users mailing list -- users@ovirt.org<mailto:users@ovirt.org>
To unsubscribe send an email to users-leave@ovirt.org<mailto:users-leave@ovirt.org>
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BUMDJ34JRLD...
To view the terms under which this email is distributed, please go to:-
http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html
To view the terms under which this email is distributed, please go to:-
http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html
To view the terms under which this email is distributed, please go to:-
http://leedsbeckett.ac.uk/disclaimer/email/
6:36 p.m.
New subject: AffinityGroup API
So both of the user's roles are administrative,
so please try to remove following line in your script:
conn_attr[:headers] = {'Filter' => true }
This should be used only with roles which are not administrative,
like UserVmManager, etc.
On 11/27/18 1:21 PM, Staniforth, Paul wrote:
> The user also has AffinityGroupManager role for the cluster this role has permission
Manipulate Affinity Groups.
>
> It is the same account that works when using the python SDK
>
> 2018-11-27 11:36:50,791Z INFO
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5237) [b225cdb]
Running command: CreateUserSessionCommand internal: false.
> 2018-11-27 11:36:50,988Z INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-5229)
[21e2d0fe] EVENT_ID: USER_VDC_LOGIN(30), User secgen@internal-authz connecting from
'x.x.x.x' using session
'mT2aF7+FziRwE3ZZ29y7y2QHidDX4aAquc5fwo5swyLVMxufAyF26JbmDNeN9ylob1+zSSH9JWu4bBDt2wdHGw=='
logged in.
> 2018-11-27 11:36:51,081Z INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils]
(default task-5233) [] User xxxx@internal successfully logged in with scopes:
ovirt-app-api ovirt-ext=token-in
> fo:authz-search ovirt-ext=token-info:public-authz-search
ovirt-ext=token-info:validate ovirt-ext=token:passw..d-access
> 2018-11-27 11:36:51,154Z INFO
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5233) [1d0e61f8]
Running command: CreateUserSessionCommand internal: false.
> 2018-11-27 11:36:51,604Z INFO
[org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default
task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] No permission found for user
'd5b7e8f0-603e-47c5-a420-1f5f6834aa02' or one of the groups he is member of, when
running action 'AddAffinityGroup', Required permissions are: Action type:
'ADMIN' Action group: 'MANIPULATE_AFFINITY_GROUPS' Object type:
'Cluster' Object ID: 'beac8771-1dbc-4046-99b1-c17d072fb27f'.
> 2018-11-27 11:36:51,604Z WARN
[org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default
task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] Validation of action
'AddAffinityGroup' failed for user xxxx@internal-authz. Reasons:
VAR__TYPE__AFFINITY_GROUP,VAR__ACTION__ADD,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2018-11-27 11:36:51,606Z ERROR
[org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (default task-5233) []
Operation Failed: [User is not authorized to perform this action.]
>
> Regards,
> Paul S.
>
>
> ________________________________
> From: Schreuders, Cliffe
> Sent: 27 November 2018 11:55
> To: Ondra Machacek; Staniforth, Paul
> Cc: Andrej Krejcir; users; Shaw, Thomas
> Subject: Re: [ovirt-users] AffinityGroup API
>
> Hi Ondra,
>
> Thanks. Here is a sample script that illustrates the problem. The same error occurs
when adding a VM to an existing affinity group.
>
> Sample code:
> require 'ovirtsdk4'
>
> conn_attr = {}
> conn_attr[:url] = 'https://XXXX/ovirt-engine/api'
> conn_attr[:username] = 'XXXX'
> conn_attr[:passwxxd] = 'XXXX'
> conn_attr[:debug] = true
> conn_attr[:headers] = {'Filter' => true }
>
> ovirt_connection = OvirtSDK4::Connection.new(conn_attr)
> vms_service = ovirt_connection.system_service.vms_service
> clusters_service = ovirt_connection.system_service.clusters_service
> cluster = clusters_service.list(search: 'name=Default')[0]
> cluster_service = clusters_service.cluster_service(cluster.id)
> cluster_affinitygroups_service = cluster_service.affinity_groups_service
>
> begin
> affinity_group_name = "affinity_group_test123"
> puts "Creating affinity group: #{affinity_group_name}"
>
> cluster_affinitygroups_service.add(OvirtSDK4::AffinityGroup.new(
> name: affinity_group_name,
> description: 'a description',
> vms_rule: OvirtSDK4::AffinityRule.new(
> enabled: true,
> positive: true,
> enforcing: true
> )
> ))
> rescue Exception => e
> warn "Failed to create affinity group"
> warn e.message
> end
>
> Output:
> cliffe@office:~/Code/ovirt_scripts$ ruby add_affinity_group.rb
> Creating affinity group: affinity_group_test123
> Failed to create affinity group
> Fault reason is "Operation Failed". Fault detail is "[User is not
authorized to perform this action.]". HTTP response code is 400.
>
> The user has ReadOnlyAdmin permissions.
>
> I would be happy to be told if I'm doing something wrong here, I didn't find
any ruby examples that worked with affinity groups.
>
> Paul could you please provide the engine.log entries? Thanks.
>
> Cheers,
>
> Cliffe.
>
> On 27/11/2018 10:04, Ondra Machacek wrote:
> Can you please share the script? And also what's the permission of the
> user you are executing the script.
>
> When see error 'User is not authorized to perform the action', we print
> in engine.log, what's exactly wrong meaning we print what permissions
> the user is missing in order to execute that action. So it may help you
> find out what's wrong as well.
>
> On 11/26/18 5:35 PM, Schreuders, Cliffe wrote:
> Yes, the related issue we came across was that when using the Ruby gem,
> assigning a VM to an Affinity Group raises an exception that states the
> User is not authorized to perform the action; however, using the same
> account works fine from the Admin portal and carrying out the exact same
> steps via the Python SDK works as expected. The end result is that we
> ended up calling a Python script from our Ruby code just to set the
> affinity group.
>
> Thanks, Paul.
>
> On 26/11/2018 12:11, Staniforth, Paul wrote:
> Hi Andrej
>
> I believe they are using 4.2.5 they get a permission error although they can use the
python SDK with the same account.
>
> Paul S.
> ________________________________________
> From: Ondra Machacek <omachace@redhat.com><mailto:omachace@redhat.com>
> Sent: 26 November 2018 11:41
> To: Staniforth, Paul
> Cc: Andrej Krejcir; users
> Subject: Re: [ovirt-users] AffinityGroup API
>
> What version of the SDK do you use?
> I can see it's supported in latest version.
>
> On 11/26/18 11:13 AM, Andrej Krejcir wrote:
> Hi,
>
> I don't know much about ruby SDK. I think the SDKs for various languages
> are generated from the API specification.
>
> Ondra, is this a bug in ruby SDK?
>
>
> Andrej
>
> On Fri, 23 Nov 2018 at 18:06, Staniforth, Paul <
> P.Staniforth@leedsbeckett.ac.uk<mailto:P.Staniforth@leedsbeckett.ac.uk>>
wrote:
>
> Hello Andrej,
>
> Also the Affinity Groups apparently aren't available
> in the Ruby SDK should I add this to the bug report?
>
>
> Thanks,
>
> Paul S.
> ------------------------------
> *From:* Andrej Krejcir <akrejcir@redhat.com><mailto:akrejcir@redhat.com>
> *Sent:* 21 November 2018 13:32
> *To:* Staniforth, Paul
> *Cc:* users
> *Subject:* Re: [ovirt-users] AffinityGroup API
>
> Hi,
>
> Yes, the AffinityGroupHosts is missing. Can you please open a bug[1] so we
> can add it?
>
> As a workaround, the hosts can be modified by PUT request to the
> AffinityGroup endpoint directly, for example:
>
> PUT /ovirt-engine/api/clusters/1234/affinitygroups/5678
> <affinity_group>
> <hosts>
> <host id="123456789"/>
> <host id="987654321"/>
> </hosts>
> </affinity_group>
>
> However, this will replace all hosts in the affinity group with the hosts
> listed.
>
>
> Best regards,
> Andrej
>
>
> [1] - https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine
>
> On Wed, 21 Nov 2018 at 13:26,
<p.staniforth@leedsbeckett.ac.uk><mailto:p.staniforth@leedsbeckett.ac.uk>
wrote:
>
> Hello,
> When using the API to update an AffinityGroup there is a
> AffinityGroupVm and AffinityGroupVms so I can add or remove VMs but there
> is no AffinityGroupHost or AffinityGroupHosts, therefore I can't add or
> remove hosts.
>
> Thanks,
> Paul S.
> _______________________________________________
> Users mailing list -- users@ovirt.org<mailto:users@ovirt.org>
> To unsubscribe send an email to
users-leave@ovirt.org<mailto:users-leave@ovirt.org>
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BUMDJ34JRLD...
>
> To view the terms under which this email is distributed, please go to:-
> http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html
>
>
> To view the terms under which this email is distributed, please go to:-
> http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html
>
>
> To view the terms under which this email is distributed, please go to:-
> http://leedsbeckett.ac.uk/disclaimer/email/
>
12:32 p.m.
New subject: AffinityGroup API
Thank you! This has solved the issue.
Just to note that we make use of the oVirt API extensively, and until
now having filter=true hasn't stopped us from managing snapshots, nics,
disks, starting/stoping VMs, getting consoles, etc, etc, so it does seem
to be somewhat inconsistent behaviour. Perhaps this also explains why we
found the snapshot APIs raises exceptions that we found we can ignore,
since the operations actually succeed?
The same user account has not always had admin roles, so filter=true
used to be required for our use-cases.
Thanks again, Ondra. Much appreciated.
Cheers,
Cliffe.
On 27/11/2018 15:36, Ondra Machacek wrote:
So both of the user's roles are administrative,
so please try to remove following line in your script:
> conn_attr[:headers] = {'Filter' => true }
This should be used only with roles which are not administrative,
like UserVmManager, etc.
On 11/27/18 1:21 PM, Staniforth, Paul wrote:
> The user also has AffinityGroupManager role for the cluster this role
> has permission Manipulate Affinity Groups.
>
> It is the same account that works when using the python SDK
>
> 2018-11-27 11:36:50,791Z INFO
> [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default
> task-5237) [b225cdb] Running command: CreateUserSessionCommand
> internal: false.
> 2018-11-27 11:36:50,988Z INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-5229) [21e2d0fe] EVENT_ID: USER_VDC_LOGIN(30), User
> secgen@internal-authz connecting from 'x.x.x.x' using session
>
'mT2aF7+FziRwE3ZZ29y7y2QHidDX4aAquc5fwo5swyLVMxufAyF26JbmDNeN9ylob1+zSSH9JWu4bBDt2wdHGw=='
> logged in.
> 2018-11-27 11:36:51,081Z INFO
> [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default
> task-5233) [] User xxxx@internal successfully logged in with scopes:
> ovirt-app-api ovirt-ext=token-in
> fo:authz-search ovirt-ext=token-info:public-authz-search
> ovirt-ext=token-info:validate ovirt-ext=token:passw..d-access
> 2018-11-27 11:36:51,154Z INFO
> [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default
> task-5233) [1d0e61f8] Running command: CreateUserSessionCommand
> internal: false.
> 2018-11-27 11:36:51,604Z INFO
> [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand]
> (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] No
> permission found for user 'd5b7e8f0-603e-47c5-a420-1f5f6834aa02' or
> one of the groups he is member of, when running action
> 'AddAffinityGroup', Required permissions are: Action type: 'ADMIN'
> Action group: 'MANIPULATE_AFFINITY_GROUPS' Object type: 'Cluster'
> Object ID: 'beac8771-1dbc-4046-99b1-c17d072fb27f'.
> 2018-11-27 11:36:51,604Z WARN
> [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand]
> (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] Validation
> of action 'AddAffinityGroup' failed for user xxxx@internal-authz.
> Reasons:
> VAR__TYPE__AFFINITY_GROUP,VAR__ACTION__ADD,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2018-11-27 11:36:51,606Z ERROR
> [org.ovirt.engine.api.restapi.resource.AbstractBackendResource]
> (default task-5233) [] Operation Failed: [User is not authorized to
> perform this action.]
>
> Regards,
> Paul S.
>
>
> ________________________________
> From: Schreuders, Cliffe
> Sent: 27 November 2018 11:55
> To: Ondra Machacek; Staniforth, Paul
> Cc: Andrej Krejcir; users; Shaw, Thomas
> Subject: Re: [ovirt-users] AffinityGroup API
>
> Hi Ondra,
>
> Thanks. Here is a sample script that illustrates the problem. The
> same error occurs when adding a VM to an existing affinity group.
>
> Sample code:
> require 'ovirtsdk4'
>
> conn_attr = {}
> conn_attr[:url] = 'https://XXXX/ovirt-engine/api'
> conn_attr[:username] = 'XXXX'
> conn_attr[:passwxxd] = 'XXXX'
> conn_attr[:debug] = true
> conn_attr[:headers] = {'Filter' => true }
>
> ovirt_connection = OvirtSDK4::Connection.new(conn_attr)
> vms_service = ovirt_connection.system_service.vms_service
> clusters_service = ovirt_connection.system_service.clusters_service
> cluster = clusters_service.list(search: 'name=Default')[0]
> cluster_service = clusters_service.cluster_service(cluster.id)
> cluster_affinitygroups_service = cluster_service.affinity_groups_service
>
> begin
> affinity_group_name = "affinity_group_test123"
> puts "Creating affinity group: #{affinity_group_name}"
>
> cluster_affinitygroups_service.add(OvirtSDK4::AffinityGroup.new(
> name: affinity_group_name,
> description: 'a description',
> vms_rule: OvirtSDK4::AffinityRule.new(
> enabled: true,
> positive: true,
> enforcing: true
> )
> ))
> rescue Exception => e
> warn "Failed to create affinity group"
> warn e.message
> end
>
> Output:
> cliffe@office:~/Code/ovirt_scripts$ ruby add_affinity_group.rb
> Creating affinity group: affinity_group_test123
> Failed to create affinity group
> Fault reason is "Operation Failed". Fault detail is "[User is not
> authorized to perform this action.]". HTTP response code is 400.
>
> The user has ReadOnlyAdmin permissions.
>
> I would be happy to be told if I'm doing something wrong here, I
> didn't find any ruby examples that worked with affinity groups.
>
> Paul could you please provide the engine.log entries? Thanks.
>
> Cheers,
>
> Cliffe.
>
> On 27/11/2018 10:04, Ondra Machacek wrote:
> Can you please share the script? And also what's the permission of the
> user you are executing the script.
>
> When see error 'User is not authorized to perform the action', we print
> in engine.log, what's exactly wrong meaning we print what permissions
> the user is missing in order to execute that action. So it may help you
> find out what's wrong as well.
>
> On 11/26/18 5:35 PM, Schreuders, Cliffe wrote:
> Yes, the related issue we came across was that when using the Ruby gem,
> assigning a VM to an Affinity Group raises an exception that states the
> User is not authorized to perform the action; however, using the same
> account works fine from the Admin portal and carrying out the exact same
> steps via the Python SDK works as expected. The end result is that we
> ended up calling a Python script from our Ruby code just to set the
> affinity group.
>
> Thanks, Paul.
>
> On 26/11/2018 12:11, Staniforth, Paul wrote:
> Hi Andrej
>
> I believe they are using 4.2.5 they get a permission error although
> they can use the python SDK with the same account.
>
> Paul S.
> ________________________________________
> From: Ondra Machacek <omachace@redhat.com><mailto:omachace@redhat.com>
> Sent: 26 November 2018 11:41
> To: Staniforth, Paul
> Cc: Andrej Krejcir; users
> Subject: Re: [ovirt-users] AffinityGroup API
>
> What version of the SDK do you use?
> I can see it's supported in latest version.
>
> On 11/26/18 11:13 AM, Andrej Krejcir wrote:
> Hi,
>
> I don't know much about ruby SDK. I think the SDKs for various languages
> are generated from the API specification.
>
> Ondra, is this a bug in ruby SDK?
>
>
> Andrej
>
> On Fri, 23 Nov 2018 at 18:06, Staniforth, Paul <
> P.Staniforth@leedsbeckett.ac.uk<mailto:P.Staniforth@leedsbeckett.ac.uk>>
> wrote:
>
> Hello Andrej,
>
> Also the Affinity Groups apparently aren't
> available
> in the Ruby SDK should I add this to the bug report?
>
>
> Thanks,
>
> Paul S.
> ------------------------------
> *From:* Andrej Krejcir <akrejcir@redhat.com><mailto:akrejcir@redhat.com>
> *Sent:* 21 November 2018 13:32
> *To:* Staniforth, Paul
> *Cc:* users
> *Subject:* Re: [ovirt-users] AffinityGroup API
>
> Hi,
>
> Yes, the AffinityGroupHosts is missing. Can you please open a bug[1]
> so we
> can add it?
>
> As a workaround, the hosts can be modified by PUT request to the
> AffinityGroup endpoint directly, for example:
>
> PUT /ovirt-engine/api/clusters/1234/affinitygroups/5678
> <affinity_group>
> <hosts>
> <host id="123456789"/>
> <host id="987654321"/>
> </hosts>
> </affinity_group>
>
> However, this will replace all hosts in the affinity group with the
> hosts
> listed.
>
>
> Best regards,
> Andrej
>
>
> [1] - https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine
>
> On Wed, 21 Nov 2018 at 13:26,
>
<p.staniforth@leedsbeckett.ac.uk><mailto:p.staniforth@leedsbeckett.ac.uk>
> wrote:
>
> Hello,
> When using the API to update an AffinityGroup there is a
> AffinityGroupVm and AffinityGroupVms so I can add or remove VMs but
> there
> is no AffinityGroupHost or AffinityGroupHosts, therefore I can't add or
> remove hosts.
>
> Thanks,
> Paul S.
> _______________________________________________
> Users mailing list -- users@ovirt.org<mailto:users@ovirt.org>
> To unsubscribe send an email to
> users-leave@ovirt.org<mailto:users-leave@ovirt.org>
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BUMDJ34JRLD...
>
>
> To view the terms under which this email is distributed, please go to:-
> http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html
>
>
> To view the terms under which this email is distributed, please go to:-
> http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html
>
>
> To view the terms under which this email is distributed, please go to:-
> http://leedsbeckett.ac.uk/disclaimer/email/
>
To view the terms under which this email is distributed, please go to:-
http://leedsbeckett.ac.uk/disclaimer/email/
2184
days inactive
2185
days old
4 comments
3 participants
participants (3)
-
Ondra Machacek -
Schreuders, Cliffe -
Staniforth, Paul