Re: [ovirt-users] api access with poweruser role

This is a multi-part message in MIME format. --------------010300080002000006010702 Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit On 10/28/2015 11:29 AM, Jorick Astrego wrote: It depends what url foreman client access. But you can set: <logger category="org.ovirt.engine.core.bll"> <level name="ALL"/> </logger> And then you will see what commands was queried with or without the filtered API. 2015-10-29 15:45:45,436 TRACE [org.ovirt.engine.core.bll.GetAllVmsQuery] (ajp-/127.0.0.1:8702-1) [] START, GetAllVmsQuery(VdcQueryParametersBase:{refresh='true', filtered='true'}), log id: 53b3c8b9 ^^ This is example of running 'Filter: true' on /api/vms (you can see filtered='true'). --------------010300080002000006010702 Content-Type: text/html; charset=windows-1252 Content-Transfer-Encoding: 8bit <html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <br> <br> <div class="moz-cite-prefix">On 10/28/2015 11:29 AM, Jorick Astrego wrote:<br> </div> <blockquote cite="mid:5630A36D.6000202@netbulae.eu" type="cite"> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> <br> <br> <div class="moz-cite-prefix">On 10/26/2015 03:14 PM, Jorick Astrego wrote:<br> </div> <blockquote cite="mid:562E355D.4030201@netbulae.eu" type="cite"> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> <br> <br> <div class="moz-cite-prefix">On 10/26/2015 02:57 PM, Ondra Machacek wrote:<br> </div> <blockquote cite="mid:562E3143.4010600@redhat.com" type="cite"> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> <br> <br> <div class="moz-cite-prefix">On 10/26/2015 02:53 PM, Jorick Astrego wrote:<br> </div> <blockquote cite="mid:562E3075.5050203@netbulae.eu" type="cite"> <meta http-equiv="content-type" content="text/html; charset=windows-1252"> Hi,<br> <br> Currently I'm trying to add an ovirt compute resource in forman that is limited to the VM's of the user. <br> <br> When I give this user the PowerUser role, I cannot access the api:<br> <br> <blockquote>query execution failed due to insufficient permissions<br> </blockquote> </blockquote> <br> Are you sending header 'Filter: true' with the request ?<br> If your user is not admin(PowerUserRole is not admin role),<br> you have to use this header.<br> <br> <br> </blockquote> <br> </blockquote> <br> Hmm, not much response on foreman-users.. <br> <br> I checked the code of fog in my foreman install ( /opt/rh/ruby193/root/usr/share/gems/gems/fog-1.32.0/lib/fog/ovirt/compute.rb ) and it appears to have the correct option merged:<br> <br> <blockquote>          connection_opts[:filtered_api]  = options[:ovirt_filtered_api]<br> <br> <br> </blockquote> But I don't know what url the foreman actually generates, is there any way to capture the login string? I tried setting some DEBUG logging but don't get the output I'm looking for.<br> <br> <blockquote>        &lt;logger category="org.ovirt.engine.core.bll.SearchQuery"&gt;<br>                 &lt;level name="DEBUG"/&gt;<br>         &lt;/logger&gt;<br>         &lt;logger category="org.ovirt.engine.core.bll.aaa.LoginUserCommand"&gt;<br>                 &lt;level name="DEBUG"/&gt;<br>         &lt;/logger&gt;<br>         &lt;logger category="org.ovirt.engine.api.restapi.resource.AbstractBackendResource"&gt;<br>                 &lt;level name="DEBUG"/&gt;<br>         &lt;/logger&gt;<br> <br> </blockquote> <br> </blockquote> <br> It depends what url foreman client access. But you can set:<br> <br> &lt;logger category="org.ovirt.engine.core.bll"&gt;<br>     &lt;level name="ALL"/&gt;<br> &lt;/logger&gt;<br> <br> And then you will see what commands was queried with or without the filtered API.<br> <br> 2015-10-29 15:45:45,436 TRACE [org.ovirt.engine.core.bll.GetAllVmsQuery] (ajp-/127.0.0.1:8702-1) [] START, GetAllVmsQuery(VdcQueryParametersBase:{refresh='true', filtered='true'}), log id: 53b3c8b9<br> <br> ^^ This is example of running 'Filter: true' on /api/vms (you can see filtered='true').<br> <br> <blockquote cite="mid:5630A36D.6000202@netbulae.eu" type="cite"> <blockquote><br> <br> </blockquote> <br> <br> <br> <br> <span style="color:#604c78;"><font color="000000"><span style="mso-fareast-language:en-gb;" lang="NL">Met vriendelijke groet, With kind regards,<br> <br> Jorick Astrego<br> </span></font></span><b style="color:#604c78"><br> Netbulae Virtualization Experts </b><br> <hr style="border:none;border-top:1px solid #ccc;"> <table style="width: 522px"> <tbody> <tr> <td style="width: 130px;font-size: 10px">Tel: 053 20 30 270</td> <td style="width: 130px;font-size: 10px"><a class="moz-txt-link-abbreviated" href="mailto:info@netbulae.eu">info@netbulae.eu</a></td> <td style="width: 130px;font-size: 10px">Staalsteden 4-3A</td> <td style="width: 130px;font-size: 10px">KvK 08198180</td> </tr> <tr> <td style="width: 130px;font-size: 10px">Fax: 053 20 30 271</td> <td style="width: 130px;font-size: 10px"><a class="moz-txt-link-abbreviated" href="http://www.netbulae.eu">www.netbulae.eu</a></td> <td style="width: 130px;font-size: 10px">7547 TA Enschede</td> <td style="width: 130px;font-size: 10px">BTW NL821234584B01</td> </tr> </tbody> </table> <br> <hr style="border:none;border-top:1px solid #ccc;"><br> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Users@ovirt.org">Users@ovirt.org</a> <a class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/users">http://... </pre> </blockquote> <br> </body> </html> --------------010300080002000006010702--