The user also has the AffinityGroupManager role for the cluster; this role has the permission Manipulate Affinity Groups.

It is the same account that works when using the Python SDK.

2018-11-27 11:36:50,791Z INFO  [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5237) [b225cdb] Running command: CreateUserSessionCommand internal: false.
2018-11-27 11:36:50,988Z INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-5229) [21e2d0fe] EVENT_ID: USER_VDC_LOGIN(30), User secgen@internal-authz connecting from 'x.x.x.x' using session 'mT2aF7+FziRwE3ZZ29y7y2QHidDX4aAquc5fwo5swyLVMxufAyF26JbmDNeN9ylob1+zSSH9JWu4bBDt2wdHGw==' logged in.
2018-11-27 11:36:51,081Z INFO  [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-5233) [] User xxxx@internal successfully logged in with scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:passw..d-access
2018-11-27 11:36:51,154Z INFO  [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5233) [1d0e61f8] Running command: CreateUserSessionCommand internal: false.
2018-11-27 11:36:51,604Z INFO  [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] No permission found for user 'd5b7e8f0-603e-47c5-a420-1f5f6834aa02' or one of the groups he is member of, when running action 'AddAffinityGroup', Required permissions are: Action type: 'ADMIN' Action group: 'MANIPULATE_AFFINITY_GROUPS' Object type: 'Cluster'  Object ID: 'beac8771-1dbc-4046-99b1-c17d072fb27f'.
2018-11-27 11:36:51,604Z WARN  [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] Validation of action 'AddAffinityGroup' failed for user xxxx@internal-authz. Reasons: VAR__TYPE__AFFINITY_GROUP,VAR__ACTION__ADD,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2018-11-27 11:36:51,606Z ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (default task-5233) [] Operation Failed: [User is not authorized to perform this action.]

Regards,
                Paul S.
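
The engine.log lines in the message above name the permission the check wanted (action type, action group, object type and ID). The following is an added example, not code from the thread or from oVirt: it extracts those fields and joins them to the login name through the bracketed correlation ID. The sample lines are constructed in the quoted format with placeholder IDs, and the function name is hypothetical.

```python
import re

# Constructed sample in the engine.log format quoted above (IDs are placeholders).
SAMPLE_LOG = """\
2018-11-27 11:36:51,154Z INFO  [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-1) [aaaa1111] Running command: CreateUserSessionCommand internal: false.
2018-11-27 11:36:51,604Z INFO  [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default task-1) [corr-0001] No permission found for user '00000000-0000-0000-0000-000000000001' or one of the groups he is member of, when running action 'AddAffinityGroup', Required permissions are: Action type: 'ADMIN' Action group: 'MANIPULATE_AFFINITY_GROUPS' Object type: 'Cluster'  Object ID: '00000000-0000-0000-0000-0000000000c1'.
2018-11-27 11:36:51,604Z WARN  [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default task-1) [corr-0001] Validation of action 'AddAffinityGroup' failed for user demo@internal-authz. Reasons: VAR__TYPE__AFFINITY_GROUP,VAR__ACTION__ADD,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
"""

# timestamp, level, [logger], (thread), [correlation id], message
PREFIX = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>\w+)\s+\[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) \[(?P<corr>[^\]]*)\] (?P<msg>.*)$")
DENIED = re.compile(
    r"No permission found for user '(?P<user_id>[^']+)'.*?"
    r"when running action '(?P<action>[^']+)', Required permissions are: "
    r"Action type: '(?P<action_type>[^']+)' Action group: '(?P<action_group>[^']+)' "
    r"Object type: '(?P<object_type>[^']+)'\s+Object ID: '(?P<object_id>[^']+)'")
FAILED = re.compile(
    r"Validation of action '[^']+' failed for user (?P<user>\S+)\. Reasons: (?P<reasons>\S+)")


def authorization_denials(log_text):
    """Return one dict per denied action, keyed internally by correlation ID."""
    denials = {}
    for line in log_text.splitlines():
        head = PREFIX.match(line)
        if not head:
            continue  # wrapped continuation lines or other formats
        corr, msg = head["corr"], head["msg"]
        denied = DENIED.search(msg)
        if denied:
            denials[corr] = {"time": head["ts"], "correlation_id": corr,
                             **denied.groupdict()}
            continue
        failed = FAILED.search(msg)
        if (failed and corr in denials
                and "USER_NOT_AUTHORIZED_TO_PERFORM_ACTION" in failed["reasons"]):
            denials[corr]["user"] = failed["user"]  # login name for the same request
    return list(denials.values())
```

Comparing `action_type`, `action_group` and `object_id` from the result against the roles actually assigned to the account shows which part of the required permission the engine did not find.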



From: Schreuders, Cliffe
Sent: 27 November 2018 11:55
To: Ondra Machacek; Staniforth, Paul
Cc: Andrej Krejcir; users; Shaw, Thomas
Subject: Re: [ovirt-users] AffinityGroup API
 
Hi Ondra,

Thanks. Here is a sample script that illustrates the problem. The same error occurs when adding a VM to an existing affinity group.

Sample code:
require 'ovirtsdk4'

# Connection settings; URL and credentials are redacted placeholders.
conn_attr = {}
conn_attr[:url] = 'https://XXXX/ovirt-engine/api'
conn_attr[:username] = 'XXXX'
conn_attr[:password] = 'XXXX'
conn_attr[:debug] = true
# Send the 'Filter' header with every request made on this connection.
conn_attr[:headers] = {'Filter' => true }

ovirt_connection = OvirtSDK4::Connection.new(conn_attr)
vms_service = ovirt_connection.system_service.vms_service
clusters_service = ovirt_connection.system_service.clusters_service
# Locate the 'Default' cluster and the service managing its affinity groups.
cluster = clusters_service.list(search: 'name=Default')[0]
cluster_service = clusters_service.cluster_service(cluster.id)
cluster_affinitygroups_service = cluster_service.affinity_groups_service

begin
  affinity_group_name = "affinity_group_test123"
  puts "Creating affinity group: #{affinity_group_name}"

  # Create a positive, enforcing VM affinity group in the cluster.
  cluster_affinitygroups_service.add(OvirtSDK4::AffinityGroup.new(
     name: affinity_group_name,
     description: 'a description',
     vms_rule: OvirtSDK4::AffinityRule.new(
          enabled: true,
          positive: true,
          enforcing: true
     )
  ))
rescue StandardError => e
  # Report the fault returned by the engine.
  warn "Failed to create affinity group"
  warn e.message
end

Output:
cliffe@office:~/Code/ovirt_scripts$ ruby add_affinity_group.rb
Creating affinity group: affinity_group_test123
Failed to create affinity group
Fault reason is "Operation Failed". Fault detail is "[User is not authorized to perform this action.]". HTTP response code is 400.

The user has ReadOnlyAdmin permissions.

I would be happy to be told if I'm doing something wrong here; I didn't find any Ruby examples that worked with affinity groups.

Paul, could you please provide the engine.log entries? Thanks.

Cheers,

Cliffe.

On 27/11/2018 10:04, Ondra Machacek wrote:
Can you please share the script? And also, what are the permissions of the
user you are executing the script as?

When you see the error 'User is not authorized to perform the action', we print
in engine.log exactly what's wrong, meaning we print what permissions
the user is missing in order to execute that action. So it may help you
find out what's wrong as well.

On 11/26/18 5:35 PM, Schreuders, Cliffe wrote:
Yes, the related issue we came across was that when using the Ruby gem,
assigning a VM to an Affinity Group raises an exception that states the
User is not authorized to perform the action; however, using the same
account works fine from the Admin portal and carrying out the exact same
steps via the Python SDK works as expected. The end result is that we
ended up calling a Python script from our Ruby code just to set the
affinity group.

Thanks, Paul.

On 26/11/2018 12:11, Staniforth, Paul wrote:
Hi Andrej

I believe they are using 4.2.5; they get a permission error, although they can use the Python SDK with the same account.

Paul S.
________________________________________
From: Ondra Machacek <omachace@redhat.com>
Sent: 26 November 2018 11:41
To: Staniforth, Paul
Cc: Andrej Krejcir; users
Subject: Re: [ovirt-users] AffinityGroup API

What version of the SDK do you use?
I can see it's supported in the latest version.

On 11/26/18 11:13 AM, Andrej Krejcir wrote:
Hi,

I don't know much about the Ruby SDK. I think the SDKs for various languages
are generated from the API specification.

Ondra, is this a bug in the Ruby SDK?


Andrej

On Fri, 23 Nov 2018 at 18:06, Staniforth, Paul <
P.Staniforth@leedsbeckett.ac.uk> wrote:

Hello Andrej,

Also, the Affinity Groups apparently aren't available
in the Ruby SDK; should I add this to the bug report?


Thanks,

                Paul S.
------------------------------
From: Andrej Krejcir <akrejcir@redhat.com>
Sent: 21 November 2018 13:32
To: Staniforth, Paul
Cc: users
Subject: Re: [ovirt-users] AffinityGroup API

Hi,

Yes, the AffinityGroupHosts is missing. Can you please open a bug[1] so we
can add it?

As a workaround, the hosts can be modified by PUT request to the
AffinityGroup endpoint directly, for example:

PUT /ovirt-engine/api/clusters/1234/affinitygroups/5678
<affinity_group>
       <hosts>
           <host id="123456789"/>
           <host id="987654321"/>
       </hosts>
</affinity_group>

However, this will replace all hosts in the affinity group with the hosts
listed.


Best regards,
Andrej


[1] - https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine

On Wed, 21 Nov 2018 at 13:26, <p.staniforth@leedsbeckett.ac.uk> wrote:

Hello,
When using the API to update an AffinityGroup there is an
AffinityGroupVm and AffinityGroupVms, so I can add or remove VMs, but there
is no AffinityGroupHost or AffinityGroupHosts; therefore I can't add or
remove hosts.

Thanks,
                Paul S.
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BUMDJ34JRLDHSE6CPUVZOD3I2TI2YBQD/

To view the terms under which this email is distributed, please go to:-
http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html
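
Andrej Krejcir's PUT workaround replaces every host in the affinity group with the hosts listed, so adding or removing a single host means reading the current list first and sending back the full merged list. The following is an added example, not code from the thread or from the oVirt SDK: it builds that PUT body from a GET response. It assumes the GET on the same endpoint returns the hosts in the same `<hosts>` layout as the PUT body; the sample document and the function name are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed GET response for an affinity group (IDs are placeholders).
CURRENT_GROUP_XML = """\
<affinity_group id="5678">
  <name>example_group</name>
  <hosts>
    <host id="123456789"/>
    <host id="987654321"/>
  </hosts>
</affinity_group>"""


def build_hosts_update(current_xml, add=(), remove=()):
    """Return (host ids, PUT body) keeping current hosts, minus remove, plus add."""
    current = ET.fromstring(current_xml)
    if current.tag != "affinity_group":
        raise ValueError("expected an <affinity_group> document")
    existing = [h.get("id") for h in current.findall("./hosts/host")]
    if any(not host_id for host_id in existing):
        # A host without an id would silently drop out of the replaced list.
        raise ValueError("host element without id; refusing to build a partial list")
    missing = [h for h in remove if h not in existing]
    if missing:
        raise ValueError(f"cannot remove hosts not in the group: {missing}")
    wanted = [h for h in existing if h not in set(remove)]
    for host_id in add:
        if host_id not in wanted:  # keep the list free of duplicates
            wanted.append(host_id)
    # The body carries only <hosts>, as in the workaround shown in the thread.
    body = ET.Element("affinity_group")
    hosts = ET.SubElement(body, "hosts")
    for host_id in wanted:
        ET.SubElement(hosts, "host", id=host_id)
    return wanted, ET.tostring(body, encoding="unicode")
```

Because the PUT is a full replacement, a change made by someone else between the GET and the PUT is overwritten; re-reading the group after the update confirms the final host list.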
