Re: [Users] API read-only access / roles
----- Original Message -----
From: "Itamar Heim" <iheim(a)redhat.com>
To: "Sven Kieske" <S.Kieske(a)mittwald.de>, "Users(a)ovirt.org
List" <Users(a)ovirt.org>, "Yair Zaslavsky"
<yzaslavs(a)redhat.com>
Sent: Wednesday, March 26, 2014 12:46:28 PM
Subject: Re: [Users] API read-only access / roles
On 03/26/2014 06:39 AM, Sven Kieske wrote:
>
>
> Am 26.03.2014 11:21, schrieb Itamar Heim:
>> On 03/26/2014 06:16 AM, Sven Kieske wrote:
>>> Hi,
>>>
>>> as we now have setup ldap, now the question which
>>> never got answered in the first place:
>>>
>>> 1.
>>> which rights do I need for read only access?
>>>
>>> as stated in BZ just login rights won't suffice.
>>
>> an admin role with login? why not?
>> i thought we even pre-created such a default read only role by now:
>> Bug 1038222 - [RFE] Read Only Admin role in AP
>>
>> (and you can create one yourself in 3.3 as well iirc)
>>
> What would happen if I create this user myself
> and I want to upgrade to 3.4 somewhere in time?
>
> My guess would be the upgrade would fail if this
> user gets added automatically, because it is already
> there?
>
its not a user. its a system defined role.
you can create a user defined role (with a different name)
you should do this via the GUI in 3.3, not via the db (then the uuid
will be different as well, and no upgrade issues)
Regarding your upgrade question -
I would like to add that although we have a hard-coded internal admin user, your
"read only" user (that is, a user you assigned the role you created) is not a
hard coded one. I don't think we will go for a strategy of adding another
"hardcoded" user for read only , so you should not have upgrade issues.