This is a multi-part message in MIME format. --------------090003020906060406020408 Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit On 10/29/2015 03:56 PM, Ondra Machacek wrote:
On 10/28/2015 11:29 AM, Jorick Astrego wrote:
On 10/26/2015 03:14 PM, Jorick Astrego wrote:
On 10/26/2015 02:57 PM, Ondra Machacek wrote:
On 10/26/2015 02:53 PM, Jorick Astrego wrote:
Hi,
Currently I'm trying to add an ovirt compute resource in forman that is limited to the VM's of the user.
When I give this user the PowerUser role, I cannot access the api:
query execution failed due to insufficient permissions
Are you sending header 'Filter: true' with the request ? If your user is not admin(PowerUserRole is not admin role), you have to use this header.
Hmm, not much response on foreman-users..
I checked the code of fog in my foreman install ( /opt/rh/ruby193/root/usr/share/gems/gems/fog-1.32.0/lib/fog/ovirt/compute.rb ) and it appears to have the correct option merged:
connection_opts[:filtered_api] = options[:ovirt_filtered_api]
But I don't know what url the foreman actually generates, is there any way to capture the login string? I tried setting some DEBUG logging but don't get the output I'm looking for.
<logger category="org.ovirt.engine.core.bll.SearchQuery"> <level name="DEBUG"/> </logger> <logger category="org.ovirt.engine.core.bll.aaa.LoginUserCommand"> <level name="DEBUG"/> </logger> <logger category="org.ovirt.engine.api.restapi.resource.AbstractBackendResource"> <level name="DEBUG"/> </logger>
It depends what url foreman client access. But you can set:
<logger category="org.ovirt.engine.core.bll"> <level name="ALL"/> </logger>
And then you will see what commands was queried with or without the filtered API.
2015-10-29 15:45:45,436 TRACE [org.ovirt.engine.core.bll.GetAllVmsQuery] (ajp-/127.0.0.1:8702-1) [] START, GetAllVmsQuery(VdcQueryParametersBase:{refresh='true', filtered='true'}), log id: 53b3c8b9
^^ This is example of running 'Filter: true' on /api/vms (you can see filtered='true').
But maybe it would be easier to use tcpdump, or some apache module to dump headers.
Met vriendelijke groet, With kind regards,
Jorick Astrego * Netbulae Virtualization Experts * ------------------------------------------------------------------------ Tel: 053 20 30 270 info@netbulae.eu Staalsteden 4-3A KvK 08198180 Fax: 053 20 30 271 www.netbulae.eu 7547 TA Enschede BTW NL821234584B01
------------------------------------------------------------------------
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
--------------090003020906060406020408 Content-Type: text/html; charset=windows-1252 Content-Transfer-Encoding: 8bit <html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <br> <br> <div class="moz-cite-prefix">On 10/29/2015 03:56 PM, Ondra Machacek wrote:<br> </div> <blockquote cite="mid:56323394.8050800@redhat.com" type="cite"> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> <br> <br> <div class="moz-cite-prefix">On 10/28/2015 11:29 AM, Jorick Astrego wrote:<br> </div> <blockquote cite="mid:5630A36D.6000202@netbulae.eu" type="cite"> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> <br> <br> <div class="moz-cite-prefix">On 10/26/2015 03:14 PM, Jorick Astrego wrote:<br> </div> <blockquote cite="mid:562E355D.4030201@netbulae.eu" type="cite"> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> <br> <br> <div class="moz-cite-prefix">On 10/26/2015 02:57 PM, Ondra Machacek wrote:<br> </div> <blockquote cite="mid:562E3143.4010600@redhat.com" type="cite"> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> <br> <br> <div class="moz-cite-prefix">On 10/26/2015 02:53 PM, Jorick Astrego wrote:<br> </div> <blockquote cite="mid:562E3075.5050203@netbulae.eu" type="cite"> <meta http-equiv="content-type" content="text/html; charset=windows-1252"> Hi,<br> <br> Currently I'm trying to add an ovirt compute resource in forman that is limited to the VM's of the user. <br> <br> When I give this user the PowerUser role, I cannot access the api:<br> <br> <blockquote>query execution failed due to insufficient permissions<br> </blockquote> </blockquote> <br> Are you sending header 'Filter: true' with the request ?<br> If your user is not admin(PowerUserRole is not admin role),<br> you have to use this header.<br> <br> <br> </blockquote> <br> </blockquote> <br> Hmm, not much response on foreman-users.. <br> <br> I checked the code of fog in my foreman install ( /opt/rh/ruby193/root/usr/share/gems/gems/fog-1.32.0/lib/fog/ovirt/compute.rb ) and it appears to have the correct option merged:<br> <br> <blockquote> connection_opts[:filtered_api] = options[:ovirt_filtered_api]<br> <br> <br> </blockquote> But I don't know what url the foreman actually generates, is there any way to capture the login string? I tried setting some DEBUG logging but don't get the output I'm looking for.<br> <br> <blockquote> <logger category="org.ovirt.engine.core.bll.SearchQuery"><br> <level name="DEBUG"/><br> </logger><br> <logger category="org.ovirt.engine.core.bll.aaa.LoginUserCommand"><br> <level name="DEBUG"/><br> </logger><br> <logger category="org.ovirt.engine.api.restapi.resource.AbstractBackendResource"><br> <level name="DEBUG"/><br> </logger><br> <br> </blockquote> <br> </blockquote> <br> It depends what url foreman client access. But you can set:<br> <br> <logger category="org.ovirt.engine.core.bll"><br> <level name="ALL"/><br> </logger><br> <br> And then you will see what commands was queried with or without the filtered API.<br> <br> 2015-10-29 15:45:45,436 TRACE [org.ovirt.engine.core.bll.GetAllVmsQuery] (ajp-/127.0.0.1:8702-1) [] START, GetAllVmsQuery(VdcQueryParametersBase:{refresh='true', filtered='true'}), log id: 53b3c8b9<br> <br> ^^ This is example of running 'Filter: true' on /api/vms (you can see filtered='true').<br> </blockquote> <br> But maybe it would be easier to use tcpdump, or some apache module to dump headers.<br> <br> <blockquote cite="mid:56323394.8050800@redhat.com" type="cite"> <br> <blockquote cite="mid:5630A36D.6000202@netbulae.eu" type="cite"> <blockquote><br> <br> </blockquote> <br> <br> <br> <br> <span style="color:#604c78;"><font color="000000"><span style="mso-fareast-language:en-gb;" lang="NL">Met vriendelijke groet, With kind regards,<br> <br> Jorick Astrego<br> </span></font></span><b style="color:#604c78"><br> Netbulae Virtualization Experts </b><br> <hr style="border:none;border-top:1px solid #ccc;"> <table style="width: 522px"> <tbody> <tr> <td style="width: 130px;font-size: 10px">Tel: 053 20 30 270</td> <td style="width: 130px;font-size: 10px"><a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:info@netbulae.eu"><a class="moz-txt-link-abbreviated" href="mailto:info@netbulae.eu">info@netbulae.eu</a></a></td> <td style="width: 130px;font-size: 10px">Staalsteden 4-3A</td> <td style="width: 130px;font-size: 10px">KvK 08198180</td> </tr> <tr> <td style="width: 130px;font-size: 10px">Fax: 053 20 30 271</td> <td style="width: 130px;font-size: 10px"><a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.netbulae.eu"><a class="moz-txt-link-abbreviated" href="http://www.netbulae.eu">www.netbulae.eu</a></a></td> <td style="width: 130px;font-size: 10px">7547 TA Enschede</td> <td style="width: 130px;font-size: 10px">BTW NL821234584B01</td> </tr> </tbody> </table> <br> <hr style="border:none;border-top:1px solid #ccc;"><br> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Users mailing list <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Users@ovirt.org">Users@ovirt.org</a> <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/users">http://lists.ovirt.org/mailman/listinfo/users</a> </pre> </blockquote> <br> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Users@ovirt.org">Users@ovirt.org</a> <a class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/users">http://lists.ovirt.org/mailman/listinfo/users</a> </pre> </blockquote> <br> </body> </html> --------------090003020906060406020408--