
The "error: 'str' object has no attribute 'product_info'" was a red herring (mistyped URL). The 401 errors for non-admins, though, are still quite real.

Detailed response inside ...

On Oct 2, 2012, at 1:48 PM, Michael Pasternak wrote:

> Hi Brian,
>
> On 10/02/2012 05:52 PM, Brian Vetter wrote:
>> I also tried a simple connect to the home of the ovirt server in the ovirt-shell:
>>
>>     [oVirt shell (disconnected)]# connect https://ovirtserver <user> <pass>
>>
>>     error: 'str' object has no attribute 'product_info'
>
> this could happen if you are trying to connect to an SSL site via the HTTP protocol,
> btw what sdk/cli version you're using [1]? latest sdk/cli protects against
> this.
>
> [1] run 'info' command in cli

As this turned out, the problem was due to a bad URL (transposed characters). Once fixed, I'm back to the 401 error condition.

>> As to your question:
>>
>>> i think you should get an empty list and not a 401 in any case, but just to make sure - you have the user role on a specific VM and you don't see it?
>>
>> Yes, I believe this is true. If the same user logs into the user portal, he can see the VM and start/stop it. From the ovirt admin portal, I see the following permissions
>> for the VM:
>
> does this user have any other role/s besides UserRole?

No, the only role it is given is UserRole. Here is how it was applied:

1) The user was created in my directory server (that was added to the ovirt manager during setup).
2) After creating a new desktop VM, I selected the VM, selected its Permissions tab, and then added the user with the role 'UserRole' to the VM. This was all done in the ovirt-manager web app.
3) I then log in to the user portal with that user account name. After refreshing the VM list (a very minor bug), I see the VM that was assigned to the user.
4) When using the ovirt-shell command, the connect command fails with an error 401 as in the following text:

    [oVirt shell (disconnected)]# connect https://ovirt-serveri/ 'xxx@yyyy' 'pword'

    error: Unauthorized, [Errno: 401]

5) If I add the "DatacenterAdmin" role, the connect command works.
6) Similarly, if I use curl, I get the same HTTPS Status 401 error.

    # curl --cacert $CA_FILE -X GET -H "Filter: true" -u xxx@yyyy:pword https://ovirtserver/api/vms > uservms.xml
    # cat uservms.xml
    <html><head><title>JBoss Web/7.0.0.SNAPSHOT - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This request requires HTTP authentication ().</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/7.0.0.SNAPSHOT</h3></body></html>[bjv@eos ~]$

7) I see the following when I use ovirt -d and do the connect:

    send: 'GET /api HTTP/1.1\r\nHost: eos.testcloud.com\r\nAccept-Encoding: identity\r\nPrefer: persistent-auth\r\nContent-type: application/xml\r\nAuthorization: Basic Ymp2ZXR0ZXJAZHJvaWRjbG91ZC5tb2JpOmxvc3QrZm91bmQ=\r\n\r\n'
    reply: 'HTTP/1.1 401 Unauthorized\r\n'
    header: Date: Wed, 03 Oct 2012 03:24:53 GMT
    header: Set-Cookie: JSESSIONID=n3Ex3mxsvzTEM3rlkiHa85mP.undefined; Path=/api; Secure
    header: WWW-Authenticate: Basic realm="ENGINE"
    header: Content-Type: text/html;charset=utf-8
    header: Content-Length: 962
    header: Connection: close

Clearly, the ovirt-shell and curl are making the same request and getting the same error response.

The engine.log file in /var/log/ovirt-engine has the following after I try to connect:

    2012-10-02 22:28:37,489 INFO [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-3) Checking if user bjvetter is an admin, result false
    2012-10-02 22:28:37,490 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-3) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
    2012-10-02 22:28:37,491 INFO [org.ovirt.engine.api.restapi.security.auth.LoginValidator] (ajp--0.0.0.0-8009-3) Login failure, user: bjvetter domain: my.testcloud.com reason: [USER_NOT_AUTHORIZED_TO_PERFORM_ACTION]

So based upon what I see in this log file, it would seem that the connect API wants to make sure that I am an admin and not a regular user.

Which gets me back to my original question: Do the REST API and the ovirt-shell require admin privileges or is there a separate URI namespace for regular users to make requests? Or perhaps more direct, should https://$ovirt-server/api/vms be accessible to non-admins or is there a different URL a non-admin should use?

Brian
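
The engine.log reading described in the message above, as an added example that is not part of the original e-mail or of oVirt: it groups log lines by worker thread and separates REST login failures that followed a failed admin check from other login failures. The sample lines are constructed in the format quoted in the message; the user `alice` and the reason `CONSTRUCTED_OTHER_REASON` are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the engine.log format quoted in the message.
# "alice" and CONSTRUCTED_OTHER_REASON are placeholders, not real oVirt values.
SAMPLE_LOG = """\
2012-10-02 22:28:37,489 INFO [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-3) Checking if user bjvetter is an admin, result false
2012-10-02 22:28:37,490 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-3) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2012-10-02 22:28:37,491 INFO [org.ovirt.engine.api.restapi.security.auth.LoginValidator] (ajp--0.0.0.0-8009-3) Login failure, user: bjvetter domain: my.testcloud.com reason: [USER_NOT_AUTHORIZED_TO_PERFORM_ACTION]
2012-10-02 22:31:02,115 INFO [org.ovirt.engine.api.restapi.security.auth.LoginValidator] (ajp--0.0.0.0-8009-5) Login failure, user: alice domain: my.testcloud.com reason: [CONSTRUCTED_OTHER_REASON]
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) +(?P<level>\w+) +\[(?P<logger>[^\]]+)\] +\((?P<thread>[^)]+)\) +(?P<msg>.*)$")
ADMIN_CHECK = re.compile(r"Checking if user (?P<user>\S+) is an admin, result (?P<result>true|false)")
FAILURE = re.compile(r"Login failure, user: (?P<user>\S+) domain: (?P<domain>\S+) reason: \[(?P<reason>[^\]]*)\]")


def classify_login_failures(log_text):
    """Return one record per 'Login failure' line, marking failures that the
    same worker thread preceded with an 'is an admin, result false' check."""
    failed_admin_check = defaultdict(set)  # thread -> users that failed the check
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack traces, wrapped lines, anything not in the format
        thread, msg = m["thread"], m["msg"]
        check = ADMIN_CHECK.search(msg)
        if check:
            if check["result"] == "false":
                failed_admin_check[thread].add(check["user"])
            continue
        fail = FAILURE.search(msg)
        if fail:
            user = fail["user"]
            not_admin = user in failed_admin_check[thread]
            failed_admin_check[thread].discard(user)  # consume the pairing
            findings.append({
                "time": m["ts"], "user": user, "domain": fail["domain"],
                "reason": fail["reason"],
                "kind": "rejected-by-admin-check" if not_admin else "other-failure",
            })
    return findings


if __name__ == "__main__":
    for finding in classify_login_failures(SAMPLE_LOG):
        print(finding)
```
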