The "error: 'str' object has no attribute 'product_info'" was a red herring (mistyped url). The 401 errors for non-admins though are still quite real.

Detailed response inside ...

On Oct 2, 2012, at 1:48 PM, Michael Pasternak wrote:

> Hi Brian,
>
> On 10/02/2012 05:52 PM, Brian Vetter wrote:
>> I also tried a simple connect to the home of the ovirt server in the ovirt-shell:
>>
>> [oVirt shell (disconnected)]# connect https://ovirtserver <user> <pass>
>>
>> error: 'str' object has no attribute 'product_info'
>
> this could happen if you are trying to connect to an SSL site via HTTP protocol,
> btw what sdk/cli version you're using [1]? latest sdk/cli protects against
> this.
>
> [1] run 'info' command in cli

As this turned out, the problem was due to a bad url (transposed characters). Once fixed, I'm back to the 401 error condition.

>> As to your question:
>>
>>> i think you should get an empty list and not a 401 in any case, but just to make sure - you have the user role on a specific VM and you don't see it?
>>
>> Yes, I believe this is true. If the same user logs into the user portal, he can see the VM and start/stop it. From the ovirt admin portal, I see the following permissions
>> for the VM:
>
> does this user have any other role/s besides UserRole?

No, the only role it is given is UserRole. Here is how it was applied:

1) The user was created in my directory server (that was added to the ovirt manager during setup).
2) After creating a new desktop VM, I selected the VM, selected its Permissions tab, and then added the user with the role 'UserRole' to the VM. This was all done in the ovirt-manager web app.
3) I then log in to the user portal with that user account name. After refreshing the VM list (a very minor bug), I see the VM that was assigned to the user.
4) When using the ovirt-shell command, the connect command fails with an error 401 as in the following text:

    [oVirt shell (disconnected)]# connect https://ovirt-serveri/ 'xxx@yyyy' 'pword'

    error: Unauthorized, [Errno: 401]

5) If I add the "DatacenterAdmin" role, the connect command works.
6) Similarly, if I use curl, I get the same HTTPS Status 401 error.

    # curl --cacert $CA_FILE -X GET -H "Filter: true" -u xxx@yyyy:pword https://ovirtserver/api/vms > uservms.xml
    # cat uservms.xml
    <html><head><title>JBoss Web/7.0.0.SNAPSHOT - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This request requires HTTP authentication ().</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/7.0.0.SNAPSHOT</h3></body></html>
    [bjv@eos ~]$

7) I see the following when I use ovirt -d and do the connect:

    send: 'GET /api HTTP/1.1\r\nHost: eos.testcloud.com\r\nAccept-Encoding: identity\r\nPrefer: persistent-auth\r\nContent-type: application/xml\r\nAuthorization: Basic Ymp2ZXR0ZXJAZHJvaWRjbG91ZC5tb2JpOmxvc3QrZm91bmQ=\r\n\r\n'
    reply: 'HTTP/1.1 401 Unauthorized\r\n'
    header: Date: Wed, 03 Oct 2012 03:24:53 GMT
    header: Set-Cookie: JSESSIONID=n3Ex3mxsvzTEM3rlkiHa85mP.undefined; Path=/api; Secure
    header: WWW-Authenticate: Basic realm="ENGINE"
    header: Content-Type: text/html;charset=utf-8
    header: Content-Length: 962
    header: Connection: close

Clearly, the ovirt-shell and curl are making the same request and getting the same error response.

The engine.log file in /var/log/ovirt-engine has the following after I try to connect:

    2012-10-02 22:28:37,489 INFO [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-3) Checking if user bjvetter is an admin, result false
    2012-10-02 22:28:37,490 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-3) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
    2012-10-02 22:28:37,491 INFO [org.ovirt.engine.api.restapi.security.auth.LoginValidator] (ajp--0.0.0.0-8009-3) Login failure, user: bjvetter domain: my.testcloud.com reason: [USER_NOT_AUTHORIZED_TO_PERFORM_ACTION]

So based upon what I see in this log file, it would seem that the connect API wants to make sure that I am an admin and not a regular user.

Which gets me back to my original question: Do the REST API and the ovirt-shell require admin privileges or is there a separate uri namespace for regular users to make requests? Or perhaps more direct, should https://$ovirt-server/api/vms be accessible to non-admins or is there a different url a non-admin should use?

Brian