[Users] API read-only access / roles

I'm working on (Zabbix) monitoring through the RESTful API. Which role should I assign to the monitoring user?

The user only needs read access to the data but it looks like I need to assign at least an "Admin" role to the user to be able to read data through the API. For this I've created an "AdminLoginOnly" role that only has System->Configure System->Login Permissions access. Is this the way to go for this kind of configuration? Or is there a way to further minimize the permissions of this user?

Another issue is that a "Login" event is generated every time the user connects through the API. This makes the "Events" pane less useful / readable. Is there a way to disable this for some users/roles?

On Mon, 2013-11-18 at 16:46 +0100, Sander Grendelman wrote:
> I'm working on (Zabbix) monitoring through the RESTful API.

Very nice - do you use my check_rhev3 Nagios plugin (https://github.com/ovido/check_rhev3) or are you working on your own script?

> Which role should I assign to the monitoring user?
> The user only needs read access to the data but it looks like I need to assign at least an "Admin" role to the user to be able to read data through the API.
> For this I've created an "AdminLoginOnly" role that only has System->Configure System->Login Permissions access.
> Is this the way to go for this kind of configuration? Or is there a way to further minimize the permissions of this user?

I create a custom role with these permissions for Nagios monitoring, too. I was thinking that in oVirt 3.3 there should be a predefined viewers-role, but can't find it in my setup :(

> Another issue is that a "Login" event is generated every time the user connects through the API. This makes the "Events" pane less useful / readable. Is there a way to disable this for some users/roles?

It depends if you have your own script or check_rhev3:
- check_rhev3 1.2: use option -o
- check_rhev3 1.3: you should not see any login information in this version anymore
- custom script: see this page on information how to use the JSESSIONID cookie: http://www.ovirt.org/Features/RESTSessionManagement

Regards,
René

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

On Mon, Nov 18, 2013 at 5:18 PM, René Koch (ovido) <r.koch@ovido.at> wrote:
> Very nice - do you use my check_rhev3 Nagios plugin (https://github.com/ovido/check_rhev3) or are you working on your own script?

At the moment: both. The problem with using Nagios scripts in Zabbix is that the trigger/alarm decision is made in different places. In Nagios this is done in the check scripts / on the "client" side while Zabbix mainly collects data and fires triggers if certain conditions in that data are met. New(er) Zabbix versions also have a feature called "low level discovery" that automatically creates items. It also seems that there is better RESTful/ovirt API support in python so I'm giving that a try too. Although perl is usually my poison of choice too ;)

>> For this I've created an "AdminLoginOnly" role that only has System->Configure System->Login Permissions access.
>> Is this the way to go for this kind of configuration? Or is there a way to further minimize the permissions of this user?
> I create a custom role with these permissions for Nagios monitoring, too. I was thinking that in oVirt 3.3 there should be a predefined viewers-role, but can't find it in my setup :(

OK, that would have been nice, do you have any history on this one?

>> Another issue is that a "Login" event is generated every time the user connects through the API. This makes the "Events" pane less useful / readable. Is there a way to disable this for some users/roles?
> It depends if you have your own script or check_rhev3:
> - check_rhev3 1.2: use option -o
> - check_rhev3 1.3: you should not see any login information in this version anymore
> - custom script: see this page on information how to use the JSESSIONID cookie: http://www.ovirt.org/Features/RESTSessionManagement

Thanks for the info, I'll look into this. It does make the logic in the script a bit harder because you have to store the sessionid somewhere and check if the session is still valid.

On Tue, 2013-11-19 at 09:55 +0100, Sander Grendelman wrote:
> On Mon, Nov 18, 2013 at 5:18 PM, René Koch (ovido) <r.koch@ovido.at> wrote:
>> Very nice - do you use my check_rhev3 Nagios plugin (https://github.com/ovido/check_rhev3) or are you working on your own script?
> At the moment: both. The problem with using Nagios scripts in Zabbix is that the trigger/alarm decision is made in different places. In Nagios this is done in the check scripts / on the "client" side while Zabbix mainly collects data and fires triggers if certain conditions in that data are met.

Yes that's true. Maybe adding a Zabbix compatibility mode for check_rhev3 could also be an option where no decisions about the status are made in the script so you can let Zabbix triggers handle this? Anyway I think you're much more experienced with Zabbix than I am, so you probably know better what's the best solution for monitoring oVirt with Zabbix...

> New(er) Zabbix versions also have a feature called "low level discovery" that automatically creates items.
> It also seems that there is better RESTful/ovirt API support in python so I'm giving that a try too. Although perl is usually my poison of choice too ;)

Yes, the Python SDK is really good. But as I'm more experienced with Perl I don't use it often...

>>> For this I've created an "AdminLoginOnly" role that only has System->Configure System->Login Permissions access.
>>> Is this the way to go for this kind of configuration? Or is there a way to further minimize the permissions of this user?
>> I create a custom role with these permissions for Nagios monitoring, too. I was thinking that in oVirt 3.3 there should be a predefined viewers-role, but can't find it in my setup :(
> OK, that would have been nice, do you have any history on this one?
>>> Another issue is that a "Login" event is generated every time the user connects through the API. This makes the "Events" pane less useful / readable. Is there a way to disable this for some users/roles?
>> It depends if you have your own script or check_rhev3:
>> - check_rhev3 1.2: use option -o
>> - check_rhev3 1.3: you should not see any login information in this version anymore
>> - custom script: see this page on information how to use the JSESSIONID cookie: http://www.ovirt.org/Features/RESTSessionManagement
> Thanks for the info, I'll look into this.
> It does make the logic in the script a bit harder because you have to store the sessionid somewhere and check if the session is still valid.

I'm not sure if Session management works out of the box in Python SDK (I think so), so maybe the Python SDK can be the best solution when starting new scripts for Zabbix...

Regards,
René
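
The session reuse discussed in this thread (keep the JSESSIONID, log in again only when it has expired), as an added Python example that is not part of the original messages or of check_rhev3. It assumes the engine honours a `Prefer: persistent-auth` request header and returns the session in a `JSESSIONID` cookie; the function names, the cache-file layout and the injectable `send` transport are hypothetical.

```python
import base64, os
import urllib.error, urllib.request
from http.cookies import SimpleCookie

PREFER = {"Prefer": "persistent-auth"}  # assumed header: keep the session open

def load_session(path):
    """Return the cached JSESSIONID, or None if missing or readable by others."""
    try:
        if os.stat(path).st_mode & 0o077:
            return None  # group/world-accessible cache: do not trust it
        with open(path) as fh:
            return fh.read().strip() or None
    except FileNotFoundError:
        return None

def save_session(path, sid):
    """Write the session id to a file only the owner can read."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a pre-existing file
    with os.fdopen(fd, "w") as fh:
        fh.write(sid)

def http_send(url, headers):
    """Real transport: one GET (TLS verified by default) -> (status, headers, body)."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
            return r.status, r.headers, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers, e.read()

def api_get(url, user, password, cache, send=http_send):
    """GET url with the cached session; fall back to Basic auth on 401."""
    sid = load_session(cache)
    if sid:
        status, _, body = send(url, {**PREFER, "Cookie": "JSESSIONID=" + sid})
        if status != 401:
            return status, body  # session still valid: no new login
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    status, hdrs, body = send(url, {**PREFER, "Authorization": "Basic " + token})
    cookie = SimpleCookie(hdrs.get("Set-Cookie") or "")
    if status == 200 and "JSESSIONID" in cookie:
        save_session(cache, cookie["JSESSIONID"].value)
    return status, body
```

Each cache hit avoids a new Basic-auth login and with it a new "Login" event. The cached session id is a bearer credential for the monitoring user, so keep the cache file in a directory only that user can write to.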

Hello Sander,

where can I find more information about your zabbix monitoring plugin? We are using zabbix and also rhev and ovirt so I can (and would like to) test it.

thanks

Jiri

On 18.11.2013 16:46, Sander Grendelman wrote:
> I'm working on (Zabbix) monitoring through the RESTful API.
> Which role should I assign to the monitoring user?
> The user only needs read access to the data but it looks like I need to assign at least an "Admin" role to the user to be able to read data through the API.
> For this I've created an "AdminLoginOnly" role that only has System->Configure System->Login Permissions access.
> Is this the way to go for this kind of configuration? Or is there a way to further minimize the permissions of this user?
> Another issue is that a "Login" event is generated every time the user connects through the API. This makes the "Events" pane less useful / readable. Is there a way to disable this for some users/roles?
participants (3)
- Jiří Sléžka
- René Koch (ovido)
- Sander Grendelman