
Hello, OVirt community!

I have some problems understanding the OVirt (v 3.6.0) API. I'm trying to create a user while specifying his roles, using this signature in a POST call:

    <user>
      <user_name>testuser@saml-auth</user_name>
      <roles>
        <role id="some_role_id1"/>
        <role id="some_role_id2"/>
        <role id="some_role_id3"/>
      </roles>
    </user>

The user is created, but without the roles. The next issue that I encountered is associated with updating an existing user (adding roles to him). I am trying to do a PUT call on .../ovirt-engine/api/users/long_user_id/roles :

    <role id="some_role_id1"/>

But this doesn't work. Please give me insight into what I am doing wrong.

-------------
Sincerely, Konstantin Klymuk.

On 07/25/2016 08:43 AM, Костя Климук wrote:
> Hello, OVirt community!
>
> I have some problems understanding the OVirt (v 3.6.0) API. I'm trying to create a user while specifying his roles, using this signature in a POST call:
>
>     <user>
>       <user_name>testuser@saml-auth</user_name>
>       <roles>
>         <role id="some_role_id1"/>
>         <role id="some_role_id2"/>
>         <role id="some_role_id3"/>
>       </roles>
>     </user>
>
> The user is created, but without the roles. The next issue that I encountered is associated with updating an existing user (adding roles to him). I am trying to do a PUT call on .../ovirt-engine/api/users/long_user_id/roles :
>
>     <role id="some_role_id1"/>
>
> But this doesn't work. Please give me insight into what I am doing wrong.

In order to do this you first need to add the user, as you did, but without the roles (if you include them they will just be ignored):

    POST /ovirt-engine/api/users

    <user>
      <user_name>testuser@saml-auth</user_name>
    </user>

This will return you the added user, including an identifier:

    <user id="the_user_id" href="...">
      ...
    </user>

But you can't directly add a role to a user, because there isn't really a direct relationship between users and roles. Instead you need to add "permissions", and each permission is composed of a user, a role and an object. For example, if you want to add to that user the "ClusterAdmin" role for a specific cluster:

    POST /ovirt-engine/api/users/the_user_id/permissions

    <permission>
      <role id="the_role_id"/>
      <cluster id="the_cluster_id"/>
    </permission>

Alternatively, you can also add the permission using the collection of the object. For example:

    POST /ovirt-engine/api/clusters/the_cluster_id/permissions

    <permission>
      <role id="the_role_id"/>
      <user id="the_user_id"/>
    </permission>

The /users/the_user_id/roles has a rather strange meaning: it displays (read only) the roles of the permissions corresponding to the "system" object. You should probably avoid it completely, and we should probably remove it.

--
Commercial address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain
Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat S.L.
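
Added example, not part of the original thread and not oVirt project code: the two-step flow from the reply above (add the user alone, then grant a role on one object through a permission), built with Python's standard library. The function names, the basic-auth `send` helper and the sample response are assumptions or constructed; the IDs are the thread's placeholders.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

API = "/ovirt-engine/api"
# Only the object type shown in the thread; other collections are not assumed.
COLLECTIONS = {"cluster": "clusters"}

def create_user_request(user_name):
    """Step 1: add the user alone; <roles> in this body would be ignored."""
    user = ET.Element("user")
    ET.SubElement(user, "user_name").text = user_name
    return "POST", f"{API}/users", ET.tostring(user, encoding="unicode")

def user_id_from_response(xml_text):
    """Read the identifier from the <user id="..."> element the engine returns."""
    elem = ET.fromstring(xml_text)
    if elem.tag != "user" or not elem.get("id"):
        raise ValueError("response is not a <user> with an id")
    return elem.get("id")

def permission_request(user_id, role_id, obj_type, obj_id, via="user"):
    """Step 2: a permission ties a user and a role to one object."""
    if obj_type not in COLLECTIONS:
        raise ValueError(f"unsupported object type: {obj_type}")
    perm = ET.Element("permission")
    ET.SubElement(perm, "role", id=role_id)
    if via == "user":      # POST to the user's permissions, name the object
        ET.SubElement(perm, obj_type, id=obj_id)
        path = f"{API}/users/{user_id}/permissions"
    elif via == "object":  # POST to the object's permissions, name the user
        ET.SubElement(perm, "user", id=user_id)
        path = f"{API}/{COLLECTIONS[obj_type]}/{obj_id}/permissions"
    else:
        raise ValueError("via must be 'user' or 'object'")
    return "POST", path, ET.tostring(perm, encoding="unicode")

def send(base_url, login, password, request):
    """Send one request with HTTP basic auth (assumed auth method)."""
    method, path, body = request
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + path, data=body.encode(), method=method,
        headers={"Content-Type": "application/xml", "Accept": "application/xml",
                 "Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    # Constructed sample response, so the script runs without an engine.
    uid = user_id_from_response('<user id="the_user_id" href="..."/>')
    print(create_user_request("testuser@saml-auth"))
    print(permission_request(uid, "the_role_id", "cluster", "the_cluster_id"))
    print(permission_request(uid, "the_role_id", "cluster", "the_cluster_id", "object"))
```

Granting each role through a permission on a specific object keeps the grant scoped to that object, so review the object ID as carefully as the role ID before sending.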
participants (2)
- Juan Hernández
- Костя Климук