I've done two different things. First, I associated one of my groups in my directory with being a VMUser which gave members access to a particular VM. If I login with one of those users via the User portal, I can see their VM (or VMs if I do more than one). If I use the REST API (or ovirt-shell) using this user's account and password, I get an unauthorized error. Similarly, I have another group that is assigned the DomainManager role. If I add this other user to that group, when I login with that user via the user portal, I see the advanced portal. If I use the REST-API (using curl) or ovirt-shell and use the user's login information, I now am authorized and see a list of VMs returned as XML (in the case of curl). That said, I see all VMs in the system, not just the one assigned to the user that logged in. So this makes me think that either the REST API for getting the APIs as suggested by the article is an administrative API and there is either (a) a different rest API/uri that returns the logged in user's vms (the list that would be returned to the portal) or (b) no way to get a particular user's list of VMs authenticated as the user. Brian On Oct 1, 2012, at 10:49 PM, Yair Zaslavsky wrote:

Hi Brian, I looked at the wiki - I assume you're referring to the "showVm" part. Have you assigned any permissions to the user that is supposed to view the VMs? I assume you created the VMs with the administrator user, so any other user will require to have a proper permissions in order to view these VMs

Yair

On 10/02/2012 05:09 AM, Brian Vetter wrote:

...

I was trying to use both the rest api to view a user's vm information. I found that the REST APIs always returned an authentication error if the account I had logged into was not an ovirt administrator. I am guessing that either (a) I am using the wrong URL in the REST api or (b) you must be some kind of admin to access the REST APIs. I noticed the same behavior when I was using the ovirt-shell tool.

For example, I was trying to follow the instructions in http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal to get the list of VMs (presumably for the user that is logging in), I get an unauthorized error. If the user account I login with in the curl or ovirt-shell connect statement is an admin, I get the list of VMs.

So my question here is does the REST-API need admin privileges or am I using a url that requires admin privileges whereas some others don't. And if it is the latter, is there somewhere that documents the various rest api resources? For example, to go back to the "How to connect to Spice console ..." article, how would one use the REST API to fetch one's virtual machines, their status, and connection info for them?

Thanks,

Brian

_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

----- Original Message -----

From: "Itamar Heim" <iheim@redhat.com> To: "Brian Vetter" <bjvetter@gmail.com> Cc: users@ovirt.org Sent: Tuesday, October 2, 2012 3:15:34 AM Subject: Re: [Users] Authentication for REST APIs?

On 10/02/2012 06:28 AM, Brian Vetter wrote:

...

I've done two different things. First, I associated one of my groups in my directory with being a VMUser which gave members access to a particular VM. If I login with one of those users via the User portal, I can see their VM (or VMs if I do more than one). If I use the REST API (or ovirt-shell) using this user's account and password, I get an unauthorized error.

Similarly, I have another group that is assigned the DomainManager role. If I add this other user to that group, when I login with that user via the user portal, I see the advanced portal. If I use the REST-API (using curl) or ovirt-shell and use the user's login information, I now am authorized and see a list of VMs returned as XML (in the case of curl).

That said, I see all VMs in the system, not just the one assigned to the user that logged in. So this makes me think that either the REST API for getting the APIs as suggested by the article is an administrative API and there is either (a) a different rest API/uri that returns the logged in user's vms (the list that would be returned to the portal) or (b) no way to get a particular user's list of VMs authenticated as the user.

you need to specify to the api you want to view things in "user mode" via the filter header. Example: curl -X GET -H "Filter: true" -u user@domain:password http://[servername]:PORT/api/vms

Yes, and if using the SDK set filter=true when calling the API constructor (is there a reason filtered isn't the default? Wouldn't this suit both uses - admin/non-admin - better?). Steve

Adding the "Filter:true" header to the curl request doesn't change anything. If the user account is not an admin account, I get a 401 status result. So my question still stands, can the REST API be used by a mere, non-admin "mortal" or is it only for administrative functions? I'm in the process of trying to hook up a different client to a VM managed by ovirt. I can't use the user portal app. So I was trying to use the REST APIs on behalf of a normal, non-admin user to get the list of the authenticating user's VMs and their connection information. Brian On Oct 2, 2012, at 2:15 AM, Itamar Heim wrote:

On 10/02/2012 06:28 AM, Brian Vetter wrote:

...

I've done two different things. First, I associated one of my groups in my directory with being a VMUser which gave members access to a particular VM. If I login with one of those users via the User portal, I can see their VM (or VMs if I do more than one). If I use the REST API (or ovirt-shell) using this user's account and password, I get an unauthorized error.

Similarly, I have another group that is assigned the DomainManager role. If I add this other user to that group, when I login with that user via the user portal, I see the advanced portal. If I use the REST-API (using curl) or ovirt-shell and use the user's login information, I now am authorized and see a list of VMs returned as XML (in the case of curl).

That said, I see all VMs in the system, not just the one assigned to the user that logged in. So this makes me think that either the REST API for getting the APIs as suggested by the article is an administrative API and there is either (a) a different rest API/uri that returns the logged in user's vms (the list that would be returned to the portal) or (b) no way to get a particular user's list of VMs authenticated as the user.

you need to specify to the api you want to view things in "user mode" via the filter header. Example: curl -X GET -H "Filter: true" -u user@domain:password http://[servername]:PORT/api/vms

...

Brian

On Oct 1, 2012, at 10:49 PM, Yair Zaslavsky wrote:

...

Hi Brian, I looked at the wiki - I assume you're referring to the "showVm" part. Have you assigned any permissions to the user that is supposed to view the VMs? I assume you created the VMs with the administrator user, so any other user will require to have a proper permissions in order to view these VMs

Yair

On 10/02/2012 05:09 AM, Brian Vetter wrote:

...

I was trying to use both the rest api to view a user's vm information. I found that the REST APIs always returned an authentication error if the account I had logged into was not an ovirt administrator. I am guessing that either (a) I am using the wrong URL in the REST api or (b) you must be some kind of admin to access the REST APIs. I noticed the same behavior when I was using the ovirt-shell tool.

For example, I was trying to follow the instructions in http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal to get the list of VMs (presumably for the user that is logging in), I get an unauthorized error. If the user account I login with in the curl or ovirt-shell connect statement is an admin, I get the list of VMs.

So my question here is does the REST-API need admin privileges or am I using a url that requires admin privileges whereas some others don't. And if it is the latter, is there somewhere that documents the various rest api resources? For example, to go back to the "How to connect to Spice console ..." article, how would one use the REST API to fetch one's virtual machines, their status, and connection info for them?

Thanks,

Brian

--Apple-Mail=_FBAAF558-58A9-43D9-B460-DA3E9D65E32B Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=iso-8859-1

3.1 added support for non admin to use the api. i.e., this should work. which specific version are you using?

On 10/02/2012 04:52 PM, Brian Vetter wrote:

...

Adding the "Filter:true" header to the curl request doesn't change = anything. If the user account is not an admin account, I get a 401 = status result. So my question still stands, can the REST API be used by = a mere, non-admin "mortal" or is it only for administrative functions? =20 I'm in the process of trying to hook up a different client to a VM = managed by ovirt. I can't use the user portal app. So I was trying to = use the REST APIs on behalf of a normal, non-admin user to get the list = of the authenticating user's VMs and their connection information. =20 3.1 added support for non admin to use the api. i.e., this should work. which specific version are you using? =20 =20 Brian =20 On Oct 2, 2012, at 2:15 AM, Itamar Heim wrote: =20

...

On 10/02/2012 06:28 AM, Brian Vetter wrote:

...

I've done two different things. First, I associated one of my = groups in my directory with being a VMUser which gave members access to = a particular VM. If I login with one of those users via the User portal, = I can see their VM (or VMs if I do more than one). If I use the REST API = (or ovirt-shell) using this user's account and password, I get an = unauthorized error. =20 Similarly, I have another group that is assigned the DomainManager = role. If I add this other user to that group, when I login with that = user via the user portal, I see the advanced portal. If I use the = REST-API (using curl) or ovirt-shell and use the user's login = information, I now am authorized and see a list of VMs returned as XML = (in the case of curl). =20 That said, I see all VMs in the system, not just the one assigned = to the user that logged in. So this makes me think that either the REST = API for getting the APIs as suggested by the article is an = administrative API and there is either (a) a different rest API/uri that = returns the logged in user's vms (the list that would be returned to the =

...

...

=20 you need to specify to the api you want to view things in "user = mode" via the filter header. Example: curl -X GET -H "Filter: true" -u user@domain:password = http://[servername]:PORT/api/vms =20 =20 =20

...

=20 Brian =20 On Oct 1, 2012, at 10:49 PM, Yair Zaslavsky wrote: =20

...

Hi Brian, I looked at the wiki - I assume you're referring to the "showVm" part. Have you assigned any permissions to the user that is supposed to = view the VMs? I assume you created the VMs with the administrator user, so any = other user will require to have a proper permissions in order to view =

...

...

...

...

=20 Yair =20 =20 On 10/02/2012 05:09 AM, Brian Vetter wrote:

...

I was trying to use both the rest api to view a user's vm = information. I found that the REST APIs always returned an = authentication error if the account I had logged into was not an ovirt = administrator. I am guessing that either (a) I am using the wrong URL in =

...

...

...

...

...

=20 For example, I was trying to follow the instructions in = http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal = to get the list of VMs (presumably for the user that is logging in), I = get an unauthorized error. If the user account I login with in the curl = or ovirt-shell connect statement is an admin, I get the list of VMs. =20 So my question here is does the REST-API need admin privileges or = am I using a url that requires admin privileges whereas some others = don't. And if it is the latter, is there somewhere that documents the = various rest api resources? For example, to go back to the "How to = connect to Spice console ..." article, how would one use the REST API to = fetch one's virtual machines, their status, and connection info for =

=46rom the about box in the admin web app: oVirt Engine Version: 3.1.0-2.fc17 The curl command I send is: curl --cacert $CA_FILE -X GET -H "Filter: true" -u user@domain:password = https://$OVIRT/api/vms > uservms.xml=20 The output when my user's group has a DOMAIN_ADMIN role contains the xml = for the VMs. The output when the user's group has either a power user or = a regular user role contains the error response with a 401 unauthorized = error. I had lots of fun getting this server set up so it is possible I made a = mistake during installation, but it seems pretty functional right now. = Everything seems to be working but I haven't been able to to test out = how/if I can connect a new, non-portal client without having to add new = servlets. Brian On Oct 2, 2012, at 9:57 AM, Itamar Heim wrote: portal) or (b) no way to get a particular user's list of VMs = authenticated as the user. these VMs the REST api or (b) you must be some kind of admin to access the REST = APIs. I noticed the same behavior when I was using the ovirt-shell tool. them?

...

...

...

...

...

=20 Thanks, =20 Brian =20 =20 =20

--Apple-Mail=_FBAAF558-58A9-43D9-B460-DA3E9D65E32B Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=iso-8859-1 <html><head></head><body style=3D"word-wrap: break-word; = -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; = "><div><blockquote type=3D"cite"><div>3.1 added support for non admin to = use the api.<br>i.e., this should work.<br>which specific version are = you using?<br></div></blockquote><br></div>=46rom the about box in the = admin web app:<div><br></div><blockquote = class=3D"webkit-indent-blockquote" style=3D"margin: 0 0 0 40px; border: = none; padding: 0px;"><div><span class=3D"gwt-InlineLabel" style=3D"color: = rgb(0, 0, 0); font-family: 'Arial Unicode MS', Arial, sans-serif; = font-style: normal; font-variant: normal; font-weight: normal; = letter-spacing: normal; line-height: normal; orphans: 2; text-align: = -webkit-center; text-indent: 0px; text-transform: none; white-space: = normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; = -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); = ">oVirt Engine Version:</span><span style=3D"color: rgb(0, 0, 0); = font-family: 'Arial Unicode MS', Arial, sans-serif; font-style: normal; = font-variant: normal; font-weight: normal; letter-spacing: normal; = line-height: normal; orphans: 2; text-align: -webkit-center; = text-indent: 0px; text-transform: none; white-space: normal; widows: 2; = word-spacing: 0px; -webkit-text-size-adjust: auto; = -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); = display: inline !important; float: none; "> </span><span = class=3D"gwt-InlineLabel" style=3D"color: rgb(0, 0, 0); font-family: = 'Arial Unicode MS', Arial, sans-serif; font-style: normal; font-variant: = normal; font-weight: normal; letter-spacing: normal; line-height: = normal; orphans: 2; text-align: -webkit-center; text-indent: 0px; = text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; = -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; = background-color: rgb(255, 255, 255); = ">3.1.0-2.fc17</span></div></blockquote><div><br></div><div>The curl = command I send is:</div><div><br></div><blockquote = class=3D"webkit-indent-blockquote" style=3D"margin: 0 0 0 40px; border: = none; padding: 0px;"><div>curl --cacert $CA_FILE -X GET -H "Filter: = true" -u user@domain:password <a = href=3D"https://$OVIRT/api/vms">https://$OVIRT/api/vms</a> > = uservms.xml </div></blockquote><div><br></div><div>The output when = my user's group has a DOMAIN_ADMIN role contains the xml for the VMs. = The output when the user's group has either a power user or a regular = user role contains the error response with a 401 unauthorized = error.</div><div><br></div><div>I had lots of fun getting this server = set up so it is possible I made a mistake during installation, but it = seems pretty functional right now. Everything seems to be working but I = haven't been able to to test out how/if I can connect a new, non-portal = client without having to add new = servlets.</div><div><br></div><div>Brian</div><div><br><div><div>On Oct = 2, 2012, at 9:57 AM, Itamar Heim wrote:</div><br = class=3D"Apple-interchange-newline"><blockquote type=3D"cite"><div>On = 10/02/2012 04:52 PM, Brian Vetter wrote:<br><blockquote = type=3D"cite">Adding the "Filter:true" header to the curl request = doesn't change anything. If the user account is not an admin account, I = get a 401 status result. So my question still stands, can the REST API = be used by a mere, non-admin "mortal" or is it only for administrative = functions?<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite">I'm in the = process of trying to hook up a different client to a VM managed by = ovirt. I can't use the user portal app. So I was trying to use the REST = APIs on behalf of a normal, non-admin user to get the list of the = authenticating user's VMs and their connection = information.<br></blockquote><br>3.1 added support for non admin to use = the api.<br>i.e., this should work.<br>which specific version are you = using?<br><br><blockquote type=3D"cite"><br></blockquote><blockquote = type=3D"cite">Brian<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite">On Oct 2, 2012, = at 2:15 AM, Itamar Heim wrote:<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite">On 10/02/2012 06:28 AM, Brian Vetter = wrote:<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">I've done two different things. = First, I associated one of my groups in my directory with being a VMUser = which gave members access to a particular VM. If I login with one of = those users via the User portal, I can see their VM (or VMs if I do more = than one). If I use the REST API (or ovirt-shell) using this user's = account and password, I get an unauthorized = error.<br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite">Similarly, I have another group that is assigned the = DomainManager role. If I add this other user to that group, when I login = with that user via the user portal, I see the advanced portal. If I use = the REST-API (using curl) or ovirt-shell and use the user's login = information, I now am authorized and see a list of VMs returned as XML = (in the case of = curl).<br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">That = said, I see all VMs in the system, not just the one assigned to the user = that logged in. So this makes me think that either the REST API for = getting the APIs as suggested by the article is an administrative API = and there is either (a) a different rest API/uri that returns the logged = in user's vms (the list that would be returned to the portal) or (b) no = way to get a particular user's list of VMs authenticated as the = user.<br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite">you need to specify to the api = you want to view things in "user mode" via the filter = header.<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote= type=3D"cite">Example:<br></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite">curl -X GET -H "Filter: true" -u = user@domain:password <a = href=3D"http://[servername]:PORT/api/vms">http://[servername]:PORT/api/vms= </a><br></blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite">Brian<br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">On Oct = 1, 2012, at 10:49 PM, Yair Zaslavsky = wrote:<br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">Hi = Brian,<br></blockquote></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">I looked at the wiki = -<br></blockquote></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">I assume you're referring to the = "showVm" = part.<br></blockquote></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">Have you assigned any = permissions to the user that is supposed to view the = VMs?<br></blockquote></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">I assume you created the VMs = with the administrator user, so any other user will require to have a = proper permissions in order to view these = VMs<br></blockquote></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote><blo= ckquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite">Yair<br></blockquote></blockquote></blockquote></blockquote>= <blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote><blo= ckquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote><blo= ckquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">On 10/02/2012 05:09 AM, Brian = Vetter = wrote:<br></blockquote></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">I was = trying to use both the rest api to view a user's vm information. I found = that the REST APIs always returned an authentication error if the = account I had logged into was not an ovirt administrator. I am guessing = that either (a) I am using the wrong URL in the REST api or (b) you must = be some kind of admin to access the REST APIs. I noticed the same = behavior when I was using the ovirt-shell = tool.<br></blockquote></blockquote></blockquote></blockquote></blockquote>= <blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">For = example, I was trying to follow the instructions in <a = href=3D"http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without= _Portal">http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Withou= t_Portal</a> to get the list of VMs (presumably for the user that is = logging in), I get an unauthorized error. If the user account I login = with in the curl or ovirt-shell connect statement is an admin, I get the = list of = VMs.<br></blockquote></blockquote></blockquote></blockquote></blockquote><= blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">So my = question here is does the REST-API need admin privileges or am I using a = url that requires admin privileges whereas some others don't. And if it = is the latter, is there somewhere that documents the various rest api = resources? For example, to go back to the "How to connect to Spice = console ..." article, how would one use the REST API to fetch one's = virtual machines, their status, and connection info for = them?<br></blockquote></blockquote></blockquote></blockquote></blockquote>= <blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite">Thanks,<br></blockquote></blockquote></blockquote></blockquo= te></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite">Brian<br></blockquote></blockquote></blockquote></blockquote=

</blockquote><blockquote = type=3D"cite"><br></blockquote><br><br></div></blockquote></div><br></div>= </body></html>=

--Apple-Mail=_FBAAF558-58A9-43D9-B460-DA3E9D65E32B--

--Apple-Mail=_4EAD8554-0B0E-4319-812F-9E0B82F673A7 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=iso-8859-1 I also tried a simple connect to the home of the ovirt server in the = ovirt-shell: [oVirt shell (disconnected)]# connect https://ovirtserver <user> <pass> error: 'str' object has no attribute 'product_info' [oVirt shell (disconnected)]#=20 So this happens without trying to get to the api/vms. As to your question:

i think you should get an empty list and not a 401 in any case, but = just to make sure - you have the user role on a specific VM and you = don't see it?

On 10/02/2012 05:20 PM, Brian Vetter wrote:

...

...

3.1 added support for non admin to use the api. i.e., this should work. which specific version are you using? =20 =46rom the about box in the admin web app: =20 oVirt Engine Version:3.1.0-2.fc17 =20 =20 The curl command I send is: =20 curl --cacert $CA_FILE -X GET -H "Filter: true" -u user@domain:password https://$OVIRT/api/vms > uservms.xml =20 =20 The output when my user's group has a DOMAIN_ADMIN role contains the = xml for the VMs. The output when the user's group has either a power user = or a regular user role contains the error response with a 401 = unauthorized error. =20 I had lots of fun getting this server set up so it is possible I made = a mistake during installation, but it seems pretty functional right = now. Everything seems to be working but I haven't been able to to test out how/if I can connect a new, non-portal client without having to add = new servlets. =20 i think you should get an empty list and not a 401 in any case, but = just to make sure - you have the user role on a specific VM and you = don't see it? michael - thoughts? maybe this was fixed post ovirt 3.1 fedora release? =20 =20 Brian =20 On Oct 2, 2012, at 9:57 AM, Itamar Heim wrote: =20 On 10/02/2012 04:52 PM, Brian Vetter wrote:

...

Adding the "Filter:true" header to the curl request doesn't change anything. If the user account is not an admin account, I get a 401 status result. So my question still stands, can the REST API be = used by a mere, non-admin "mortal" or is it only for administrative = functions? =20 I'm in the process of trying to hook up a different client to a VM managed by ovirt. I can't use the user portal app. So I was trying = to use the REST APIs on behalf of a normal, non-admin user to get the list of the authenticating user's VMs and their connection = information. =20 3.1 added support for non admin to use the api. i.e., this should work. which specific version are you using? =20 =20 Brian =20 On Oct 2, 2012, at 2:15 AM, Itamar Heim wrote: =20

...

On 10/02/2012 06:28 AM, Brian Vetter wrote:

...

I've done two different things. First, I associated one of my groups in my directory with being a VMUser which gave members access to a particular VM. If I login with one of those users via the User portal, I can see their VM (or VMs if I do more than = one). If I use the REST API (or ovirt-shell) using this user's account and password, I get an unauthorized error. =20 Similarly, I have another group that is assigned the = DomainManager role. If I add this other user to that group, when I login with that user via the user portal, I see the advanced portal. If I = use the REST-API (using curl) or ovirt-shell and use the user's login information, I now am authorized and see a list of VMs returned = as XML (in the case of curl). =20 That said, I see all VMs in the system, not just the one assigned to the user that logged in. So this makes me think that either =

...

...

...

...

...

REST API for getting the APIs as suggested by the article is an administrative API and there is either (a) a different rest = API/uri that returns the logged in user's vms (the list that would be returned to the portal) or (b) no way to get a particular user's list of VMs authenticated as the user. =20 you need to specify to the api you want to view things in "user mode" via the filter header. Example: curl -X GET -H "Filter: true" -u user@domain:password http://[servername]:PORT/api/vms =20 =20 =20 =20 Brian =20 On Oct 1, 2012, at 10:49 PM, Yair Zaslavsky wrote: =20 > Hi Brian, > I looked at the wiki - > I assume you're referring to the "showVm" part. > Have you assigned any permissions to the user that is supposed = to > view the VMs? > I assume you created the VMs with the administrator user, so any > other user will require to have a proper permissions in order to > view these VMs >=20 > Yair >=20 >=20 > On 10/02/2012 05:09 AM, Brian Vetter wrote: >> I was trying to use both the rest api to view a user's vm >> information. I found that the REST APIs always returned an >> authentication error if the account I had logged into was not = an >> ovirt administrator. I am guessing that either (a) I am using =

Yes, I believe this is true. If the same user logs into the user portal, = he can see the VM and start/stop it. =46rom the ovirt admin portal, I = see the following permissions for the VM: User Role Brian Vetter (bjvetter@domain) UserRole Brian On Oct 2, 2012, at 10:27 AM, Itamar Heim wrote: the the

...

...

...

...

...

>> wrong URL in the REST api or (b) you must be some kind of admin >> to access the REST APIs. I noticed the same behavior when I was >> using the ovirt-shell tool. >>=20 >> For example, I was trying to follow the instructions in >> = http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal >> to get the list of VMs (presumably for the user that is logging >> in), I get an unauthorized error. If the user account I login >> with in the curl or ovirt-shell connect statement is an admin, = I >> get the list of VMs. >>=20 >> So my question here is does the REST-API need admin privileges = or >> am I using a url that requires admin privileges whereas some >> others don't. And if it is the latter, is there somewhere that >> documents the various rest api resources? For example, to go = back >> to the "How to connect to Spice console ..." article, how would >> one use the REST API to fetch one's virtual machines, their >> status, and connection info for them? >>=20 >> Thanks, >>=20 >> Brian =20 =20 =20 =20 =20 =20

<blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite">Similarly, I have another group that is assigned the = DomainManager<br></blockquote></blockquote></blockquote></blockquote></blo= ckquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">role. = If I add this other user to that group, when I login = with<br></blockquote></blockquote></blockquote></blockquote></blockquote><=

<blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">That = said, I see all VMs in the system, not just the one = assigned<br></blockquote></blockquote></blockquote></blockquote></blockquo= te><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">to the = user that logged in. So this makes me think that either =

<blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">list = of VMs authenticated as the = user.<br></blockquote></blockquote></blockquote></blockquote></blockquote>= <blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote><blo= ckquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">you need to specify to the api = you want to view things in = "user<br></blockquote></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">mode" via the filter =

</blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">On Oct = 1, 2012, at 10:49 PM, Yair Zaslavsky = wrote:<br></blockquote></blockquote></blockquote></blockquote></blockquote= <blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">Hi = Brian,<br></blockquote></blockquote></blockquote></blockquote></blockquote= </blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">I = looked at the wiki = -<br></blockquote></blockquote></blockquote></blockquote></blockquote></bl= ockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">I assume you're referring to the = "showVm" =

</blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">I was trying to use both the = rest api to view a user's = vm<br></blockquote></blockquote></blockquote></blockquote></blockquote></b= lockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">information. I found that the = REST APIs always returned = an<br></blockquote></blockquote></blockquote></blockquote></blockquote></b= lockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">authentication error if the = account I had logged into was not = an<br></blockquote></blockquote></blockquote></blockquote></blockquote></b= lockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">ovirt administrator. I am = guessing that either (a) I am using =

--Apple-Mail=_4EAD8554-0B0E-4319-812F-9E0B82F673A7 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=iso-8859-1 <html><head></head><body style=3D"word-wrap: break-word; = -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I = also tried a simple connect to the home of the ovirt server in the = ovirt-shell:<div><br></div><blockquote class=3D"webkit-indent-blockquote" = style=3D"margin: 0 0 0 40px; border: none; padding: = 0px;"><div><div>[oVirt shell (disconnected)]# connect <a = href=3D"https://ovirtserver">https://ovirtserver</a> <user> = <pass></div></div><div><div><br></div></div><div><div>error: 'str' = object has no attribute = 'product_info'</div></div><div><br></div><div><div>[oVirt shell = (disconnected)]# </div></div></blockquote><div><div><br></div></div><= div>So this happens without trying to get to the = api/vms.</div><div><br></div><div>As to your question:</div><blockquote = class=3D"webkit-indent-blockquote" style=3D"margin: 0 0 0 40px; border: = none; padding: 0px;"><div><blockquote type=3D"cite"><div>i think you = should get an empty list and not a 401 in any case, but just to make = sure - you have the user role on a specific VM and you don't see = it?</div></blockquote></div></blockquote><div><br></div><div>Yes, I = believe this is true. If the same user logs into the user portal, he can = see the VM and start/stop it. =46rom the ovirt admin portal, I see the = following permissions for the VM:</div><div><br></div><div><b>User<span = class=3D"Apple-tab-span" style=3D"white-space:pre"> = </span>Role</b></div><div>Brian Vetter = (bjvetter@domain)<span class=3D"Apple-tab-span" style=3D"white-space:pre">= = </span>UserRole</div><div><br></div><div>Brian</div><div><br></div><div><d= iv><div>On Oct 2, 2012, at 10:27 AM, Itamar Heim wrote:</div><br = class=3D"Apple-interchange-newline"><blockquote type=3D"cite"><div>On = 10/02/2012 05:20 PM, Brian Vetter wrote:<br><blockquote = type=3D"cite"><blockquote type=3D"cite">3.1 added support for non admin = to use the api.<br></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite">i.e., this should = work.<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite">which specific version are you = using?<br></blockquote></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite"> =46rom the = about box in the admin web app:<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite"> =    oVirt Engine = Version:3.1.0-2.fc17<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite">The curl = command I send is:<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite"> =    curl --cacert $CA_FILE -X GET -H "Filter: true" = -u<br></blockquote><blockquote type=3D"cite"> =    user@domain:password <a = href=3D"https://$OVIRT/api/vms">https://$OVIRT/api/vms</a> > = uservms.xml<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite">The output when = my user's group has a DOMAIN_ADMIN role contains the = xml<br></blockquote><blockquote type=3D"cite">for the VMs. The output = when the user's group has either a power user = or<br></blockquote><blockquote type=3D"cite">a regular user role = contains the error response with a 401 = unauthorized<br></blockquote><blockquote = type=3D"cite">error.<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite">I had lots of = fun getting this server set up so it is possible I made = a<br></blockquote><blockquote type=3D"cite">mistake during installation, = but it seems pretty functional right now.<br></blockquote><blockquote = type=3D"cite">Everything seems to be working but I haven't been able to = to test out<br></blockquote><blockquote type=3D"cite">how/if I can = connect a new, non-portal client without having to add = new<br></blockquote><blockquote = type=3D"cite">servlets.<br></blockquote><br>i think you should get an = empty list and not a 401 in any case, but just to make sure - you have = the user role on a specific VM and you don't see it?<br>michael - = thoughts?<br>maybe this was fixed post ovirt 3.1 fedora = release?<br><br><blockquote type=3D"cite"><br></blockquote><blockquote = type=3D"cite">Brian<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite">On Oct 2, 2012, = at 9:57 AM, Itamar Heim wrote:<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite">On 10/02/2012 04:52 PM, Brian Vetter = wrote:<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">Adding the "Filter:true" header = to the curl request doesn't = change<br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite">anything. If the user account is not an admin account, I = get a 401<br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">status = result. So my question still stands, can the REST API be = used<br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">by a = mere, non-admin "mortal" or is it only for administrative = functions?<br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">I'm in = the process of trying to hook up a different client to a = VM<br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">managed = by ovirt. I can't use the user portal app. So I was trying = to<br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">use = the REST APIs on behalf of a normal, non-admin user to get = the<br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">list = of the authenticating user's VMs and their connection = information.<br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite">3.1 added support for non admin = to use the api.<br></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite">i.e., this should = work.<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite">which specific version are you = using?<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite">Brian<br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">On Oct = 2, 2012, at 2:15 AM, Itamar Heim = wrote:<br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">On 10/02/2012 06:28 AM, Brian = Vetter = wrote:<br></blockquote></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">I've = done two different things. First, I associated one of = my<br></blockquote></blockquote></blockquote></blockquote></blockquote><bl= ockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">groups = in my directory with being a VMUser which gave = members<br></blockquote></blockquote></blockquote></blockquote></blockquot= e><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">access = to a particular VM. If I login with one of those users = via<br></blockquote></blockquote></blockquote></blockquote></blockquote><b= lockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">the = User portal, I can see their VM (or VMs if I do more than = one).<br></blockquote></blockquote></blockquote></blockquote></blockquote>= <blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">If I = use the REST API (or ovirt-shell) using this user's = account<br></blockquote></blockquote></blockquote></blockquote></blockquot= e><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">and = password, I get an unauthorized = error.<br></blockquote></blockquote></blockquote></blockquote></blockquote= blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">that = user via the user portal, I see the advanced portal. If I = use<br></blockquote></blockquote></blockquote></blockquote></blockquote><b= lockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">the = REST-API (using curl) or ovirt-shell and use the user's = login<br></blockquote></blockquote></blockquote></blockquote></blockquote>= <blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite">information, I now am authorized and see a list of VMs = returned = as<br></blockquote></blockquote></blockquote></blockquote></blockquote><bl= ockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">XML = (in the case of = curl).<br></blockquote></blockquote></blockquote></blockquote></blockquote= the<br></blockquote></blockquote></blockquote></blockquote></blockquote><b= lockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">REST = API for getting the APIs as suggested by the article is = an<br></blockquote></blockquote></blockquote></blockquote></blockquote><bl= ockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite">administrative API and there is either (a) a different = rest = API/uri<br></blockquote></blockquote></blockquote></blockquote></blockquot= e><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">that = returns the logged in user's vms (the list that would = be<br></blockquote></blockquote></blockquote></blockquote></blockquote><bl= ockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">returned= to the portal) or (b) no way to get a particular = user's<br></blockquote></blockquote></blockquote></blockquote></blockquote= header.<br></blockquote></blockquote></blockquote></blockquote><blockquote= type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite">Example:<br></blockquote></blockquote></blockquote></blockqu= ote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">curl -X GET -H "Filter: true" -u = user@domain:password<br></blockquote></blockquote></blockquote></blockquot= e><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><a = href=3D"http://[servername]:PORT/api/vms">http://[servername]:PORT/api/vms= </a><br></blockquote></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote><blo= ckquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote><blo= ckquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote><blo= ckquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite">Brian<br></blockquote></blockquote></blockquote></blockquote= part.<br></blockquote></blockquote></blockquote></blockquote></blockquote>= </blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">Have = you assigned any permissions to the user that is supposed = to<br></blockquote></blockquote></blockquote></blockquote></blockquote></b= lockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">view the = VMs?<br></blockquote></blockquote></blockquote></blockquote></blockquote><= /blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">I = assume you created the VMs with the administrator user, so = any<br></blockquote></blockquote></blockquote></blockquote></blockquote></= blockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote= type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">other user will require to have = a proper permissions in order = to<br></blockquote></blockquote></blockquote></blockquote></blockquote></b= lockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">view these = VMs<br></blockquote></blockquote></blockquote></blockquote></blockquote></= blockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><blockquote= type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite">Yair<br></blockquote></blockquote></blockquote></blockquote>= </blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote type=3D"cite">On = 10/02/2012 05:09 AM, Brian Vetter = wrote:<br></blockquote></blockquote></blockquote></blockquote></blockquote= the<br></blockquote></blockquote></blockquote></blockquote></blockquote></= blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">wrong URL in the REST api or (b) = you must be some kind of = admin<br></blockquote></blockquote></blockquote></blockquote></blockquote>= </blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">to access the REST APIs. I = noticed the same behavior when I = was<br></blockquote></blockquote></blockquote></blockquote></blockquote></= blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">using the ovirt-shell = tool.<br></blockquote></blockquote></blockquote></blockquote></blockquote>= </blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote></blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">For example, I was trying to = follow the instructions = in<br></blockquote></blockquote></blockquote></blockquote></blockquote></b= lockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><a = href=3D"http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without= _Portal">http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Withou= t_Portal</a><br></blockquote></blockquote></blockquote></blockquote></bloc= kquote></blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">to get the list of VMs = (presumably for the user that is = logging<br></blockquote></blockquote></blockquote></blockquote></blockquot= e></blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">in), I get an unauthorized = error. If the user account I = login<br></blockquote></blockquote></blockquote></blockquote></blockquote>= </blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">with in the curl or ovirt-shell = connect statement is an admin, = I<br></blockquote></blockquote></blockquote></blockquote></blockquote></bl= ockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">get the list of = VMs.<br></blockquote></blockquote></blockquote></blockquote></blockquote><= /blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote></blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">So my question here is does the = REST-API need admin privileges = or<br></blockquote></blockquote></blockquote></blockquote></blockquote></b= lockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">am I using a url that requires = admin privileges whereas = some<br></blockquote></blockquote></blockquote></blockquote></blockquote><= /blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">others don't. And if it is the = latter, is there somewhere = that<br></blockquote></blockquote></blockquote></blockquote></blockquote><= /blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">documents the various rest api = resources? For example, to go = back<br></blockquote></blockquote></blockquote></blockquote></blockquote><= /blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">to the "How to connect to Spice = console ..." article, how = would<br></blockquote></blockquote></blockquote></blockquote></blockquote>= </blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">one use the REST API to fetch = one's virtual machines, = their<br></blockquote></blockquote></blockquote></blockquote></blockquote>= </blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite">status, and connection info for = them?<br></blockquote></blockquote></blockquote></blockquote></blockquote>= </blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote></blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite">Thanks,<br></blockquote></blockquote></blockquote></blockquo= te></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote></blockquote></bl= ockquote></blockquote></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><blockquote = type=3D"cite">Brian<br></blockquote></blockquote></blockquote></blockquote=

</blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote></blockquote><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote><blockquote = type=3D"cite"><blockquote = type=3D"cite"><br></blockquote></blockquote><blockquote = type=3D"cite"><br></blockquote><br><br></div></blockquote></div><br></div>= </body></html>=

--Apple-Mail=_4EAD8554-0B0E-4319-812F-9E0B82F673A7--

--Apple-Mail=_C446C6FD-E578-458C-8521-3EA4DD1025A4 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=iso-8859-1 The "error: 'str' object has no attribute 'product_info'" was a red = herring (mistyped url). The 401 errors for non-admins though is still = quite real. Detailed response inside ... On Oct 2, 2012, at 1:48 PM, Michael Pasternak wrote:

...

I also tried a simple connect to the home of the ovirt server in the = ovirt-shell: =20 [oVirt shell (disconnected)]# connect https://ovirtserver <user> = <pass> =20 error: 'str' object has no attribute 'product_info' =20

Hi Brian, =20 On 10/02/2012 05:52 PM, Brian Vetter wrote: this could happen if you trying connect to SSL site via HTTP protocol, btw what sdk/cli version you're using [1]? latest sdk/cli protects = against this. =20 [1] run 'info' command in cli

...

As to your question: =20

...

i think you should get an empty list and not a 401 in any case, = but just to make sure - you have the user role on a specific VM and you = don't see it? =20 =20 Yes, I believe this is true. If the same user logs into the user =

As this turned out, the problem was due to a bad url (transposed = characters). Once fixed, I'm back to the 401 error condition. portal, he can see the VM and start/stop it. =46rom the ovirt admin = portal, I see the following permissions

...

for the VM: =20 does this user has any other role/s besides UserRole?

No, the only role it is given is UserRole. Here is how it was applied: 1) The user was created in my directory server (that was added to the = ovirt manager during setup). 2) After creating a new desktop VM, I selected the VM, selected its = Permissions tab, and then added the user with the role 'UserRole' to the = VM. This was all done in the ovirt-manager web app. 3) I then login to the user portal with that user account name. After = refreshing the VM list (a very minor bug), I see the VM that was = assigned to the user. 4) When using the ovirt-shell command, the connect command fails with an = error 401 as in the following text: [oVirt shell (disconnected)]# connect https://ovirt-serveri/ 'xxx@yyyy' = 'pword' error: Unauthorized, [Errno: 401] 5) If I add the "DatacenterAdmin" role, the connect command works. 6) Similarly, if I use curl, I get the same HTTPS Status 401 error. # curl --cacert $CA_FILE -X GET -H "Filter: true" -u xxx@yyyy:pword = https://ovirtserver/api/vms > uservms.xml=20 # cat uservms.xml <html><head><title>JBoss Web/7.0.0.SNAPSHOT - Error = report</title><style><!--H1 = {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;= font-size:22px;} H2 = {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;= font-size:16px;} H3 = {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;= font-size:14px;} BODY = {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} = B = {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;= } P = {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-siz= e:12px;}A {color : black;}A.name {color : black;}HR {color : = #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR = size=3D"1" noshade=3D"noshade"><p><b>type</b> Status = report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This = request requires HTTP authentication ().</u></p><HR size=3D"1" = noshade=3D"noshade"><h3>JBoss = Web/7.0.0.SNAPSHOT</h3></body></html>[bjv@eos ~]$ 7) I see the following when I use ovirt -d and do the connect: send: 'GET /api HTTP/1.1\r\nHost: eos.testcloud.com\r\nAccept-Encoding: = identity\r\nPrefer: persistent-auth\r\nContent-type: = application/xml\r\nAuthorization: Basic = Ymp2ZXR0ZXJAZHJvaWRjbG91ZC5tb2JpOmxvc3QrZm91bmQ=3D\r\n\r\n' reply: 'HTTP/1.1 401 Unauthorized\r\n' header: Date: Wed, 03 Oct 2012 03:24:53 GMT header: Set-Cookie: JSESSIONID=3Dn3Ex3mxsvzTEM3rlkiHa85mP.undefined; = Path=3D/api; Secure header: WWW-Authenticate: Basic realm=3D"ENGINE" header: Content-Type: text/html;charset=3Dutf-8 header: Content-Length: 962 header: Connection: close Clearly, the ovirt-shell and curl are making the same request and = getting the same error response. The engine.log file in /var/log/ovirt-engine has the following after I = try to connect: 2012-10-02 22:28:37,489 INFO = [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-3) = Checking if user bjvetter is an admin, result false 2012-10-02 22:28:37,490 WARN = [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-3) = CanDoAction of action LoginAdminUser failed. = Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION 2012-10-02 22:28:37,491 INFO = [org.ovirt.engine.api.restapi.security.auth.LoginValidator] = (ajp--0.0.0.0-8009-3) Login failure, user: bjvetter domain: = my.testcloud.com reason: [USER_NOT_AUTHORIZED_TO_PERFORM_ACTION] So based upon what I see in this log file, it would seem that the = connect API wants to make sure that I am an admin and not a regular = user. Which gets me back to my original question: Do the REST API and the = ovirt-shell require admin privileges or is there a separate uri = namespace for regular users to make requests? Or perhaps more direct, = should https://$ovirt-server/api/vms be accessible to non-admins or is = there a different url a non-admin should use? Brian --Apple-Mail=_C446C6FD-E578-458C-8521-3EA4DD1025A4 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=iso-8859-1 <html><head></head><body style=3D"word-wrap: break-word; = -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; = "><div>The "error: 'str' object has no attribute 'product_info'" was a = red herring (mistyped url). The 401 errors for non-admins though is = still quite real.</div><div><br></div>Detailed response inside = ...<div><br><div><div>On Oct 2, 2012, at 1:48 PM, Michael Pasternak = wrote:</div><br class=3D"Apple-interchange-newline"><blockquote = type=3D"cite"><div>Hi Brian,<br><br>On 10/02/2012 05:52 PM, Brian Vetter = wrote:<br><blockquote type=3D"cite">I also tried a simple connect to the = home of the ovirt server in the ovirt-shell:<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite"> =    [oVirt shell (disconnected)]# connect <a = href=3D"https://ovirtserver">https://ovirtserver</a> <user> = <pass><br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite"> =    error: 'str' object has no attribute = 'product_info'<br></blockquote><br>this could happen if you trying = connect to SSL site via HTTP protocol,<br>btw what sdk/cli version = you're using [1]? latest sdk/cli protects against<br>this.<br><br>[1] = run 'info' command in cli<br></div></blockquote><div><br></div><div>As = this turned out, the problem was due to a bad url (transposed = characters). Once fixed, I'm back to the 401 error = condition.</div></div><div><br><blockquote type=3D"cite"><div><blockquote = type=3D"cite">As to your question:<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite"><blockquote = type=3D"cite">    i think you should get an empty list = and not a 401 in any case, but just to make sure - you have the user = role on a specific VM and you don't see = it?<br></blockquote></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite">Yes, I believe = this is true. If the same user logs into the user portal, he can see the = VM and start/stop it. =46rom the ovirt admin portal, I see the following = permissions<br></blockquote><blockquote type=3D"cite">for the = VM:<br></blockquote><br>does this user has any other role/s besides = UserRole?</div></blockquote><div><br></div><div>No, the only role it is = given is UserRole. Here is how it was = applied:</div><div><br></div><div>1) The user was created in my = directory server (that was added to the ovirt manager during = setup).</div><div>2) After creating a new desktop VM, I selected the VM, = selected its Permissions tab, and then added the user with the role = 'UserRole' to the VM. This was all done in the ovirt-manager web = app.</div><div>3) I then login to the user portal with that user account = name. After refreshing the VM list (a very minor bug), I see the VM that = was assigned to the user.</div><div>4) When using the ovirt-shell = command, the connect command fails with an error 401 as in the following = text:</div><div><br></div></div></div><blockquote = class=3D"webkit-indent-blockquote" style=3D"margin: 0 0 0 40px; border: = none; padding: 0px;"><div><div><div><div>[oVirt shell (disconnected)]# = connect <a href=3D"https://ovirt-serveri/">https://ovirt-serveri/</a> = 'xxx@yyyy' = 'pword'</div></div></div></div><div><div><div><div><br></div></div></div><= /div><div><div><div><div>error: Unauthorized, [Errno: = 401]</div></div></div></div></blockquote><div><div>5) If I add the = "DatacenterAdmin" role, the connect command works.</div><div>6) = Similarly, if I use curl, I get the same HTTPS Status 401 = error.</div><div><br></div></div><blockquote = class=3D"webkit-indent-blockquote" style=3D"margin: 0 0 0 40px; border: = none; padding: 0px;"><div><div># curl --cacert $CA_FILE -X GET -H = "Filter: true" -u xxx@yyyy:pword <a = href=3D"https://ovirtserver/api/vms">https://ovirtserver/api/vms</a> = > uservms.xml </div></div></blockquote><blockquote = class=3D"webkit-indent-blockquote" style=3D"margin: 0 0 0 40px; border: = none; padding: 0px;"><div><div><div># cat = uservms.xml</div></div></div><div><div><div><html><head><ti= tle>JBoss Web/7.0.0.SNAPSHOT - Error = report</title><style><!--H1 = {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;= font-size:22px;} H2 = {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;= font-size:16px;} H3 = {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;= font-size:14px;} BODY = {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} = B = {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;= } P = {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-siz= e:12px;}A {color : black;}A.name {color : black;}HR {color : = #525D76;}--></style> </head><body><h1>HTTP = Status 401 - </h1><HR size=3D"1" = noshade=3D"noshade"><p><b>type</b> Status = report</p><p><b>message</b> = <u></u></p><p><b>description</b> = <u>This request requires HTTP authentication = ().</u></p><HR size=3D"1" = noshade=3D"noshade"><h3>JBoss = Web/7.0.0.SNAPSHOT</h3></body></html>[bjv@eos = ~]$</div></div></div></blockquote><div><br></div><div>7) I see the = following when I use ovirt -d and do the = connect:</div><div><br></div><blockquote = class=3D"webkit-indent-blockquote" style=3D"margin: 0 0 0 40px; border: = none; padding: 0px;"><div><div>send: 'GET /api HTTP/1.1\r\nHost: <a = href=3D"http://eos.testcloud.com">eos.testcloud.com</a>\r\nAccept-Encoding= : identity\r\nPrefer: persistent-auth\r\nContent-type: = application/xml\r\nAuthorization: Basic = Ymp2ZXR0ZXJAZHJvaWRjbG91ZC5tb2JpOmxvc3QrZm91bmQ=3D\r\n\r\n'</div></div><di= v><div>reply: 'HTTP/1.1 401 = Unauthorized\r\n'</div></div><div><div>header: Date: Wed, 03 Oct 2012 = 03:24:53 GMT</div></div><div><div>header: Set-Cookie: = JSESSIONID=3Dn3Ex3mxsvzTEM3rlkiHa85mP.undefined; Path=3D/api; = Secure</div></div><div><div>header: WWW-Authenticate: Basic = realm=3D"ENGINE"</div></div><div><div>header: Content-Type: = text/html;charset=3Dutf-8</div></div><div><div>header: Content-Length: = 962</div></div><div><div>header: Connection: = close</div></div></blockquote><div><br></div><div>Clearly, the = ovirt-shell and curl are making the same request and getting the same = error response.</div><div><br></div><div>The engine.log file in = /var/log/ovirt-engine has the following after I try to = connect:</div><div><br></div><blockquote = class=3D"webkit-indent-blockquote" style=3D"margin: 0 0 0 40px; border: = none; padding: 0px;"><div><div>2012-10-02 22:28:37,489 INFO =  [org.ovirt.engine.core.bll.LoginAdminUserCommand] = (ajp--0.0.0.0-8009-3) <font class=3D"Apple-style-span" = color=3D"#b61810"><b>Checking if user bjvetter is an admin, result = false</b></font></div></div><div><div>2012-10-02 22:28:37,490 WARN =  [org.ovirt.engine.core.bll.LoginAdminUserCommand] = (ajp--0.0.0.0-8009-3) CanDoAction of action LoginAdminUser failed. = Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION</div></div><div><div>2012-10= -02 22:28:37,491 INFO =  [org.ovirt.engine.api.restapi.security.auth.LoginValidator] = (ajp--0.0.0.0-8009-3) Login failure, user: bjvetter domain: <a = href=3D"http://my.testcloud.com">my.testcloud.com</a> reason: = [USER_NOT_AUTHORIZED_TO_PERFORM_ACTION]</div></div></blockquote><div><br><= /div><div>So based upon what I see in this log file, it would seem that = the connect API wants to make sure that I am an admin and not a regular = user.</div><div><br></div>Which gets me back to my original question: Do = the REST API and the ovirt-shell require admin privileges or is there a = separate uri namespace for regular users to make requests? Or perhaps = more direct, should <a = href=3D"https://$ovirt-server/api/vms">https://$ovirt-server/api/vms</a> = be accessible to non-admins or is there a different url a non-admin = should = use?<div><br></div><div>Brian</div><div><div><br></div></div></body></html=

=

--Apple-Mail=_C446C6FD-E578-458C-8521-3EA4DD1025A4--

--Apple-Mail=_EADA9659-F589-4A31-A283-D87398215C4D Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=iso-8859-1 On Oct 3, 2012, at 12:55 AM, Itamar Heim wrote:

...

snip ... =20 So based upon what I see in this log file, it would seem that the connect API wants to make sure that I am an admin and not a regular = user. =20 Which gets me back to my original question: Do the REST API and the ovirt-shell require admin privileges or is there a separate uri namespace for regular users to make requests? Or perhaps more direct, should https://$ovirt-server/api/vms be accessible to non-admins or = is there a different url a non-admin should use? =20 Brian =20 =20 which version of the sdk are you using? michael - maybe user level api made it into upstream post ovirt 3.1 = feature freeze (brian, in that case, it will be in ovirt 3.2, slated for = freeze in novemeber/release in december) =20

oVirt Engine version is 3.1.0-2.fc17 oVirt API/shell/tool version from yum is 3.1.0.6-1.fc17 Results from 'info' command in ovirt-shell: [oVirt shell (connected)]# info backend version: 3.1 sdk version : 3.1.0.4 cli version : 3.1.0.6 python version : 2.7.3.final.0 If the user level api isn't in 3.1, then I presume it would be in the = nightly builds. Are there instructions for pulling the nightly builds = and/or upgrading them. I saw the build instructions, but was hoping to = save some time while evaluating things. Brian --Apple-Mail=_EADA9659-F589-4A31-A283-D87398215C4D Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=iso-8859-1 <html><head></head><body style=3D"word-wrap: break-word; = -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; = "><div><div>On Oct 3, 2012, at 12:55 AM, Itamar Heim wrote:</div><br = class=3D"Apple-interchange-newline"><blockquote = type=3D"cite"><div><blockquote type=3D"cite">snip = ...</blockquote><blockquote type=3D"cite"><br></blockquote><blockquote = type=3D"cite">So based upon what I see in this log file, it would seem = that the<br></blockquote><blockquote type=3D"cite">connect API wants to = make sure that I am an admin and not a regular = user.<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite">Which gets me = back to my original question: Do the REST API and = the<br></blockquote><blockquote type=3D"cite">ovirt-shell require admin = privileges or is there a separate uri<br></blockquote><blockquote = type=3D"cite">namespace for regular users to make requests? Or perhaps = more direct,<br></blockquote><blockquote type=3D"cite">should <a = href=3D"https://$ovirt-server/api/vms">https://$ovirt-server/api/vms</a> = be accessible to non-admins or is<br></blockquote><blockquote = type=3D"cite">there a different url a non-admin should = use?<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote = type=3D"cite">Brian<br></blockquote><blockquote = type=3D"cite"><br></blockquote><br>which version of the sdk are you = using?<br>michael - maybe user level api made it into upstream post = ovirt 3.1 feature freeze (brian, in that case, it will be in ovirt 3.2, = slated for freeze in novemeber/release in = december)<br><br></div></blockquote></div><div><br></div>oVirt Engine = version is 3.1.0-2.fc17<br><div>oVirt API/shell/tool version from yum = is 3.1.0.6-1.fc17</div><div><br></div><div>Results from 'info' = command in ovirt-shell:</div><blockquote = class=3D"webkit-indent-blockquote" style=3D"margin: 0 0 0 40px; border: = none; padding: 0px;"><div><div>[oVirt shell (connected)]# = info</div></div><div><div><br></div></div><div><div>backend version: = 3.1</div></div><div><div>sdk version    : = 3.1.0.4</div></div><div><div>cli version    : = 3.1.0.6</div></div><div><div>python version : = 2.7.3.final.0</div></div></blockquote><div><br></div><div>If the user = level api isn't in 3.1, then I presume it would be in the nightly = builds. Are there instructions for pulling the nightly builds and/or = upgrading them. I saw the build instructions, but was hoping to save = some time while evaluating = things.</div><div><br></div><div>Brian</div><div><br></div></body></html>= --Apple-Mail=_EADA9659-F589-4A31-A283-D87398215C4D--

--Apple-Mail=_D36C9C4E-1613-4755-9366-F602411AE656 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=iso-8859-1 I found instructions on the wiki for using nightly builds at: http://wiki.ovirt.org/wiki/Installing_ovirt-engine_from_rpm The instructions didn't work. In particular, the ovirt-engine.repo file = was not found at the provided url.=20 http://www.ovirt.org/releases/nightly/fedora/16/ovirt-engine.repo I did find an ovirt-engine.repo file at: http://www.ovirt.org/releases/nightly/rpm/Fedora/17/ovirt-engine.repo The contents of that repo file point it back to the = releases/3.1/rpm/Fedora/17 directory. I'm presuming that if I change the = baseurl to releases/nightly/rpm/... it will all work (which I'll be = doing this afternoon). In any case, someone might want to fix the ovirt-engine.repo file in the = nightly tree and then update the urls in the wiki. Brian On Oct 3, 2012, at 1:13 PM, Itamar Heim wrote:

...

If the user level api isn't in 3.1, then I presume it would be in the nightly builds. Are there instructions for pulling the nightly builds and/or upgrading them. I saw the build instructions, but was hoping = to save some time while evaluating things. =20 Brian =20 =20 true, nightly builds should have them. ofer - any wiki on how best to use the nightly builds? =20

http://www.ovirt.org/releases/nightly/fedora/16/ovirt-engine.repo</a></di= v></blockquote><div><br></div><div>I did find an ovirt-engine.repo file = at:</div><blockquote class=3D"webkit-indent-blockquote" style=3D"margin: = 0 0 0 40px; border: none; padding: 0px;"><div><a =

--Apple-Mail=_D36C9C4E-1613-4755-9366-F602411AE656 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=iso-8859-1 <html><head></head><body style=3D"word-wrap: break-word; = -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I = found instructions on the wiki for using nightly builds = at:<div><br></div><blockquote class=3D"webkit-indent-blockquote" = style=3D"margin: 0 0 0 40px; border: none; padding: 0px;"><div><a = href=3D"http://wiki.ovirt.org/wiki/Installing_ovirt-engine_from_rpm">http:= //wiki.ovirt.org/wiki/Installing_ovirt-engine_from_rpm</a></div></blockquo= te><div><br></div><div>The instructions didn't work. In particular, = the ovirt-engine.repo file was not found at the provided = url. </div><blockquote class=3D"webkit-indent-blockquote" = style=3D"margin: 0 0 0 40px; border: none; padding: 0px;"><div><a = href=3D"http://www.ovirt.org/releases/nightly/fedora/16/ovirt-engine.repo"= href=3D"http://www.ovirt.org/releases/nightly/rpm/Fedora/17/ovirt-engine.r= epo">http://www.ovirt.org/releases/nightly/rpm/Fedora/17/ovirt-engine.repo= </a></div></blockquote><div><div><div><br></div><div>The contents of = that repo file point it back to the releases/3.1/rpm/Fedora/17 = directory. I'm presuming that if I change the baseurl to = releases/nightly/rpm/... it will all work (which I'll be doing this = afternoon).</div><div><br></div><div>In any case, someone might want to = fix the ovirt-engine.repo file in the nightly tree and then update the = urls in the = wiki.</div><div><br></div><div>Brian</div><div><br></div><div>On Oct 3, = 2012, at 1:13 PM, Itamar Heim wrote:</div><br><blockquote = type=3D"cite"><div><blockquote type=3D"cite">If the user level api isn't = in 3.1, then I presume it would be in the<br></blockquote><blockquote = type=3D"cite">nightly builds. Are there instructions for pulling the = nightly builds<br></blockquote><blockquote type=3D"cite">and/or = upgrading them. I saw the build instructions, but was hoping = to<br></blockquote><blockquote type=3D"cite">save some time while = evaluating things.<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote = type=3D"cite">Brian<br></blockquote><blockquote = type=3D"cite"><br></blockquote><br>true, nightly builds should have = them.<br>ofer - any wiki on how best to use the nightly = builds?<br><br></div></blockquote></div><br></div></body></html>= --Apple-Mail=_D36C9C4E-1613-4755-9366-F602411AE656--

On Fri, 2012-10-05 at 14:02 -0400, Steve Gordon wrote:

----- Original Message -----

...

From: "Brian Vetter" <bjvetter@gmail.com> To: "Itamar Heim" <iheim@redhat.com> Cc: users@ovirt.org Sent: Friday, October 5, 2012 12:03:13 PM Subject: Re: [Users] Nightly Builds, was Authentication for REST APIs?

I found instructions on the wiki for using nightly builds at:

http://wiki.ovirt.org/wiki/Installing_ovirt-engine_from_rpm

The instructions didn't work. In particular, the ovirt-engine.repo file was not found at the provided url. http://www.ovirt.org/releases/nightly/fedora/16/ovirt-engine.repo

I did find an ovirt-engine.repo file at: http://www.ovirt.org/releases/nightly/rpm/Fedora/17/ovirt-engine.repo

The contents of that repo file point it back to the releases/3.1/rpm/Fedora/17 directory. I'm presuming that if I change the baseurl to releases/nightly/rpm/... it will all work (which I'll be doing this afternoon).

In any case, someone might want to fix the ovirt-engine.repo file in the nightly tree and then update the urls in the wiki.

Brian

I would recommend using this package to install the repo file:

http://www.ovirt.org/releases/ovirt-release-fedora.noarch.rpm

It includes definitions for both the stable and nightly repositories - defaulting to stable. You can:

yum install ovirt-engine --enablerepo=ovirt-nightly

Or enable it in the /etc/yum.repos.d/ovirt.repo file. Agree that the other repo files littering the directory structure should be cleaned up (I thought they already had been). Who has access to do that?

Done. All .repo files removed from releases. Mike

Steve _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users