extra permissions required to start VM via ovirt-shell?

Hi,

I created a user and a new user role, VmStarter, that has two permissions:

  System -> Configure System -> Login Permissions
  VM -> Basic Operations -> Run VM

I assigned this new user to this role at the data center.

If I login to the user portal with this user I get a screen with all my VMs, and if a VM is down I can click on the "run" button and it will start. If a machine is running I cannot click on the stop button (well, I can, but I get a permission denied error, which is expected). So it sounds like everything is working.

Now I want to use ovirt-shell to do the same thing. I can login just fine using this user's credentials, and I get connected. However when I execute the command to start a VM:

  [oVirt shell (connected)]# action vm vm-0 start

I get this error:

  ==================================== ERROR =================================
  status: 400
  reason: Bad Request
  detail: query execution failed due to insufficient permissions.
  ============================================================================

This seems to imply I'm missing a permission. But I have no idea what permission I'm missing. I haven't found anything in the engine log that would help me.

Any ideas what's wrong and (more importantly) how to fix it?

Thanks,

-derek

--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant

Hello,

when using user roles (not admin ones) you have to use filter parameter. So you need to start the ovirt-shell similar to this:

  $ ovirt-shell --filter --username=... --url=... --ca-file=...

On 11/09/2016 10:49 PM, Derek Atkins wrote:
> Hi,
>
> I created a user and a new user role, VmStarter, that has two permissions:
>
>   System -> Configure System -> Login Permissions
>   VM -> Basic Operations -> Run VM
>
> I assigned this new user to this role at the data center.
>
> If I login to the user portal with this user I get a screen with all my VMs, and if a VM is down I can click on the "run" button and it will start. If a machine is running I cannot click on the stop button (well, I can, but I get a permission denied error, which is expected). So it sounds like everything is working.
>
> Now I want to use ovirt-shell to do the same thing. I can login just fine using this user's credentials, and I get connected. However when I execute the command to start a VM:
>
>   [oVirt shell (connected)]# action vm vm-0 start
>
> I get this error:
>
>   ==================================== ERROR =================================
>   status: 400
>   reason: Bad Request
>   detail: query execution failed due to insufficient permissions.
>   ============================================================================
>
> This seems to imply I'm missing a permission. But I have no idea what permission I'm missing. I haven't found anything in the engine log that would help me.
>
> Any ideas what's wrong and (more importantly) how to fix it?
>
> Thanks,
>
> -derek

Awesome. Thank you. This solved the problem.

Looking with 20/20 hindsight, the --help output says this:

  -F, --filter enables user permission based filtering

However as a n00b I would suggest that this is not sufficient to have figured out the error. From the documentation it's totally unclear the difference between Admin:VM -> Basic Operations -> Run VM and User:VM -> Basic Operations -> Run VM. It's unclear from the Role Definition UI, and it's unclear from the Administration Guide. One would think that a permission is a permission.

Anyways, thank you for clearing this up. Hopefully this exchange will help the next person that comes along trying to figure it all out.

Thank you!

-derek

On Thu, November 10, 2016 2:57 am, Ondra Machacek wrote:
> Hello,
>
> when using user roles (not admin ones) you have to use filter parameter. So you need to start the ovirt-shell similar to this:
>
>   $ ovirt-shell --filter --username=... --url=... --ca-file=...
>
> On 11/09/2016 10:49 PM, Derek Atkins wrote:
>> Hi,
>>
>> I created a user and a new user role, VmStarter, that has two permissions:
>>
>>   System -> Configure System -> Login Permissions
>>   VM -> Basic Operations -> Run VM
>>
>> I assigned this new user to this role at the data center.
>>
>> If I login to the user portal with this user I get a screen with all my VMs, and if a VM is down I can click on the "run" button and it will start. If a machine is running I cannot click on the stop button (well, I can, but I get a permission denied error, which is expected). So it sounds like everything is working.
>>
>> Now I want to use ovirt-shell to do the same thing. I can login just fine using this user's credentials, and I get connected. However when I execute the command to start a VM:
>>
>>   [oVirt shell (connected)]# action vm vm-0 start
>>
>> I get this error:
>>
>>   ==================================== ERROR =================================
>>   status: 400
>>   reason: Bad Request
>>   detail: query execution failed due to insufficient permissions.
>>   ============================================================================
>>
>> This seems to imply I'm missing a permission. But I have no idea what permission I'm missing. I haven't found anything in the engine log that would help me.
>>
>> Any ideas what's wrong and (more importantly) how to fix it?
>>
>> Thanks,
>>
>> -derek

--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant