12:49 a.m.
Hi,
I created a user and a new user role, VmStarter, that has two permissions:
System -> Configure System -> Login Permissions
VM -> Basic Operations -> Run VM
I assigned this new user to this role at the data center.
If I login to the user portal with this user I get a screen with all
my VMs, and if a VM is down I can click on the "run" button and it will
start. If a machine is running I cannot click on the stop button (well,
I can, but I get a permission denied error, which is expected). So it
sounds like everything is working.
Now I want to use ovirt-shell to do the same thing. I can login just
fine using this user's credentials, and I get connected. However when I
execute the command to start a VM:
[oVirt shell (connected)]# action vm vm-0 start
I get this error:
==================================== ERROR =================================
status: 400
reason: Bad Request
detail: query execution failed due to insufficient permissions.
============================================================================
This seems to imply I'm missing a permission. But I have no idea what
permission I'm missing. I haven't found anything in the engine log that
would help me.
Any ideas what's wrong and (more importantly) how to fix it?
Thanks,
-derek
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
10:57 a.m.
Hello,
when using user roles (not admin ones) you have to use filter
parameter. So you need to start the ovirt-shell similar to this:
$ ovirt-shell --filter --username=... --url=... --ca-file=...
On 11/09/2016 10:49 PM, Derek Atkins wrote:
Hi,
I created a user and a new user role, VmStarter, that has two permissions:
System -> Configure System -> Login Permissions
VM -> Basic Operations -> Run VM
I assigned this new user to this role at the data center.
If I login to the user portal with this user I get a screen with all
my VMs, and if a VM is down I can click on the "run" button and it will
start. If a machine is running I cannot click on the stop button (well,
I can, but I get a permission denied error, which is expected). So it
sounds like everything is working.
Now I want to use ovirt-shell to do the same thing. I can login just
fine using this user's credentials, and I get connected. However when I
execute the command to start a VM:
[oVirt shell (connected)]# action vm vm-0 start
I get this error:
==================================== ERROR =================================
status: 400
reason: Bad Request
detail: query execution failed due to insufficient permissions.
============================================================================
This seems to imply I'm missing a permission. But I have no idea what
permission I'm missing. I haven't found anything in the engine log that
would help me.
Any ideas what's wrong and (more importantly) how to fix it?
Thanks,
-derek
5:26 p.m.
Awesome. Thank you. This solved the problem.
Looking with 20/20 hindsight, then --help output says this:
-F, --filter enables user permission based filtering
However as a n00b I would suggest that this is not sufficient to have
figured out the error. From the documentation it's totally unclear the
difference between Admin:VM -> Basic Operations -> Run VM and User:VM ->
Basic Operations -> Run VM. It's unclear from the Role Definition UI, and
it's unclear from the Administration Guide.
One would think that a permission is a permission. Anyways, thank you for
clearing this up. Hopefully this exchange will help the next person that
comes along trying to figure it all out.
Thank you!
-derek
On Thu, November 10, 2016 2:57 am, Ondra Machacek wrote:
Hello,
when using user roles (not admin ones) you have to use filter
parameter. So you need to start the ovirt-shell similar to this:
$ ovirt-shell --filter --username=... --url=... --ca-file=...
On 11/09/2016 10:49 PM, Derek Atkins wrote:
> Hi,
>
> I created a user and a new user role, VmStarter, that has two
> permissions:
> System -> Configure System -> Login Permissions
> VM -> Basic Operations -> Run VM
>
> I assigned this new user to this role at the data center.
>
> If I login to the user portal with this user I get a screen with all
> my VMs, and if a VM is down I can click on the "run" button and it will
> start. If a machine is running I cannot click on the stop button (well,
> I can, but I get a permission denied error, which is expected). So it
> sounds like everything is working.
>
> Now I want to use ovirt-shell to do the same thing. I can login just
> fine using this user's credentials, and I get connected. However when I
> execute the command to start a VM:
>
> [oVirt shell (connected)]# action vm vm-0 start
>
> I get this error:
>
> ==================================== ERROR
> =================================
> status: 400
> reason: Bad Request
> detail: query execution failed due to insufficient permissions.
> ============================================================================
>
> This seems to imply I'm missing a permission. But I have no idea what
> permission I'm missing. I haven't found anything in the engine log that
> would help me.
>
> Any ideas what's wrong and (more importantly) how to fix it?
>
> Thanks,
>
> -derek
>
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
2934
days inactive
2935
days old
2 comments
2 participants
participants (2)
-
Derek Atkins -
Ondra Machacek