[Engine-devel] Permissions involved in using REST API

Oved Ourfalli ovedo at redhat.com
Thu Nov 7 08:26:42 UTC 2013



----- Original Message -----
> From: "Jonathan Daugherty" <jtd at galois.com>
> To: engine-devel at ovirt.org
> Cc: "Trevor Elliott" <trevor at galois.com>
> Sent: Thursday, November 7, 2013 1:34:01 AM
> Subject: [Engine-devel] Permissions involved in using REST API
> 
> Hi all,
> 
> I'm interested in setting up a non-administrative user account to be
> used to access the oVirt REST API.  I have a user who is testing this
> functionality by integrating some Vagrant-related software to talk to
> oVirt.  The user's oVirt account is a non-admin account with enough
> privileges to create and modify VMs on one of my clusters.
> 
> What we found is that the account is unable to make requests to, say,
> 
>   /api/vms
> 
> (he gets 401 or 404 responses) and instead gets a response indicating
> that the account has "insufficient permissions."  My engine.log says of
> the access only this:
> 
>   2013-11-06 14:50:28,158 ERROR
>   [org.ovirt.engine.api.restapi.resource.AbstractBackendResource]
>   (ajp--127.0.0.1-8702-13) Operation Failed: query execution failed due to insufficient permissions.
> 
> and in server.log I have seen Java tracebacks involving this[1]:
> 
>   2013-11-06 14:50:28,159 WARN
>   [org.jboss.resteasy.core.SynchronousDispatcher]
>   (ajp--127.0.0.1-8702-13) failed to execute:
>   org.ovirt.engine.api.restapi.resource.BaseBackendResource$WebFaultException
> 
> Later we found that assigning an Admin role to the user's account at the
> data center level with no permissions enabled permitted API access.  So
> the user was able to make requests to /api/ URLs and get data and was
> able to log into the oVirt administration portal but was unable to take
> further action.
> 
> So my questions are:
> 
>  - Is this expected behavior?  Is there some smaller (less permissive)
>    change in privileges I can use to bring about the same behavior?
> 

Yes. That's the expected behavior. However, when accessing the API you can set the "filter" header parameter to "true", and that will get you to the user-level API.
Let me know if you need technical assistance with that.

>  - Is there some place where such behavior is documented?  I couldn't
>    find any.  The documentation on permissions on the RHEV docs only
>    mentions the overall impact of using specific roles and permissions
>    and says nothing about API access consequences or "Admin" roles with
>    no permissions.
> 

Unfortunately I didn't find any documentation on that on the ovirt wiki.
Michael - do you know if such documentation exists somewhere?


> My initial assumption was that any user with credentials would be able
> to make API requests, but that the corresponding API responses would be
> filtered based on what the user had privileges to see just as with the
> User Portal.
> 
> Thanks!
> 
> [1] A full trace can be found at http://pastebin.com/czcfQkYL
> 
> --
>   Jonathan Daugherty
>   Software Engineer
>   Galois, Inc.
> _______________________________________________
> Engine-devel mailing list
> Engine-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/engine-devel
> 
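The "Filter: true" header mentioned in the reply, as an added example that is not from the original thread or from the oVirt project: a small urllib client that asks /api/vms for the user-level view and recognises the "insufficient permissions" fault. It assumes oVirt's 3.x URL layout, HTTP Basic auth with a user@domain login and the XML fault format; the sample fault body is constructed from the log line quoted above.

```python
"""Query /api/vms as a non-admin user via the oVirt REST API (added example)."""
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def build_vms_request(base_url, username, password, filtered=True):
    """Build a GET /api/vms request.

    filtered=True adds 'Filter: true', which asks the engine for the
    permission-filtered user-level view instead of the admin-level one.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/api/vms")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/xml")
    if filtered:
        req.add_header("Filter", "true")
    return req


def explain_fault(body):
    """Return the engine's fault detail from an XML <fault> body, or None."""
    root = ET.fromstring(body)
    if root.tag != "fault":
        return None
    detail = root.findtext("detail", default="")
    if "insufficient permissions" in detail:
        return ("admin-level query refused for this account; retry with "
                "'Filter: true' or assign an Admin role. Detail: " + detail)
    return detail


# Constructed sample fault, shaped like the engine.log message in the thread.
SAMPLE_FAULT = (b"<fault><reason>Operation Failed</reason>"
                b"<detail>query execution failed due to insufficient permissions."
                b"</detail></fault>")


def fetch_vms(base_url, username, password, filtered=True):
    """Send the request and return (http_status, response_body)."""
    req = build_vms_request(base_url, username, password, filtered)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
```

A 4xx body returned by fetch_vms can be passed to explain_fault to tell a permissions fault from other errors.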
