[Users] Authentication for REST APIs?

Brian Vetter bjvetter at gmail.com
Tue Oct 2 15:52:44 UTC 2012


I also tried a simple connect to the home of the ovirt server in the ovirt-shell:

[oVirt shell (disconnected)]# connect https://ovirtserver <user> <pass>

error: 'str' object has no attribute 'product_info'

[oVirt shell (disconnected)]# 

So this happens without trying to get to the api/vms.

As to your question:
> i think you should get an empty list and not a 401 in any case, but just to make sure - you have the user role on a specific VM and you don't see it?


Yes, I believe this is true. If the same user logs into the user portal, he can see the VM and start/stop it. From the ovirt admin portal, I see the following permissions for the VM:

User                                Role
Brian Vetter (bjvetter at domain)   UserRole

Brian

On Oct 2, 2012, at 10:27 AM, Itamar Heim wrote:

> On 10/02/2012 05:20 PM, Brian Vetter wrote:
>>> 3.1 added support for non admin to use the api.
>>> i.e., this should work.
>>> which specific version are you using?
>> 
>> From the about box in the admin web app:
>> 
>>    oVirt Engine Version:3.1.0-2.fc17
>> 
>> 
>> The curl command I send is:
>> 
>>    curl --cacert $CA_FILE -X GET -H "Filter: true" -u user@domain:password https://$OVIRT/api/vms > uservms.xml
>> 
>> 
>> The output when my user's group has a DOMAIN_ADMIN role contains the xml
>> for the VMs. The output when the user's group has either a power user or
>> a regular user role contains the error response with a 401 unauthorized
>> error.
>> 
>> I had lots of fun getting this server set up so it is possible I made a
>> mistake during installation, but it seems pretty functional right now.
>> Everything seems to be working but I haven't been able to test out
>> how/if I can connect a new, non-portal client without having to add new
>> servlets.
> 
> i think you should get an empty list and not a 401 in any case, but just to make sure - you have the user role on a specific VM and you don't see it?
> michael - thoughts?
> maybe this was fixed post ovirt 3.1 fedora release?
> 
>> 
>> Brian
>> 
>> On Oct 2, 2012, at 9:57 AM, Itamar Heim wrote:
>> 
>>> On 10/02/2012 04:52 PM, Brian Vetter wrote:
>>>> Adding the "Filter:true" header to the curl request doesn't change
>>>> anything. If the user account is not an admin account, I get a 401
>>>> status result. So my question still stands, can the REST API be used
>>>> by a mere, non-admin "mortal" or is it only for administrative functions?
>>>> 
>>>> I'm in the process of trying to hook up a different client to a VM
>>>> managed by ovirt. I can't use the user portal app. So I was trying to
>>>> use the REST APIs on behalf of a normal, non-admin user to get the
>>>> list of the authenticating user's VMs and their connection information.
>>> 
>>> 3.1 added support for non admin to use the api.
>>> i.e., this should work.
>>> which specific version are you using?
>>> 
>>>> 
>>>> Brian
>>>> 
>>>> On Oct 2, 2012, at 2:15 AM, Itamar Heim wrote:
>>>> 
>>>>> On 10/02/2012 06:28 AM, Brian Vetter wrote:
>>>>>> I've done two different things. First, I associated one of my
>>>>>> groups in my directory with being a VMUser which gave members
>>>>>> access to a particular VM. If I login with one of those users via
>>>>>> the User portal, I can see their VM (or VMs if I do more than one).
>>>>>> If I use the REST API (or ovirt-shell) using this user's account
>>>>>> and password, I get an unauthorized error.
>>>>>> 
>>>>>> Similarly, I have another group that is assigned the DomainManager
>>>>>> role. If I add this other user to that group, when I login with
>>>>>> that user via the user portal, I see the advanced portal. If I use
>>>>>> the REST-API (using curl) or ovirt-shell and use the user's login
>>>>>> information, I now am authorized and see a list of VMs returned as
>>>>>> XML (in the case of curl).
>>>>>> 
>>>>>> That said, I see all VMs in the system, not just the one assigned
>>>>>> to the user that logged in. So this makes me think that either the
>>>>>> REST API for getting the APIs as suggested by the article is an
>>>>>> administrative API and there is either (a) a different rest API/uri
>>>>>> that returns the logged in user's vms (the list that would be
>>>>>> returned to the portal) or (b) no way to get a particular user's
>>>>>> list of VMs authenticated as the user.
>>>>> 
>>>>> you need to specify to the api you want to view things in "user
>>>>> mode" via the filter header.
>>>>> Example:
>>>>> curl -X GET -H "Filter: true" -u user@domain:password http://[servername]:PORT/api/vms
>>>>> 
>>>>> 
>>>>> 
>>>>>> 
>>>>>> Brian
>>>>>> 
>>>>>> On Oct 1, 2012, at 10:49 PM, Yair Zaslavsky wrote:
>>>>>> 
>>>>>>> Hi Brian,
>>>>>>> I looked at the wiki -
>>>>>>> I assume you're referring to the "showVm" part.
>>>>>>> Have you assigned any permissions to the user that is supposed to
>>>>>>> view the VMs?
>>>>>>> I assume you created the VMs with the administrator user, so any
>>>>>>> other user will require proper permissions in order to
>>>>>>> view these VMs
>>>>>>> 
>>>>>>> Yair
>>>>>>> 
>>>>>>> 
>>>>>>> On 10/02/2012 05:09 AM, Brian Vetter wrote:
>>>>>>>> I was trying to use both the rest api to view a user's vm
>>>>>>>> information. I found that the REST APIs always returned an
>>>>>>>> authentication error if the account I had logged into was not an
>>>>>>>> ovirt administrator. I am guessing that either (a) I am using the
>>>>>>>> wrong URL in the REST api or (b) you must be some kind of admin
>>>>>>>> to access the REST APIs. I noticed the same behavior when I was
>>>>>>>> using the ovirt-shell tool.
>>>>>>>> 
>>>>>>>> For example, I was trying to follow the instructions in
>>>>>>>> http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal
>>>>>>>> to get the list of VMs (presumably for the user that is logging
>>>>>>>> in), I get an unauthorized error. If the user account I login
>>>>>>>> with in the curl or ovirt-shell connect statement is an admin, I
>>>>>>>> get the list of VMs.
>>>>>>>> 
>>>>>>>> So my question here is does the REST-API need admin privileges or
>>>>>>>> am I using a url that requires admin privileges whereas some
>>>>>>>> others don't. And if it is the latter, is there somewhere that
>>>>>>>> documents the various rest api resources? For example, to go back
>>>>>>>> to the "How to connect to Spice console ..." article, how would
>>>>>>>> one use the REST API to fetch one's virtual machines, their
>>>>>>>> status, and connection info for them?
>>>>>>>> 
>>>>>>>> Thanks,
>>>>>>>> 
>>>>>>>> Brian
>>>> 
>>> 
>>> 
>> 
> 
> 
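
Added example, not part of the original thread or of oVirt's own code: a Python sketch of the request discussed above (HTTP Basic credentials as user@domain plus the "Filter: true" user-mode header) and of the three outcomes the thread distinguishes: 401, an empty list, or the user's VMs. The host name `ovirt.example`, the sample XML body and its element names are constructed assumptions, not output captured from an engine.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

def build_vms_request(base_url, user, domain, password, user_mode=True):
    """GET <base_url>/api/vms with HTTP Basic auth as user@domain.

    user_mode=True adds the "Filter: true" header from the thread, asking the
    engine to answer in "user mode" rather than as an administrator.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/api/vms", method="GET")
    token = base64.b64encode(f"{user}@{domain}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    if user_mode:
        req.add_header("Filter", "true")
    return req

def interpret(status, body):
    """Turn an HTTP status and XML body into (verdict, [vm dicts])."""
    if status == 401:
        return "unauthorized", []
    if status != 200:
        return f"unexpected-{status}", []
    vms = []
    for vm in ET.fromstring(body).findall("vm"):
        vms.append({
            "id": vm.get("id"),
            "name": vm.findtext("name"),
            "state": vm.findtext("status/state"),
            "display": vm.findtext("display/type"),
            "address": vm.findtext("display/address"),
            "port": vm.findtext("display/port"),
        })
    return ("visible" if vms else "empty-list"), vms

# Constructed sample body; element names are an assumption about the XML layout.
SAMPLE = """<vms>
  <vm id="00000000-0000-0000-0000-000000000001">
    <name>desktop-example</name>
    <status><state>up</state></status>
    <display><type>spice</type><address>192.0.2.10</address><port>5900</port></display>
  </vm>
</vms>"""

if __name__ == "__main__":
    req = build_vms_request("https://ovirt.example", "user", "domain", "password")
    print(req.full_url, dict(req.header_items()))
    print(interpret(200, SAMPLE))    # user sees the VM they hold a role on
    print(interpret(200, "<vms/>"))  # authenticated, nothing visible
    print(interpret(401, ""))        # the result reported for non-admin users
```

Basic credentials are only base64-encoded, so send the request over HTTPS with the engine's CA verified, as the `--cacert` option does in the curl command quoted above.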
