[Users] Authentication for REST APIs?

Itamar Heim iheim at redhat.com
Wed Oct 3 05:55:40 UTC 2012


On 10/03/2012 05:40 AM, Brian Vetter wrote:
> The "error: 'str' object has no attribute 'product_info'" was a red
> herring (mistyped url). The 401 errors for non-admins though is still
> quite real.
>
> Detailed response inside ...
>
> On Oct 2, 2012, at 1:48 PM, Michael Pasternak wrote:
>
>> Hi Brian,
>>
>> On 10/02/2012 05:52 PM, Brian Vetter wrote:
>>> I also tried a simple connect to the home of the ovirt server in the
>>> ovirt-shell:
>>>
>>>    [oVirt shell (disconnected)]# connect https://ovirtserver <user>
>>> <pass>
>>>
>>>    error: 'str' object has no attribute 'product_info'
>>
>> this could happen if you're trying to connect to an SSL site via HTTP protocol,
>> btw what sdk/cli version are you using [1]? latest sdk/cli protects against
>> this.
>>
>> [1] run 'info' command in cli
>
> As this turned out, the problem was due to a bad url (transposed
> characters). Once fixed, I'm back to the 401 error condition.
>
>>> As to your question:
>>>
>>>>    i think you should get an empty list and not a 401 in any case,
>>>> but just to make sure - you have the user role on a specific VM and
>>>> you don't see it?
>>>
>>>
>>> Yes, I believe this is true. If the same user logs into the user
>>> portal, he can see the VM and start/stop it. From the ovirt admin
>>> portal, I see the following permissions
>>> for the VM:
>>
>> does this user have any other role/s besides UserRole?
>
> No, the only role it is given is UserRole. Here is how it was applied:
>
> 1) The user was created in my directory server (that was added to the
> ovirt manager during setup).
> 2) After creating a new desktop VM, I selected the VM, selected its
> Permissions tab, and then added the user with the role 'UserRole' to the
> VM. This was all done in the ovirt-manager web app.
> 3) I then log in to the user portal with that user account name. After
> refreshing the VM list (a very minor bug), I see the VM that was
> assigned to the user.
> 4) When using the ovirt-shell command, the connect command fails with an
> error 401 as in the following text:
>
>     [oVirt shell (disconnected)]# connect https://ovirt-serveri/
>     'xxx at yyyy' 'pword'
>
>     error: Unauthorized, [Errno: 401]
>
> 5) If I add the "DatacenterAdmin" role, the connect command works.
> 6) Similarly, if I use curl, I get the same HTTPS Status 401 error.
>
>     # curl --cacert $CA_FILE -X GET -H "Filter: true" -u xxx at yyyy:pword
>     https://ovirtserver/api/vms > uservms.xml
>
>     # cat uservms.xml
>     <html><head><title>JBoss Web/7.0.0.SNAPSHOT - Error
>     report</title><style><!--H1
>     {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
>     H2
>     {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
>     H3
>     {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
>     BODY
>     {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}
>     B
>     {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
>     P
>     {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
>     {color : black;}A.name {color : black;}HR {color :
>     #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR
>     size="1" noshade="noshade"><p><b>type</b> Status
>     report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This
>     request requires HTTP authentication ().</u></p><HR size="1"
>     noshade="noshade"><h3>JBoss
>     Web/7.0.0.SNAPSHOT</h3></body></html>[bjv at eos ~]$
>
>
> 7) I see the following when I use ovirt -d and do the connect:
>
>     send: 'GET /api HTTP/1.1\r\nHost: eos.testcloud.com\r\nAccept-Encoding: identity\r\nPrefer:
>     persistent-auth\r\nContent-type: application/xml\r\nAuthorization:
>     Basic Ymp2ZXR0ZXJAZHJvaWRjbG91ZC5tb2JpOmxvc3QrZm91bmQ=\r\n\r\n'
>     reply: 'HTTP/1.1 401 Unauthorized\r\n'
>     header: Date: Wed, 03 Oct 2012 03:24:53 GMT
>     header: Set-Cookie: JSESSIONID=n3Ex3mxsvzTEM3rlkiHa85mP.undefined;
>     Path=/api; Secure
>     header: WWW-Authenticate: Basic realm="ENGINE"
>     header: Content-Type: text/html;charset=utf-8
>     header: Content-Length: 962
>     header: Connection: close
>
>
> Clearly, the ovirt-shell and curl are making the same request and
> getting the same error response.
>
> The engine.log file in /var/log/ovirt-engine has the following after I
> try to connect:
>
>     2012-10-02 22:28:37,489 INFO
>       [org.ovirt.engine.core.bll.LoginAdminUserCommand]
>     (ajp--0.0.0.0-8009-3) *Checking if user bjvetter is an admin, result
>     false*
>     2012-10-02 22:28:37,490 WARN
>       [org.ovirt.engine.core.bll.LoginAdminUserCommand]
>     (ajp--0.0.0.0-8009-3) CanDoAction of action LoginAdminUser failed.
>     Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>     2012-10-02 22:28:37,491 INFO
>       [org.ovirt.engine.api.restapi.security.auth.LoginValidator]
>     (ajp--0.0.0.0-8009-3) Login failure, user: bjvetter domain:
>     my.testcloud.com reason:
>     [USER_NOT_AUTHORIZED_TO_PERFORM_ACTION]
>
>
> So based upon what I see in this log file, it would seem that the
> connect API wants to make sure that I am an admin and not a regular user.
>
> Which gets me back to my original question: Do the REST API and the
> ovirt-shell require admin privileges or is there a separate uri
> namespace for regular users to make requests? Or perhaps more direct,
> should https://$ovirt-server/api/vms be accessible to non-admins or is
> there a different url a non-admin should use?
>
> Brian
>

which version of the sdk are you using?
michael - maybe user level api made it into upstream post ovirt 3.1 
feature freeze (brian, in that case, it will be in ovirt 3.2, slated for 
freeze in November/release in December)
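
An added example, not part of the original message and not oVirt code: the 401 response in the thread does not tell the client why the login was rejected, so engine.log is where the cause has to be read. The function below pairs the LoginAdminUserCommand admin check with the LoginValidator failure on the same thread; its sample input is constructed from the log lines quoted above, and the fourth record with its `example-user` and `EXAMPLE_OTHER_REASON` values is a placeholder.

```python
import re

# Constructed sample: the first three records are the engine.log lines quoted
# in the thread, unwrapped to one per line. The fourth record, its user and
# its reason code are placeholders invented for contrast, not real oVirt values.
SAMPLE_LOG = """\
2012-10-02 22:28:37,489 INFO  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-3) Checking if user bjvetter is an admin, result false
2012-10-02 22:28:37,490 WARN  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-3) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2012-10-02 22:28:37,491 INFO  [org.ovirt.engine.api.restapi.security.auth.LoginValidator] (ajp--0.0.0.0-8009-3) Login failure, user: bjvetter domain: my.testcloud.com reason: [USER_NOT_AUTHORIZED_TO_PERFORM_ACTION]
2012-10-02 22:31:02,114 INFO  [org.ovirt.engine.api.restapi.security.auth.LoginValidator] (ajp--0.0.0.0-8009-5) Login failure, user: example-user domain: my.testcloud.com reason: [EXAMPLE_OTHER_REASON]
"""

RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \w+\s+"
    r"\[[\w.]+\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")
ADMIN_CHECK = re.compile(
    r"Checking if user (?P<user>\S+) is an admin, result (?P<result>true|false)")
LOGIN_FAIL = re.compile(
    r"Login failure, user: (?P<user>\S+) domain: (?P<domain>\S+) "
    r"reason: \[(?P<reason>[^\]]*)\]")

def triage(log_text):
    """Return one finding per REST login failure, labelled by likely cause."""
    failed_admin_check = set()  # (thread, user) whose admin check returned false
    findings = []
    for line in log_text.splitlines():
        rec = RECORD.match(line)
        if not rec:
            continue  # continuation lines, stack traces, other formats
        thread, msg = rec["thread"], rec["msg"]
        check = ADMIN_CHECK.search(msg)
        if check:
            if check["result"] == "false":
                failed_admin_check.add((thread, check["user"]))
            continue
        fail = LOGIN_FAIL.search(msg)
        if fail:
            key = (thread, fail["user"])
            not_admin = (key in failed_admin_check and
                         fail["reason"] == "USER_NOT_AUTHORIZED_TO_PERFORM_ACTION")
            failed_admin_check.discard(key)
            findings.append({"ts": rec["ts"], "user": fail["user"],
                             "domain": fail["domain"], "reason": fail["reason"],
                             "cause": "not_admin" if not_admin else "other"})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["user"], f["cause"], f["reason"])
```

A finding labelled `not_admin` points at role assignment rather than at the credentials; records wrapped across lines, as they appear in the quoted e-mail, must be unwrapped before parsing.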



