[Users] API read-only access / roles

René Koch (ovido) r.koch at ovido.at
Thu Nov 21 11:11:04 UTC 2013


On Tue, 2013-11-19 at 09:55 +0100, Sander Grendelman wrote:
> On Mon, Nov 18, 2013 at 5:18 PM, René Koch (ovido) <r.koch at ovido.at> wrote:
> > Very nice - do you use my check_rhev3 Nagios plugin
> > (https://github.com/ovido/check_rhev3) or are you working on
> > your own script?
> 
> At the moment: both. The problem with using Nagios scripts in Zabbix is that
> the trigger/alarm decision is made in different places. In Nagios this is done
> in the check scripts / on the "client" side while Zabbix mainly
> collects data and
> fires triggers if certain conditions in that data are met.

Yes that's true. Maybe adding a Zabbix compatibility mode for
check_rhev3 could also be an option where no decisions about the status
is done in the script so you can let Zabbix triggers handle this? Anyway
I think you're much more experienced with Zabbix then I am, so you
properly know better what's the best solution for monitoring oVirt with
Zabbix...

> 
> New(er) Zabbix versions also have a feature called "low level discovery" that
> automatically creates items.
> 
> It also seems that there is better RESTful/ovirt API support in python
> so I'm giving
> that a try too. Although perl is usually my poison of choice too ;)

Yes, the Python SDK is really good.
But as I'm more experienced with Perl I don't use it often...

> 
> >> For this I've created a "AdminLoginOnly" role that only has
> >> System->Configure System->Login Permissions access.
> >>
> >> Is this the way to go for this king of configuration? Or is there
> >> a way to further minimize the permissions of this user?
> >
> > I create a custom role with these permissions for Nagios monitoring,
> > too.
> > I was thinking that in oVirt 3.3 there should be a predefined
> > viewers-role, but can't find it in my setup :(
> 
> OK, that would have been nice, do you have any history on this one?
> 
> >> Another issue is that a "Login" event is generated every time
> >> the user connects through the API. This makes the "Events"
> >> pane less useful / readable. Is there a way to disable this for
> >> some users/roles?
> >
> >
> > It depends if you have your own script or check_rhev3:
> > - check_rhev3 1.2: use option -o
> > - check_rhev3 1.3: you should not see any login information in this
> > version anymore
> > - custom script: see this page on information how to use the JSESSIONID
> > cookie: http://www.ovirt.org/Features/RESTSessionManagement
> 
> Thanks for the info I'll look into this.
> 
> It does make the logic in the script a bit harder because you have to store
> the sessionid somewhere and check if the session is still valid.

I'm not sure if Session management works out of the box in Python SDK (I
think so), so maybe the Python SDK can be the best solution when
starting new scripts for Zabbix...


Regards,
René





More information about the Users mailing list