[ovirt-users] api access with poweruser role
Jorick Astrego
j.astrego at netbulae.eu
Mon Nov 2 09:41:50 UTC 2015
On 10/29/2015 03:58 PM, Ondra Machacek wrote:
>
>
> On 10/29/2015 03:56 PM, Ondra Machacek wrote:
>>
>>
>> On 10/28/2015 11:29 AM, Jorick Astrego wrote:
>>>
>>>
>>> On 10/26/2015 03:14 PM, Jorick Astrego wrote:
>>>>
>>>>
>>>> On 10/26/2015 02:57 PM, Ondra Machacek wrote:
>>>>>
>>>>>
>>>>> On 10/26/2015 02:53 PM, Jorick Astrego wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Currently I'm trying to add an oVirt compute resource in Foreman
>>>>>> that is limited to the VMs of the user.
>>>>>>
>>>>>> When I give this user the PowerUser role, I cannot access the api:
>>>>>>
>>>>>> query execution failed due to insufficient permissions
>>>>>>
>>>>>
>>>>> Are you sending the header 'Filter: true' with the request?
>>>>> If your user is not an admin (PowerUserRole is not an admin role),
>>>>> you have to use this header.
>>>>>
>>>>>
>>>>
>>>
>>> Hmm, not much response on foreman-users..
>>>
>>> I checked the code of fog in my foreman install (
>>> /opt/rh/ruby193/root/usr/share/gems/gems/fog-1.32.0/lib/fog/ovirt/compute.rb
>>> ) and it appears to have the correct option merged:
>>>
>>> connection_opts[:filtered_api] =
>>> options[:ovirt_filtered_api]
>>>
>>>
>>> But I don't know what url the foreman actually generates, is there
>>> any way to capture the login string? I tried setting some DEBUG
>>> logging but don't get the output I'm looking for.
>>>
>>> <logger category="org.ovirt.engine.core.bll.SearchQuery">
>>> <level name="DEBUG"/>
>>> </logger>
>>> <logger
>>> category="org.ovirt.engine.core.bll.aaa.LoginUserCommand">
>>> <level name="DEBUG"/>
>>> </logger>
>>> <logger
>>> category="org.ovirt.engine.api.restapi.resource.AbstractBackendResource">
>>> <level name="DEBUG"/>
>>> </logger>
>>>
>>>
>>
>> It depends on what URL the Foreman client accesses. But you can set:
>>
>> <logger category="org.ovirt.engine.core.bll">
>> <level name="ALL"/>
>> </logger>
>>
>> And then you will see which commands were queried with or without the
>> filtered API.
>>
>> 2015-10-29 15:45:45,436 TRACE
>> [org.ovirt.engine.core.bll.GetAllVmsQuery] (ajp-/127.0.0.1:8702-1) []
>> START, GetAllVmsQuery(VdcQueryParametersBase:{refresh='true',
>> filtered='true'}), log id: 53b3c8b9
>>
>> ^^ This is an example of running 'Filter: true' on /api/vms (you can see
>> filtered='true').
>
It appears the filtered tag doesn't get set. I'll continue on the
foreman list from now.

2015-11-02 10:29:17,126 DEBUG
[org.ovirt.engine.core.bll.aaa.LoginUserCommand]
(ajp--127.0.0.1-8702-9) Found permission
fbcb73a0-226e-49d4-9e7a-01c665127a07 for user when running
LoginUser, on Bottom with id bbb00000-0000-0000-0000-123456789bbb
2015-11-02 10:29:17,128 DEBUG
[org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
(ajp--127.0.0.1-8702-9) Checking if user testuser is an admin,
result false
2015-11-02 10:29:17,129 INFO
[org.ovirt.engine.core.bll.aaa.LoginUserCommand]
(ajp--127.0.0.1-8702-9) Running command: LoginUserCommand(LoginName
= null, ProfileName = netbulae.test, AuthRecord =
{Extkey[name=AAA_AUTHN_AUTH_RECORD_PRINCIPAL;type=class
java.lang.String;uuid=AAA_AUTHN_AUTH_RECORD_PRINCIPAL[c3498f07-11fe-464c-958c-8bd7490b119a];]=testuser},
IsAdmin = false, ActionType = LoginUser, AuthType = CREDENTIALS)
internal: false.
2015-11-02 10:29:17,132 TRACE
[org.ovirt.engine.core.bll.GetConfigurationValueQuery]
(ajp--127.0.0.1-8702-9) START, GetConfigurationValueQuery(version:
general, configuration value: ApplicationMode, refresh: false,
filtered: false), log id: 438b23b5
2015-11-02 10:29:17,134 TRACE
[org.ovirt.engine.core.bll.GetConfigurationValueQuery]
(ajp--127.0.0.1-8702-9) FINISH, GetConfigurationValueQuery, log id:
438b23b5
2015-11-02 10:29:17,134 TRACE
[org.ovirt.engine.core.bll.aaa.GetValueBySessionQuery]
(ajp--127.0.0.1-8702-9) START, GetValueBySessionQuery(refresh:
false, *filtered: false), *log id: 63d562b7
2015-11-02 10:29:17,135 TRACE
[org.ovirt.engine.core.bll.aaa.GetValueBySessionQuery]
(ajp--127.0.0.1-8702-9) FINISH, GetValueBySessionQuery, log id: 63d562b7
2015-11-02 10:29:17,136 TRACE
[org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9)
START, SearchQuery(search type: StoragePool, search pattern:
[Datacenter : ], case sensitive: true [from: 0, max: -1] refresh:
true, filtered: false), log id: 4e440f95
2015-11-02 10:29:17,138 ERROR
[org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9)
Query execution failed due to insufficient permissions.

I've updated http://projects.theforeman.org/issues/6835

With kind regards,
Jorick Astrego
Netbulae Virtualization Experts
----------------
Tel: 053 20 30 270 info at netbulae.eu Staalsteden 4-3A KvK 08198180
Fax: 053 20 30 271 www.netbulae.eu 7547 TA Enschede BTW NL821234584B01
----------------
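
A small log check for the diagnosis in this thread, added here as an example (not code from oVirt, Foreman or fog): it re-joins the wrapped engine.log records, then reports for each query whether `filtered` was set and whether the engine denied it. The sample input is excerpted from the log lines quoted above; the function and field names are this example's own.

```python
import re

# Sample input: engine.log records quoted in this thread, wrapped as the mail wrapped them.
SAMPLE = """\
2015-10-29 15:45:45,436 TRACE
[org.ovirt.engine.core.bll.GetAllVmsQuery] (ajp-/127.0.0.1:8702-1) []
START, GetAllVmsQuery(VdcQueryParametersBase:{refresh='true',
filtered='true'}), log id: 53b3c8b9
2015-11-02 10:29:17,128 DEBUG
[org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
(ajp--127.0.0.1-8702-9) Checking if user testuser is an admin,
result false
2015-11-02 10:29:17,136 TRACE
[org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9)
START, SearchQuery(search type: StoragePool, search pattern:
[Datacenter : ], case sensitive: true [from: 0, max: -1] refresh:
true, filtered: false), log id: 4e440f95
2015-11-02 10:29:17,138 ERROR
[org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9)
Query execution failed due to insufficient permissions.
"""

STAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} ", re.M)
RECORD = re.compile(r"(\w+) \[([\w.]+)\] \(([^)]+)\) (.*)")
FILTERED = re.compile(r"filtered\s*[:=]\s*'?(true|false)")  # both formats seen above
ADMIN = re.compile(r"Checking if user (\S+) is an admin, result (true|false)")

def records(text):
    """Re-join wrapped lines: one (level, class, thread, message) per timestamped record."""
    for chunk in STAMP.split(text)[1:]:
        m = RECORD.match(" ".join(chunk.split()))
        if m:
            yield m.groups()

def audit(text):
    """One row per START query: who ran it, whether filtered was set, whether it was denied."""
    users, last, rows = {}, {}, []
    for level, cls, thread, msg in records(text):
        a, f = ADMIN.search(msg), FILTERED.search(msg)
        if a:  # remember the admin check made on this worker thread
            users[thread] = (a.group(1), a.group(2) == "true")
        elif "START," in msg and f:
            user, admin = users.get(thread, (None, None))
            last[thread] = {"query": cls.rsplit(".", 1)[-1], "user": user, "admin": admin,
                            "filtered": f.group(1) == "true", "denied": False}
            rows.append(last[thread])
        elif level == "ERROR" and "insufficient permissions" in msg and thread in last:
            last[thread]["denied"] = True  # denial follows its query on the same thread
    return rows
```

A row with `admin` false, `filtered` false and `denied` true is the pattern reported in this message: a non-admin session whose request reached the engine without the filter flag.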