[ovirt-users] api access with poweruser role

Jorick Astrego j.astrego at netbulae.eu
Mon Nov 2 09:41:50 UTC 2015 


On 10/29/2015 03:58 PM, Ondra Machacek wrote:
>
>
> On 10/29/2015 03:56 PM, Ondra Machacek wrote:
>>
>>
>> On 10/28/2015 11:29 AM, Jorick Astrego wrote:
>>>
>>>
>>> On 10/26/2015 03:14 PM, Jorick Astrego wrote:
>>>>
>>>>
>>>> On 10/26/2015 02:57 PM, Ondra Machacek wrote:
>>>>>
>>>>>
>>>>> On 10/26/2015 02:53 PM, Jorick Astrego wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Currently I'm trying to add an ovirt compute resource in forman
>>>>>> that is limited to the VM's of the user.
>>>>>>
>>>>>> When I give this user the PowerUser role, I cannot access the api:
>>>>>>
>>>>>>     query execution failed due to insufficient permissions
>>>>>>
>>>>>
>>>>> Are you sending header 'Filter: true' with the request ?
>>>>> If your user is not admin(PowerUserRole is not admin role),
>>>>> you have to use this header.
>>>>>
>>>>>
>>>>
>>>
>>> Hmm, not much response on foreman-users..
>>>
>>> I checked the code of fog in my foreman install (
>>> /opt/rh/ruby193/root/usr/share/gems/gems/fog-1.32.0/lib/fog/ovirt/compute.rb
>>> ) and it appears to have the correct option merged:
>>>
>>>               connection_opts[:filtered_api]  =
>>>     options[:ovirt_filtered_api]
>>>
>>>
>>> But I don't know what url the foreman actually generates, is there
>>> any way to capture the login string? I tried setting some DEBUG
>>> logging but don't get the output I'm looking for.
>>>
>>>             <logger category="org.ovirt.engine.core.bll.SearchQuery">
>>>                     <level name="DEBUG"/>
>>>             </logger>
>>>             <logger
>>>     category="org.ovirt.engine.core.bll.aaa.LoginUserCommand">
>>>                     <level name="DEBUG"/>
>>>             </logger>
>>>             <logger
>>>     category="org.ovirt.engine.api.restapi.resource.AbstractBackendResource">
>>>                     <level name="DEBUG"/>
>>>             </logger>
>>>
>>>
>>
>> It depends what url foreman client access. But you can set:
>>
>> <logger category="org.ovirt.engine.core.bll">
>>     <level name="ALL"/>
>> </logger>
>>
>> And then you will see what commands was queried with or without the
>> filtered API.
>>
>> 2015-10-29 15:45:45,436 TRACE
>> [org.ovirt.engine.core.bll.GetAllVmsQuery] (ajp-/127.0.0.1:8702-1) []
>> START, GetAllVmsQuery(VdcQueryParametersBase:{refresh='true',
>> filtered='true'}), log id: 53b3c8b9
>>
>> ^^ This is example of running 'Filter: true' on /api/vms (you can see
>> filtered='true').
>


It appears the filtered tag doesn't get set. I'll continue on the
foreman list from now.

    2015-11-02 10:29:17,126 DEBUG
    [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
    (ajp--127.0.0.1-8702-9) Found permission
    fbcb73a0-226e-49d4-9e7a-01c665127a07 for user when running
    LoginUser, on Bottom with id bbb00000-0000-0000-0000-123456789bbb
    2015-11-02 10:29:17,128 DEBUG
    [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
    (ajp--127.0.0.1-8702-9) Checking if user testuser is an admin,
    result false
    2015-11-02 10:29:17,129 INFO 
    [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
    (ajp--127.0.0.1-8702-9) Running command: LoginUserCommand(LoginName
    = null, ProfileName = netbulae.test, AuthRecord =
    {Extkey[name=AAA_AUTHN_AUTH_RECORD_PRINCIPAL;type=class
    java.lang.String;uuid=AAA_AUTHN_AUTH_RECORD_PRINCIPAL[c3498f07-11fe-464c-958c-8bd7490b119a];]=testuser},
    IsAdmin = false, ActionType = LoginUser, AuthType = CREDENTIALS)
    internal: false.
    2015-11-02 10:29:17,132 TRACE
    [org.ovirt.engine.core.bll.GetConfigurationValueQuery]
    (ajp--127.0.0.1-8702-9) START, GetConfigurationValueQuery(version:
    general, configuration value: ApplicationMode, refresh: false,
    filtered: false), log id: 438b23b5
    2015-11-02 10:29:17,134 TRACE
    [org.ovirt.engine.core.bll.GetConfigurationValueQuery]
    (ajp--127.0.0.1-8702-9) FINISH, GetConfigurationValueQuery, log id:
    438b23b5
    2015-11-02 10:29:17,134 TRACE
    [org.ovirt.engine.core.bll.aaa.GetValueBySessionQuery]
    (ajp--127.0.0.1-8702-9) START, GetValueBySessionQuery(refresh:
    false, *filtered: false), *log id: 63d562b7
    2015-11-02 10:29:17,135 TRACE
    [org.ovirt.engine.core.bll.aaa.GetValueBySessionQuery]
    (ajp--127.0.0.1-8702-9) FINISH, GetValueBySessionQuery, log id: 63d562b7
    2015-11-02 10:29:17,136 TRACE
    [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9)
    START, SearchQuery(search type: StoragePool, search pattern:
    [Datacenter : ], case sensitive: true [from: 0, max: -1] refresh:
    true, filtered: false), log id: 4e440f95
    2015-11-02 10:29:17,138 ERROR
    [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-9)
    Query execution failed due to insufficient permissions.

I've updated http://projects.theforeman.org/issues/6835





Met vriendelijke groet, With kind regards,

Jorick Astrego

Netbulae Virtualization Experts 

----------------

	Tel: 053 20 30 270 	info at netbulae.eu 	Staalsteden 4-3A 	KvK 08198180
 	Fax: 053 20 30 271 	www.netbulae.eu 	7547 TA Enschede 	BTW NL821234584B01

----------------

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20151102/f7670285/attachment-0001.html>

More information about the Users mailing list