[ovirt-users] api access with poweruser role

Jorick Astrego j.astrego at netbulae.eu
Mon Oct 26 14:14:53 UTC 2015



On 10/26/2015 02:57 PM, Ondra Machacek wrote:
>
>
> On 10/26/2015 02:53 PM, Jorick Astrego wrote:
>> Hi,
>>
>> Currently I'm trying to add an oVirt compute resource in Foreman that
>> is limited to the VMs of the user.
>>
>> When I give this user the PowerUser role, I cannot access the api:
>>
>>     query execution failed due to insufficient permissions
>>
>
> Are you sending the header 'Filter: true' with the request?
> If your user is not an admin (PowerUserRole is not an admin role),
> you have to use this header.
>
>

As I'm using Foreman, I have no control over this. There used to be a
bug, but it should have been patched months ago:

http://projects.theforeman.org/issues/6835



    *Description*

    Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1123676
    Description of problem:
    When trying to create a rhev compute resource with non-admin RHEV
    user, the following error occurs:

    "query execution failed due to insufficient permissions."

    The reason for this is that RHEV needs to be called with the
    'Filter: true' header for the api to work correctly with a
    non-admin user.

    The rbovirt client library supports specifying the filtered_api
    option, but fog and foreman don't have support for that.

    https://github.com/abenari/rbovirt/blob/a7c277e3fc5698e55e95a9432997b1a9c8d486ae/lib/rbovirt.rb#L54-L55


    *History*

    #1 Updated by Dominic Cleal about 1 year ago

      * *Category* set to /Compute resources - oVirt/
      * *Assigned To* deleted (/Dominic Cleal/)

    #2 Updated by Tom Caspy 10 months ago

    added a pull request to the fog gem:
    https://github.com/fog/fog/pull/3393

    #3 Updated by Ohad Levy 5 months ago

    Fog PR has been merged a while ago.

The version of rbovirt we have is:

ruby193-rubygem-rbovirt-0.0.35-1.el6.noarch

Kind regards,

Jorick

>>
>> When I give this user the SuperUser role, I can access the api. But I
>> can see all the VMs of all users.
>>
>> How can I grant api access so the user can deploy through Foreman
>> without giving access to all the VMs in our oVirt environment?
>>
>> Kind regards,
>>
>> Jorick
>





Met vriendelijke groet, With kind regards,

Jorick Astrego

Netbulae Virtualization Experts 

----------------

	Tel: 053 20 30 270 	info at netbulae.eu 	Staalsteden 4-3A 	KvK 08198180
 	Fax: 053 20 30 271 	www.netbulae.eu 	7547 TA Enschede 	BTW NL821234584B01

----------------
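
The three outcomes described in this thread, as an added example that is not part of the original message and not Foreman, fog or rbovirt code: it builds the VM-collection request with and without the 'Filter: true' header and runs it through a simplified model of the engine's decision. The entry point `https://engine.example.com/ovirt-engine/api/`, the inventory, and the helper names `build_vms_request`, `engine_answer` and `compare_access` are assumptions made for illustration.

```ruby
require "net/http"
require "uri"

# Constructed sample inventory: VM name => user holding permissions on it.
INVENTORY = { "web01" => "jorick", "db01" => "alice", "build01" => "jorick" }.freeze
ADMIN_ROLES = %w[SuperUser].freeze # PowerUser is not an admin role (per the thread)
DENIED = "query execution failed due to insufficient permissions"

# Build (without sending) the GET for the VM collection.
# base_url is an assumed entry point, e.g. https://engine.example.com/ovirt-engine/api/
def build_vms_request(base_url, user, password, filtered:)
  req = Net::HTTP::Get.new(URI.join(base_url, "vms"))
  req.basic_auth(user, password)
  req["Accept"] = "application/xml"
  req["Filter"] = "true" if filtered # the header the reply asks about
  req
end

# Simplified model of how the engine answers that request for a given role.
def engine_answer(req, user, role)
  if req["Filter"].to_s.casecmp("true").zero?
    # Filtered call: results are scoped to what this user may see.
    { ok: true, vms: INVENTORY.select { |_vm, owner| owner == user }.keys }
  elsif ADMIN_ROLES.include?(role)
    # Unfiltered admin call: every VM in the environment is returned.
    { ok: true, vms: INVENTORY.keys }
  else
    # Unfiltered call from a non-admin account: the error quoted in the thread.
    { ok: false, error: DENIED }
  end
end

# Run the three combinations discussed in the thread for one user.
def compare_access(user)
  base = "https://engine.example.com/ovirt-engine/api/"
  plain    = build_vms_request(base, user, "placeholder", filtered: false)
  filtered = build_vms_request(base, user, "placeholder", filtered: true)
  {
    poweruser_unfiltered: engine_answer(plain, user, "PowerUser"),
    poweruser_filtered:   engine_answer(filtered, user, "PowerUser"),
    superuser_unfiltered: engine_answer(plain, user, "SuperUser")
  }
end

compare_access("jorick").each { |kase, result| puts "#{kase}: #{result}" }
```

Only the filtered PowerUser call returns a result limited to the user's own VMs; granting SuperUser removes the error by widening visibility to the whole environment.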
