[ovirt-users] api access with poweruser role

Ondra Machacek omachace at redhat.com
Thu Oct 29 14:56:20 UTC 2015 


On 10/28/2015 11:29 AM, Jorick Astrego wrote:
>
>
> On 10/26/2015 03:14 PM, Jorick Astrego wrote:
>>
>>
>> On 10/26/2015 02:57 PM, Ondra Machacek wrote:
>>>
>>>
>>> On 10/26/2015 02:53 PM, Jorick Astrego wrote:
>>>> Hi,
>>>>
>>>> Currently I'm trying to add an ovirt compute resource in forman 
>>>> that is limited to the VM's of the user.
>>>>
>>>> When I give this user the PowerUser role, I cannot access the api:
>>>>
>>>>     query execution failed due to insufficient permissions
>>>>
>>>
>>> Are you sending header 'Filter: true' with the request ?
>>> If your user is not admin(PowerUserRole is not admin role),
>>> you have to use this header.
>>>
>>>
>>
>
> Hmm, not much response on foreman-users..
>
> I checked the code of fog in my foreman install ( 
> /opt/rh/ruby193/root/usr/share/gems/gems/fog-1.32.0/lib/fog/ovirt/compute.rb 
> ) and it appears to have the correct option merged:
>
>               connection_opts[:filtered_api]  =
>     options[:ovirt_filtered_api]
>
>
> But I don't know what url the foreman actually generates, is there any 
> way to capture the login string? I tried setting some DEBUG logging 
> but don't get the output I'm looking for.
>
>             <logger category="org.ovirt.engine.core.bll.SearchQuery">
>                     <level name="DEBUG"/>
>             </logger>
>             <logger
>     category="org.ovirt.engine.core.bll.aaa.LoginUserCommand">
>                     <level name="DEBUG"/>
>             </logger>
>             <logger
>     category="org.ovirt.engine.api.restapi.resource.AbstractBackendResource">
>                     <level name="DEBUG"/>
>             </logger>
>
>

It depends what url foreman client access. But you can set:

<logger category="org.ovirt.engine.core.bll">
     <level name="ALL"/>
</logger>

And then you will see what commands was queried with or without the 
filtered API.

2015-10-29 15:45:45,436 TRACE [org.ovirt.engine.core.bll.GetAllVmsQuery] 
(ajp-/127.0.0.1:8702-1) [] START, 
GetAllVmsQuery(VdcQueryParametersBase:{refresh='true', 
filtered='true'}), log id: 53b3c8b9

^^ This is example of running 'Filter: true' on /api/vms (you can see 
filtered='true').

>
>
>
>
>
>
> Met vriendelijke groet, With kind regards,
>
> Jorick Astrego
> *
> Netbulae Virtualization Experts *
> ------------------------------------------------------------------------
> Tel: 053 20 30 270 	info at netbulae.eu 	Staalsteden 4-3A 	KvK 08198180
> Fax: 053 20 30 271 	www.netbulae.eu 	7547 TA Enschede 	BTW NL821234584B01
>
>
> ------------------------------------------------------------------------
>
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20151029/37cc31ef/attachment-0001.html>

More information about the Users mailing list