[ovirt-users] api access with poweruser role

Ondra Machacek omachace at redhat.com
Thu Oct 29 14:58:06 UTC 2015



On 10/29/2015 03:56 PM, Ondra Machacek wrote:
>
>
> On 10/28/2015 11:29 AM, Jorick Astrego wrote:
>>
>>
>> On 10/26/2015 03:14 PM, Jorick Astrego wrote:
>>>
>>>
>>> On 10/26/2015 02:57 PM, Ondra Machacek wrote:
>>>>
>>>>
>>>> On 10/26/2015 02:53 PM, Jorick Astrego wrote:
>>>>> Hi,
>>>>>
>>>>> Currently I'm trying to add an oVirt compute resource in Foreman 
>>>>> that is limited to the VMs of the user.
>>>>>
>>>>> When I give this user the PowerUser role, I cannot access the api:
>>>>>
>>>>>     query execution failed due to insufficient permissions
>>>>>
>>>>
>>>> Are you sending the header 'Filter: true' with the request?
>>>> If your user is not an admin (PowerUserRole is not an admin role),
>>>> you have to use this header.
>>>>
>>>>
>>>
>>
>> Hmm, not much response on foreman-users..
>>
>> I checked the code of fog in my foreman install ( 
>> /opt/rh/ruby193/root/usr/share/gems/gems/fog-1.32.0/lib/fog/ovirt/compute.rb 
>> ) and it appears to have the correct option merged:
>>
>>     connection_opts[:filtered_api] = options[:ovirt_filtered_api]
>>
>>
>> But I don't know what url the foreman actually generates, is there 
>> any way to capture the login string? I tried setting some DEBUG 
>> logging but don't get the output I'm looking for.
>>
>>     <logger category="org.ovirt.engine.core.bll.SearchQuery">
>>         <level name="DEBUG"/>
>>     </logger>
>>     <logger category="org.ovirt.engine.core.bll.aaa.LoginUserCommand">
>>         <level name="DEBUG"/>
>>     </logger>
>>     <logger category="org.ovirt.engine.api.restapi.resource.AbstractBackendResource">
>>         <level name="DEBUG"/>
>>     </logger>
>>
>>
>
> It depends on what URL the Foreman client accesses. But you can set:
>
> <logger category="org.ovirt.engine.core.bll">
>     <level name="ALL"/>
> </logger>
>
> And then you will see which commands were queried with or without the 
> filtered API.
>
> 2015-10-29 15:45:45,436 TRACE [org.ovirt.engine.core.bll.GetAllVmsQuery] (ajp-/127.0.0.1:8702-1) [] START, GetAllVmsQuery(VdcQueryParametersBase:{refresh='true', filtered='true'}), log id: 53b3c8b9
>
> ^^ This is an example of running 'Filter: true' on /api/vms (you can see 
> filtered='true').

But maybe it would be easier to use tcpdump, or some Apache module, to 
dump the headers.

>
>>
>>
>>
>>
>>
>>
>> Met vriendelijke groet, With kind regards,
>>
>> Jorick Astrego
>> *
>> Netbulae Virtualization Experts *
>> ------------------------------------------------------------------------
>> Tel: 053 20 30 270 	info at netbulae.eu 	Staalsteden 4-3A 	KvK 08198180
>> Fax: 053 20 30 271 	www.netbulae.eu 	7547 TA Enschede 	BTW 
>> NL821234584B01
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
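
Added example, not part of the original thread: a small parser for the engine TRACE lines quoted above that reports, per backend query, whether it ran with filtered='true', so requests arriving without the 'Filter: true' header stand out. Only the first sample line comes from the thread; the other two (including the filtered='false' form and the log id 00000001) are constructed assumptions.

```python
import re

# Line 1 is the TRACE entry quoted in the thread, re-joined onto one line.
# Lines 2 and 3 are constructed for this example; the filtered='false'
# form and the log id 00000001 are assumptions, not taken from the thread.
SAMPLE_LOG = """\
2015-10-29 15:45:45,436 TRACE [org.ovirt.engine.core.bll.GetAllVmsQuery] (ajp-/127.0.0.1:8702-1) [] START, GetAllVmsQuery(VdcQueryParametersBase:{refresh='true', filtered='true'}), log id: 53b3c8b9
2015-10-29 15:46:02,118 TRACE [org.ovirt.engine.core.bll.GetAllVmsQuery] (ajp-/127.0.0.1:8702-2) [] START, GetAllVmsQuery(VdcQueryParametersBase:{refresh='true', filtered='false'}), log id: 00000001
2015-10-29 15:46:02,120 INFO  [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-2) [] unrelated message
"""

# timestamp, level, [logger category], (thread), ..., START, Query(Params:{k='v', ...})
START_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+\w+\s+"
    r"\[(?P<category>[\w.]+)\]\s+\((?P<thread>[^)]*)\).*?"
    r"START, (?P<query>\w+)\(\w+:\{(?P<params>.*)\}\), log id: (?P<log_id>\w+)"
)
PARAM_RE = re.compile(r"(\w+)='([^']*)'")


def parse_query_starts(log_text):
    """Return one dict per 'START, <Query>(...)' line found in log_text."""
    entries = []
    for line in log_text.splitlines():
        match = START_RE.search(line)
        if match is None:
            continue  # not a query START line
        params = dict(PARAM_RE.findall(match.group("params")))
        entries.append({
            "timestamp": match.group("ts"),
            "query": match.group("query"),
            "thread": match.group("thread"),
            "log_id": match.group("log_id"),
            # None when the parameter dump carries no 'filtered' key at all
            "filtered": {"true": True, "false": False}.get(params.get("filtered")),
        })
    return entries


def unfiltered_queries(entries):
    """Queries that did not run through the filtered (user-level) API."""
    return [e for e in entries if e["filtered"] is not True]


if __name__ == "__main__":
    for e in parse_query_starts(SAMPLE_LOG):
        print(e["timestamp"], e["query"], "filtered=%s" % e["filtered"])
```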
