[ovirt-users] OVirt API question

Juan Hernández jhernand at redhat.com
Mon Jul 25 10:56:05 UTC 2016 

On 07/25/2016 08:43 AM, Костя Климук wrote:
> Hello, OVirt community!
> 
> I have some problems in understanding with OVirt (v 3.6.0) API.
> I'm trying to create user with specifying his roles, by using such
> signature in POST call:
> 
>     <user>
> 
>         <user_name>testuser at saml-auth</user_name>
> 
>         <roles>
> 
>             <role id="some_role_id1"/>
> 
>             <role id="some_role_id2"/>
> 
>             <role id="some_role_id3"/>
> 
>         </roles>
> 
>     </user>
> 
> 
> The user is created but without the roles.
> The next issues, that I encountered is associated with updating of
> existing user (adding the roles to him). I am trying to do PUT call on
> .../ovirt-engine/api/users/long_user_id/roles :
> 
>     <role id="some_role_id1"/>
> 
> 
> But this doesn't work.
> Please, give we insight in what I am doing wrong.
> 

In order to do this you first need to add the user, as you did, but
without the roles (if you include then they will just be ignored):

  POST /ovirt-engine/api/users
  <user>
    <user_name>testuser at saml-auth</user_name>
  </user>

This will return you the added user, including the an identifier:

  <user id="the_user_id" href="...">
    ...
  </user>

But you can't directly add role to an user, because there isn't really a
direct relationship between users and roles. Instead you need to add
"permissions", and each permission is composed of an user, a role and an
object. For example, if you want to add to that user the role
"ClusterAdmin" role for a specific cluster:

  POST /ovirt-engine/api/users/the_user_id/permissions
  <permission>
    <role id="the_role_id"/>
    <cluster id="the_cluster_id"/>
  </permission>

Alternatively, you can also add the permission using the collection of
the object. For example:

  POST /ovirt-engine/api/clusters/the_cluster_id/permissions
  <permission>
    <role id="the_role_id"/>
    <user id="the_user_id"/>
  </permission>

The /users/the_user_id/roles has a rather strange meaning, it displays
(read only) the roles of the permissions corresponding to the "system"
object. You should probably avoid it completely, and we should probably
remove it.

-- 
Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.

More information about the Users mailing list