[ovirt-users] extra permissions required to start VM via ovirt-shell?

Derek Atkins derek at ihtfp.com
Thu Nov 10 14:26:51 UTC 2016


Awesome.  Thank you.  This solved the problem.

Looking with 20/20 hindsight, the --help output says this:

  -F, --filter          enables user permission based filtering

However as a n00b I would suggest that this is not sufficient to have
figured out the error.  From the documentation it's totally unclear the
difference between Admin:VM -> Basic Operations -> Run VM and User:VM ->
Basic Operations -> Run VM.  It's unclear from the Role Definition UI, and
it's unclear from the Administration Guide.

One would think that a permission is a permission.  Anyways, thank you for
clearing this up.  Hopefully this exchange will help the next person that
comes along trying to figure it all out.

Thank you!

-derek


On Thu, November 10, 2016 2:57 am, Ondra Machacek wrote:
> Hello,
>
> when using user roles (not admin ones) you have to use filter
> parameter. So you need to start the ovirt-shell similar to this:
>
>    $ ovirt-shell --filter --username=...  --url=... --ca-file=...
>
> On 11/09/2016 10:49 PM, Derek Atkins wrote:
>> Hi,
>>
>> I created a user and a new user role, VmStarter, that has two
>> permissions:
>>   System -> Configure System -> Login Permissions
>>   VM -> Basic Operations -> Run VM
>>
>> I assigned this new user to this role at the data center.
>>
>> If I login to the user portal with this user I get a screen with all
>> my VMs, and if a VM is down I can click on the "run" button and it will
>> start.  If a machine is running I cannot click on the stop button (well,
>> I can, but I get a permission denied error, which is expected).  So it
>> sounds like everything is working.
>>
>> Now I want to use ovirt-shell to do the same thing.  I can login just
>> fine using this user's credentials, and I get connected.  However when I
>> execute the command to start a VM:
>>
>>   [oVirt shell (connected)]# action vm vm-0 start
>>
>> I get this error:
>>
>>   ==================================== ERROR =================================
>>   status: 400
>>   reason: Bad Request
>>   detail: query execution failed due to insufficient permissions.
>>   ============================================================================
>>
>> This seems to imply I'm missing a permission.  But I have no idea what
>> permission I'm missing.  I haven't found anything in the engine log that
>> would help me.
>>
>> Any ideas what's wrong and (more importantly) how to fix it?
>>
>> Thanks,
>>
>> -derek
>>
>


-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant



