[ovirt-users] Python-SDK4: How to list user permissions?

nicolas at devels.es nicolas at devels.es
Wed Mar 29 13:46:17 UTC 2017


On 2017-03-29 12:35, Juan Hernández wrote:
> On 03/29/2017 01:05 PM, nicolas at devels.es wrote:
>> Hi,
>> 
>> I'm trying to get a user's list of permissions, i.e., list all
>> permissions a user has on VMs and VmPools.
>> 
>> In SDK3 that was easy as I could run ('u' being a User object):
>> 
>> for perm in u.permissions.list():
>>     vm = perm.get_vm()
>>     vmpool = perm.get_vmpool()
>> 
>>     if vm or vmpool:
>>         print "User has some permissions!"
>> 
>> In SDK4 I cannot reproduce the same logic. u.permissions returns an
>> empty list ([]).
>> 
>> What I have so far is something like this:
>> 
>> for u in users_serv.list():
>>      if u.user_name == 'admin@internal':
>>          continue
>> 
>>      vms_service = sys_serv.vms_service()
>>      for vm in vms_service.list():
>>          vms = vms_service.vm_service(id=vm.id)
>>          ps = vms.permissions_service()
>>          for perm in ps.list():
>>              perm_service = ps.permission_service(id=perm.id)
>>              getperm = perm_service.get()
>>              if getperm.user.user_name == u.user_name:
>>                  print "Permission for %s" % (u.user_name)
>>                  if getperm.vm:
>>                      print "VM: %s" % (getperm.vm.id)
>>                  if getperm.vm_pool:
>>                      print "VmPool: %s" % (getperm.vm_pool.id)
>> 
>> However, this seems a bit overkill. We have nearly 850 VMs and for a
>> single user this takes about 25 minutes to run. Additionally, it doesn't
>> seem to return any permission, although I know this user has some
>> permissions over 2 VMs (not sure where it is messed up).
>> 
>> I also tried using the system_service.permissions_service() but it seems
>> to return only the global permissions.
>> 
>> Is there an easier way to do this?
>> 
>> Thanks!
> 
> Version 4 of the SDK makes a clear distinction between what are pure
> containers of data (like the User class) and what are services (like the
> UsersService class). Therefore when you call 'u.permissions' in version
> 4 of the SDK you get nothing, because the object that you retrieved
> previously doesn't contain the permissions, only a link. That is exactly
> how the API behaves. When you do this:
> 
>   GET /ovirt-engine/api/users/{user:id}
> 
> You only get the data of the user, and some links to other related data,
> like the permissions:
> 
>   <user id="..." href="...">
>     <name>myuser</name>
>     ...
>     <link rel="permissions" href="/ovirt-engine/api/users/{user:id}/permissions"/>
>   </user>
> 
> In version 4 of the SDK the simple way to follow the link is to use the
> Connection.follow_link method. So, you need something like this:
> 
> ---8<---
> # Find the user:
> users_service = connection.system_service().users_service()
> user = users_service.list(search='name=myuser')[0]
> 
> # Follow the link to the permissions of the user:
> perms = connection.follow_link(user.permissions)
> for perm in perms:
>     if perm.vm or perm.vm_pool:
>         print "User has some permissions!"
> --->8---

Thanks, that makes things much easier!

Regards,

Nicolás
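
Added example, not part of the original thread and not oVirt SDK code: the link-following described in the reply, done directly on the XML, so that one request per user yields every grant without walking all VMs. The responses, ids, role ids and the `fetch` stand-in are constructed placeholders modelled on the snippet quoted above; a real audit would replace `fetch` with an authenticated GET against the engine.

```python
import xml.etree.ElementTree as ET

# Constructed responses keyed by href; every id and role here is a placeholder.
RESPONSES = {
    "/ovirt-engine/api/users/u1": """
      <user id="u1" href="/ovirt-engine/api/users/u1">
        <name>myuser</name>
        <link rel="permissions" href="/ovirt-engine/api/users/u1/permissions"/>
      </user>""",
    "/ovirt-engine/api/users/u1/permissions": """
      <permissions>
        <permission id="p1"><role id="r1"/><user id="u1"/><vm id="vm1"/></permission>
        <permission id="p2"><role id="r1"/><user id="u1"/><vm_pool id="pool1"/></permission>
        <permission id="p3"><role id="r2"/><user id="u1"/><cluster id="c1"/></permission>
        <permission id="p4"><role id="r3"/><user id="u1"/></permission>
      </permissions>""",
}

def fetch(href):
    """Hypothetical stand-in for an authenticated GET against the engine."""
    return ET.fromstring(RESPONSES[href])

def follow(element, rel, fetch=fetch):
    """Resolve the <link rel=...> of an entity and return the linked document."""
    link = element.find("link[@rel='%s']" % rel)
    if link is None:
        raise LookupError("no '%s' link on <%s>" % (rel, element.tag))
    return fetch(link.get("href"))

def user_permissions(user_href, fetch=fetch):
    """Return (permission id, role id, target type, target id) per grant."""
    rows = []
    for perm in follow(fetch(user_href), "permissions", fetch):
        role = perm.find("role")
        # The child that is not role/user/group names the object of the grant;
        # a permission without such a child is reported with target None.
        target = next((c for c in perm
                       if c.tag not in ("role", "user", "group")), None)
        rows.append((perm.get("id"),
                     role.get("id") if role is not None else None,
                     target.tag if target is not None else None,
                     target.get("id") if target is not None else None))
    return rows

def vm_grants(rows):
    """Keep only grants placed directly on a VM or a VM pool."""
    return [r for r in rows if r[2] in ("vm", "vm_pool")]

if __name__ == "__main__":
    for row in user_permissions("/ovirt-engine/api/users/u1"):
        print(row)
```

Grants on other objects (the cluster entry in the sample) are returned by `user_permissions` but dropped by `vm_grants`, so review the unfiltered rows when the question is what a user can reach overall.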

