----- Original Message -----
> From: "Jonathan Daugherty" <j...@galois.com>
> To: engine-devel@ovirt.org
> Cc: "Trevor Elliott" <tre...@galois.com>
> Sent: Thursday, November 7, 2013 1:34:01 AM
> Subject: [Engine-devel] Permissions involved in using REST API
>
> Hi all,
>
> I'm interested in setting up a non-administrative user account to be
> used to access the oVirt REST API. I have a user who is testing this
> functionality by integrating some Vagrant-related software to talk to
> oVirt. The user's oVirt account is a non-admin account with enough
> privileges to create and modify VMs on one of my clusters.
>
> What we found is that the account is unable to make requests to, say,
>
>   /api/vms
>
> (he gets 401 or 404 responses) and instead gets a response indicating
> that the account has "insufficient permissions." My engine.log says of
> the access only this:
>
>   2013-11-06 14:50:28,158 ERROR
>   [org.ovirt.engine.api.restapi.resource.AbstractBackendResource]
>   (ajp--127.0.0.1-8702-13) Operation Failed: query execution
>   failed due to insufficient permissions.
>
> and in server.log I have seen Java tracebacks involving this[1]:
>
>   2013-11-06 14:50:28,159 WARN
>   [org.jboss.resteasy.core.SynchronousDispatcher]
>   (ajp--127.0.0.1-8702-13) failed to execute:
>   org.ovirt.engine.api.restapi.resource.BaseBackendResource$WebFaultException
>
> Later we found that assigning an Admin role to the user's account at the
> data center level with no permissions enabled permitted API access. So
> the user was able to make requests to /api/ URLs and get data and was
> able to log into the oVirt administration portal but was unable to take
> further action.
>
> So my questions are:
>
> - Is this expected behavior? Is there some smaller (less permissive)
>   change in privileges I can use to bring about the same behavior?
>

Yes. That's the expected behavior. However, when accessing the API you can set the "filter" header parameter to "true", and that will get you to the user-level API. Let me know if you need technical assistance with that.

> - Is there some place where such behavior is documented? I couldn't
>   find any. The documentation on permissions on the RHEV docs only
>   mentions the overall impact of using specific roles and permissions
>   and says nothing about API access consequences or "Admin" roles with
>   no permissions.
>

Unfortunately I didn't find any documentation on that on the ovirt wiki. Michael - do you know if such documentation exists somewhere?

> My initial assumption was that any user with credentials would be able
> to make API requests, but that the corresponding API responses would be
> filtered based on what the user had privileges to see just as with the
> User Portal.
>
> Thanks!
>
> [1] A full trace can be found at http://pastebin.com/czcfQkYL
>
> --
> Jonathan Daugherty
> Software Engineer
> Galois, Inc.
> _______________________________________________
> Engine-devel mailing list
> Engine-devel@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/engine-devel
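
The "filter" header suggested in the reply above, shown as a small client that keeps the account non-admin instead of granting it an Admin role. This is an added example, not code from the thread or from the oVirt project; the engine host name, the account `vagrant@internal`, the `Accept` header and both function names are assumptions made for illustration.

```python
import base64
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def build_user_level_request(base_url, username, password, path="/api/vms"):
    """Build a GET request that asks the engine for the user-level API view."""
    if urlsplit(base_url).scheme != "https":
        # Basic credentials are only base64-encoded, so never send them in clear.
        raise ValueError("refusing to send Basic credentials over a non-HTTPS URL")
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/xml")  # assumed response format
    # The header from the reply: it selects the user-level API, so results
    # are limited to what this non-admin account is permitted to see.
    req.add_header("Filter", "true")
    return req


def fetch(req, opener=urllib.request.urlopen, timeout=10):
    """Send the request and return (status, body).

    `opener` is injectable so the call can be exercised without a live engine.
    """
    try:
        with opener(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # Keep the fault body: it carries the engine's permission message.
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed values; replace with a real engine URL and account.
    request = build_user_level_request(
        "https://engine.example.com", "vagrant@internal", "constructed-password"
    )
    print(request.full_url, request.header_items())
```
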