Re: [ovirt-users] api access with poweruser role

Thu, 29 Oct 2015 07:58:38 -0700 


On 10/29/2015 03:56 PM, Ondra Machacek wrote:



On 10/28/2015 11:29 AM, Jorick Astrego wrote:



On 10/26/2015 03:14 PM, Jorick Astrego wrote:



On 10/26/2015 02:57 PM, Ondra Machacek wrote:



On 10/26/2015 02:53 PM, Jorick Astrego wrote:

Hi,


Currently I'm trying to add an ovirt compute resource in forman 
that is limited to the VM's of the user.


When I give this user the PowerUser role, I cannot access the api:

    query execution failed due to insufficient permissions



Are you sending header 'Filter: true' with the request ?
If your user is not admin(PowerUserRole is not admin role),
you have to use this header.






Hmm, not much response on foreman-users..


I checked the code of fog in my foreman install ( 
/opt/rh/ruby193/root/usr/share/gems/gems/fog-1.32.0/lib/fog/ovirt/compute.rb 
) and it appears to have the correct option merged:


              connection_opts[:filtered_api]  =
    options[:ovirt_filtered_api]



But I don't know what url the foreman actually generates, is there 
any way to capture the login string? I tried setting some DEBUG 
logging but don't get the output I'm looking for.


            <logger category="org.ovirt.engine.core.bll.SearchQuery">
                    <level name="DEBUG"/>
            </logger>
            <logger
    category="org.ovirt.engine.core.bll.aaa.LoginUserCommand">
                    <level name="DEBUG"/>
            </logger>
            <logger
    category="org.ovirt.engine.api.restapi.resource.AbstractBackendResource">
                    <level name="DEBUG"/>
            </logger>




It depends what url foreman client access. But you can set:

<logger category="org.ovirt.engine.core.bll">
    <level name="ALL"/>
</logger>


And then you will see what commands was queried with or without the 
filtered API.



2015-10-29 15:45:45,436 TRACE 
[org.ovirt.engine.core.bll.GetAllVmsQuery] (ajp-/127.0.0.1:8702-1) [] 
START, GetAllVmsQuery(VdcQueryParametersBase:{refresh='true', 
filtered='true'}), log id: 53b3c8b9



^^ This is example of running 'Filter: true' on /api/vms (you can see 
filtered='true').



But maybe it would be easier to use tcpdump, or some apache module to 
dump headers.











Met vriendelijke groet, With kind regards,

Jorick Astrego
*
Netbulae Virtualization Experts *
------------------------------------------------------------------------
Tel: 053 20 30 270      i...@netbulae.eu        Staalsteden 4-3A        KvK 
08198180

Fax: 053 20 30 271 	www.netbulae.eu 	7547 TA Enschede 	BTW 
NL821234584B01



------------------------------------------------------------------------



_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users




_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users



_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users






















					Reply via email to