Re: [Users] Authentication

2014-01-31 Thread Alon Bar-Lev


- Original Message -
 From: Maurice James midnightst...@msn.com
 To: users@ovirt.org
 Sent: Friday, January 31, 2014 8:55:33 PM
 Subject: [Users] Authentication
 
 Is anyone working on LDAP authentication that does NOT require the use of
 kerberos yet? If so, what is the timeframe?

I hope we will make it in to 3.5.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [Users] Authentication

2013-12-16 Thread Yair Zaslavsky
Work is in progress, led by Juan Hernandez (CC'ed)
See -


http://gerrit.ovirt.org/#/q/status:open+project:ovirt-engine+branch:master+topic:directory_refactoring,n,z



- Original Message -
 From: Maurice James midnightst...@msn.com
 To: users@ovirt.org
 Sent: Monday, December 16, 2013 4:12:47 PM
 Subject: [Users] Authentication
 
 I was curious to know how is the update of the authentication options coming.
 Right now the only option for external authentication involves the use of
 Kerberos. I am interested in using an LDAP only model (389-ds) without
 Kerberos.


Re: [Users] Authentication for REST APIs?

2012-10-03 Thread Brian Vetter
On Oct 3, 2012, at 12:55 AM, Itamar Heim wrote:

 snip ...
 
 So based upon what I see in this log file, it would seem that the
 connect API wants to make sure that I am an admin and not a regular user.
 
 Which gets me back to my original question: Do the REST API and the
 ovirt-shell require admin privileges or is there a separate uri
 namespace for regular users to make requests? Or perhaps more direct,
 should https://$ovirt-server/api/vms be accessible to non-admins or is
 there a different url a non-admin should use?
 
 Brian
 
 
 which version of the sdk are you using?
 michael - maybe user level api made it into upstream post ovirt 3.1 feature 
 freeze (brian, in that case, it will be in ovirt 3.2, slated for freeze in 
 november/release in december)
 


oVirt Engine version is 3.1.0-2.fc17
oVirt API/shell/tool version from yum is 3.1.0.6-1.fc17

Results from 'info' command in ovirt-shell:
[oVirt shell (connected)]# info

backend version: 3.1
sdk version: 3.1.0.4
cli version: 3.1.0.6
python version : 2.7.3.final.0

If the user level api isn't in 3.1, then I presume it would be in the nightly 
builds. Are there instructions for pulling the nightly builds and/or upgrading 
them. I saw the build instructions, but was hoping to save some time while 
evaluating things.

Brian



Re: [Users] Authentication for REST APIs?

2012-10-02 Thread Itamar Heim

On 10/02/2012 06:28 AM, Brian Vetter wrote:

I've done two different things. First, I associated one of my groups in my 
directory with being a VMUser which gave members access to a particular VM. If 
I login with one of those users via the User portal, I can see their VM (or VMs 
if I do more than one). If I use the REST API (or ovirt-shell) using this 
user's account and password, I get an unauthorized error.

Similarly, I have another group that is assigned the DomainManager role. If I 
add this other user to that group, when I login with that user via the user 
portal, I see the advanced portal. If I use the REST-API (using curl) or 
ovirt-shell and use the user's login information, I now am authorized and see a 
list of VMs returned as XML (in the case of curl).

That said, I see all VMs in the system, not just the one assigned to the user 
that logged in. So this makes me think that either the REST API for getting the 
APIs as suggested by the article is an administrative API and there is either 
(a) a different rest API/uri that returns the logged in user's vms (the list 
that would be returned to the portal) or (b) no way to get a particular user's 
list of VMs authenticated as the user.


you need to specify to the api you want to view things in user mode 
via the filter header.

Example:
curl -X GET -H "Filter: true" -u user@domain:password http://[servername]:PORT/api/vms






Brian

On Oct 1, 2012, at 10:49 PM, Yair Zaslavsky wrote:


Hi Brian,
I looked at the wiki -
I assume you're referring to the showVm part.
Have you assigned any permissions to the user that is supposed to view the VMs?
I assume you created the VMs with the administrator user, so any other user 
will require to have a proper permissions in order to view these VMs

Yair


On 10/02/2012 05:09 AM, Brian Vetter wrote:

I was trying to use both the rest api to view a user's vm information. I found 
that the REST APIs always returned an authentication error if the account I had 
logged into was not an ovirt administrator. I am guessing that either (a) I am 
using the wrong URL in the REST api or (b) you must be some kind of admin to 
access the REST APIs. I noticed the same behavior when I was using the 
ovirt-shell tool.

For example, I was trying to follow the instructions in 
http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal to 
get the list of VMs (presumably for the user that is logging in), I get an 
unauthorized error. If the user account I login with in the curl or ovirt-shell 
connect statement is an admin, I get the list of VMs.

So my question here is does the REST-API need admin privileges or am I using a url that 
requires admin privileges whereas some others don't. And if it is the latter, is there 
somewhere that documents the various rest api resources? For example, to go back to the 
How to connect to Spice console ... article, how would one use the REST API 
to fetch one's virtual machines, their status, and connection info for them?

Thanks,

Brian



Re: [Users] Authentication for REST APIs?

2012-10-02 Thread Steve Gordon
- Original Message -
 From: Itamar Heim ih...@redhat.com
 To: Brian Vetter bjvet...@gmail.com
 Cc: users@ovirt.org
 Sent: Tuesday, October 2, 2012 3:15:34 AM
 Subject: Re: [Users] Authentication for REST APIs?
 
 On 10/02/2012 06:28 AM, Brian Vetter wrote:
  I've done two different things. First, I associated one of my
  groups in my directory with being a VMUser which gave members
  access to a particular VM. If I login with one of those users via
  the User portal, I can see their VM (or VMs if I do more than
  one). If I use the REST API (or ovirt-shell) using this user's
  account and password, I get an unauthorized error.
 
  Similarly, I have another group that is assigned the DomainManager
  role. If I add this other user to that group, when I login with
  that user via the user portal, I see the advanced portal. If I use
  the REST-API (using curl) or ovirt-shell and use the user's login
  information, I now am authorized and see a list of VMs returned as
  XML (in the case of curl).
 
  That said, I see all VMs in the system, not just the one assigned
  to the user that logged in. So this makes me think that either the
  REST API for getting the APIs as suggested by the article is an
  administrative API and there is either (a) a different rest
  API/uri that returns the logged in user's vms (the list that would
  be returned to the portal) or (b) no way to get a particular
  user's list of VMs authenticated as the user.
 
 you need to specify to the api you want to view things in user mode
 via the filter header.
 Example:
 curl -X GET -H "Filter: true" -u user@domain:password http://[servername]:PORT/api/vms

Yes, and if using the SDK set filter=true when calling the API constructor (is 
there a reason filtered isn't the default? Wouldn't this suit both uses - 
admin/non-admin - better?).

Steve


Re: [Users] Authentication for REST APIs?

2012-10-02 Thread Itamar Heim

On 10/02/2012 03:56 PM, Steve Gordon wrote:

- Original Message -

From: Itamar Heim ih...@redhat.com
To: Brian Vetter bjvet...@gmail.com
Cc: users@ovirt.org
Sent: Tuesday, October 2, 2012 3:15:34 AM
Subject: Re: [Users] Authentication for REST APIs?

On 10/02/2012 06:28 AM, Brian Vetter wrote:

I've done two different things. First, I associated one of my
groups in my directory with being a VMUser which gave members
access to a particular VM. If I login with one of those users via
the User portal, I can see their VM (or VMs if I do more than
one). If I use the REST API (or ovirt-shell) using this user's
account and password, I get an unauthorized error.

Similarly, I have another group that is assigned the DomainManager
role. If I add this other user to that group, when I login with
that user via the user portal, I see the advanced portal. If I use
the REST-API (using curl) or ovirt-shell and use the user's login
information, I now am authorized and see a list of VMs returned as
XML (in the case of curl).

That said, I see all VMs in the system, not just the one assigned
to the user that logged in. So this makes me think that either the
REST API for getting the APIs as suggested by the article is an
administrative API and there is either (a) a different rest
API/uri that returns the logged in user's vms (the list that would
be returned to the portal) or (b) no way to get a particular
user's list of VMs authenticated as the user.


you need to specify to the api you want to view things in user mode
via the filter header.
Example:
curl -X GET -H "Filter: true" -u user@domain:password http://[servername]:PORT/api/vms


Yes, and if using the SDK set filter=true when calling the API constructor (is 
there a reason filtered isn't the default? Wouldn't this suit both uses - 
admin/non-admin - better?).

Steve



I think only reason is the api had admin by default in 3.0, so to 
preserve functionality




Re: [Users] Authentication for REST APIs?

2012-10-02 Thread Brian Vetter
Adding the Filter:true header to the curl request doesn't change anything. If 
the user account is not an admin account, I get a 401 status result. So my 
question still stands, can the REST API be used by a mere, non-admin mortal 
or is it only for administrative functions?

I'm in the process of trying to hook up a different client to a VM managed by 
ovirt. I can't use the user portal app. So I was trying to use the REST APIs on 
behalf of a normal, non-admin user to get the list of the authenticating user's 
VMs and their connection information. 

Brian

On Oct 2, 2012, at 2:15 AM, Itamar Heim wrote:

 On 10/02/2012 06:28 AM, Brian Vetter wrote:
 I've done two different things. First, I associated one of my groups in my 
 directory with being a VMUser which gave members access to a particular VM. 
 If I login with one of those users via the User portal, I can see their VM 
 (or VMs if I do more than one). If I use the REST API (or ovirt-shell) using 
 this user's account and password, I get an unauthorized error.
 
 Similarly, I have another group that is assigned the DomainManager role. If 
 I add this other user to that group, when I login with that user via the 
 user portal, I see the advanced portal. If I use the REST-API (using curl) 
 or ovirt-shell and use the user's login information, I now am authorized and 
 see a list of VMs returned as XML (in the case of curl).
 
 That said, I see all VMs in the system, not just the one assigned to the 
 user that logged in. So this makes me think that either the REST API for 
 getting the APIs as suggested by the article is an administrative API and 
 there is either (a) a different rest API/uri that returns the logged in 
 user's vms (the list that would be returned to the portal) or (b) no way to 
 get a particular user's list of VMs authenticated as the user.
 
 you need to specify to the api you want to view things in user mode via the 
 filter header.
 Example:
 curl -X GET -H "Filter: true" -u user@domain:password http://[servername]:PORT/api/vms
 
 
 
 
 Brian
 
 On Oct 1, 2012, at 10:49 PM, Yair Zaslavsky wrote:
 
 Hi Brian,
 I looked at the wiki -
 I assume you're referring to the showVm part.
 Have you assigned any permissions to the user that is supposed to view the 
 VMs?
 I assume you created the VMs with the administrator user, so any other user 
 will require to have a proper permissions in order to view these VMs
 
 Yair
 
 
 On 10/02/2012 05:09 AM, Brian Vetter wrote:
 I was trying to use both the rest api to view a user's vm information. I 
 found that the REST APIs always returned an authentication error if the 
 account I had logged into was not an ovirt administrator. I am guessing 
 that either (a) I am using the wrong URL in the REST api or (b) you must 
 be some kind of admin to access the REST APIs. I noticed the same behavior 
 when I was using the ovirt-shell tool.
 
 For example, I was trying to follow the instructions in 
 http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal 
 to get the list of VMs (presumably for the user that is logging in), I get 
 an unauthorized error. If the user account I login with in the curl or 
 ovirt-shell connect statement is an admin, I get the list of VMs.
 
 So my question here is does the REST-API need admin privileges or am I 
 using a url that requires admin privileges whereas some others don't. And 
 if it is the latter, is there somewhere that documents the various rest 
 api resources? For example, to go back to the How to connect to Spice 
 console ... article, how would one use the REST API to fetch one's 
 virtual machines, their status, and connection info for them?
 
 Thanks,
 
 Brian



Re: [Users] Authentication for REST APIs?

2012-10-02 Thread Itamar Heim

On 10/02/2012 04:52 PM, Brian Vetter wrote:

Adding the Filter:true header to the curl request doesn't change anything. If the user 
account is not an admin account, I get a 401 status result. So my question still stands, can the 
REST API be used by a mere, non-admin mortal or is it only for administrative functions?

I'm in the process of trying to hook up a different client to a VM managed by 
ovirt. I can't use the user portal app. So I was trying to use the REST APIs on 
behalf of a normal, non-admin user to get the list of the authenticating user's 
VMs and their connection information.


3.1 added support for non admin to use the api.
i.e., this should work.
which specific version are you using?



Brian

On Oct 2, 2012, at 2:15 AM, Itamar Heim wrote:


On 10/02/2012 06:28 AM, Brian Vetter wrote:

I've done two different things. First, I associated one of my groups in my 
directory with being a VMUser which gave members access to a particular VM. If 
I login with one of those users via the User portal, I can see their VM (or VMs 
if I do more than one). If I use the REST API (or ovirt-shell) using this 
user's account and password, I get an unauthorized error.

Similarly, I have another group that is assigned the DomainManager role. If I 
add this other user to that group, when I login with that user via the user 
portal, I see the advanced portal. If I use the REST-API (using curl) or 
ovirt-shell and use the user's login information, I now am authorized and see a 
list of VMs returned as XML (in the case of curl).

That said, I see all VMs in the system, not just the one assigned to the user 
that logged in. So this makes me think that either the REST API for getting the 
APIs as suggested by the article is an administrative API and there is either 
(a) a different rest API/uri that returns the logged in user's vms (the list 
that would be returned to the portal) or (b) no way to get a particular user's 
list of VMs authenticated as the user.


you need to specify to the api you want to view things in user mode via the 
filter header.
Example:
curl -X GET -H "Filter: true" -u user@domain:password http://[servername]:PORT/api/vms





Brian

On Oct 1, 2012, at 10:49 PM, Yair Zaslavsky wrote:


Hi Brian,
I looked at the wiki -
I assume you're referring to the showVm part.
Have you assigned any permissions to the user that is supposed to view the VMs?
I assume you created the VMs with the administrator user, so any other user 
will require to have a proper permissions in order to view these VMs

Yair


On 10/02/2012 05:09 AM, Brian Vetter wrote:

I was trying to use both the rest api to view a user's vm information. I found 
that the REST APIs always returned an authentication error if the account I had 
logged into was not an ovirt administrator. I am guessing that either (a) I am 
using the wrong URL in the REST api or (b) you must be some kind of admin to 
access the REST APIs. I noticed the same behavior when I was using the 
ovirt-shell tool.

For example, I was trying to follow the instructions in 
http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal to 
get the list of VMs (presumably for the user that is logging in), I get an 
unauthorized error. If the user account I login with in the curl or ovirt-shell 
connect statement is an admin, I get the list of VMs.

So my question here is does the REST-API need admin privileges or am I using a url that 
requires admin privileges whereas some others don't. And if it is the latter, is there 
somewhere that documents the various rest api resources? For example, to go back to the 
How to connect to Spice console ... article, how would one use the REST API 
to fetch one's virtual machines, their status, and connection info for them?

Thanks,

Brian







Re: [Users] Authentication for REST APIs?

2012-10-02 Thread Brian Vetter
 3.1 added support for non admin to use the api.
 i.e., this should work.
 which specific version are you using?

From the about box in the admin web app:

oVirt Engine Version: 3.1.0-2.fc17

The curl command I send is:

curl --cacert $CA_FILE -X GET -H "Filter: true" -u user@domain:password https://$OVIRT/api/vms > uservms.xml

The output when my user's group has a DOMAIN_ADMIN role contains the xml for 
the VMs. The output when the user's group has either a power user or a regular 
user role contains the error response with a 401 unauthorized error.

I had lots of fun getting this server set up so it is possible I made a mistake 
during installation, but it seems pretty functional right now. Everything seems 
to be working but I haven't been able to test out how/if I can connect a 
new, non-portal client without having to add new servlets.

Brian

On Oct 2, 2012, at 9:57 AM, Itamar Heim wrote:

 On 10/02/2012 04:52 PM, Brian Vetter wrote:
 Adding the Filter:true header to the curl request doesn't change anything. 
 If the user account is not an admin account, I get a 401 status result. So 
 my question still stands, can the REST API be used by a mere, non-admin 
 mortal or is it only for administrative functions?
 
 I'm in the process of trying to hook up a different client to a VM managed 
 by ovirt. I can't use the user portal app. So I was trying to use the REST 
 APIs on behalf of a normal, non-admin user to get the list of the 
 authenticating user's VMs and their connection information.
 
 3.1 added support for non admin to use the api.
 i.e., this should work.
 which specific version are you using?
 
 
 Brian
 
 On Oct 2, 2012, at 2:15 AM, Itamar Heim wrote:
 
 On 10/02/2012 06:28 AM, Brian Vetter wrote:
 I've done two different things. First, I associated one of my groups in my 
 directory with being a VMUser which gave members access to a particular 
 VM. If I login with one of those users via the User portal, I can see 
 their VM (or VMs if I do more than one). If I use the REST API (or 
 ovirt-shell) using this user's account and password, I get an unauthorized 
 error.
 
 Similarly, I have another group that is assigned the DomainManager role. 
 If I add this other user to that group, when I login with that user via 
 the user portal, I see the advanced portal. If I use the REST-API (using 
 curl) or ovirt-shell and use the user's login information, I now am 
 authorized and see a list of VMs returned as XML (in the case of curl).
 
 That said, I see all VMs in the system, not just the one assigned to the 
 user that logged in. So this makes me think that either the REST API for 
 getting the APIs as suggested by the article is an administrative API and 
 there is either (a) a different rest API/uri that returns the logged in 
 user's vms (the list that would be returned to the portal) or (b) no way 
 to get a particular user's list of VMs authenticated as the user.
 
 you need to specify to the api you want to view things in user mode via 
 the filter header.
 Example:
 curl -X GET -H "Filter: true" -u user@domain:password http://[servername]:PORT/api/vms
 
 
 
 
 Brian
 
 On Oct 1, 2012, at 10:49 PM, Yair Zaslavsky wrote:
 
 Hi Brian,
 I looked at the wiki -
 I assume you're referring to the showVm part.
 Have you assigned any permissions to the user that is supposed to view 
 the VMs?
 I assume you created the VMs with the administrator user, so any other 
 user will require to have a proper permissions in order to view these VMs
 
 Yair
 
 
 On 10/02/2012 05:09 AM, Brian Vetter wrote:
 I was trying to use both the rest api to view a user's vm information. I 
 found that the REST APIs always returned an authentication error if the 
 account I had logged into was not an ovirt administrator. I am guessing 
 that either (a) I am using the wrong URL in the REST api or (b) you must 
 be some kind of admin to access the REST APIs. I noticed the same 
 behavior when I was using the ovirt-shell tool.
 
 For example, I was trying to follow the instructions in 
 http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal
  to get the list of VMs (presumably for the user that is logging in), I 
 get an unauthorized error. If the user account I login with in the curl 
 or ovirt-shell connect statement is an admin, I get the list of VMs.
 
 So my question here is does the REST-API need admin privileges or am I 
 using a url that requires admin privileges whereas some others don't. 
 And if it is the latter, is there somewhere that documents the various 
 rest api resources? For example, to go back to the How to connect to 
 Spice console ... article, how would one use the REST API to fetch 
 one's virtual machines, their status, and connection info for them?
 
 Thanks,
 
 Brian
 
 
 



Re: [Users] Authentication for REST APIs?

2012-10-02 Thread Brian Vetter
I also tried a simple connect to the home of the ovirt server in the 
ovirt-shell:

[oVirt shell (disconnected)]# connect https://ovirtserver user pass

error: 'str' object has no attribute 'product_info'

[oVirt shell (disconnected)]# 

So this happens without trying to get to the api/vms.

As to your question:
 i think you should get an empty list and not a 401 in any case, but just to 
 make sure - you have the user role on a specific VM and you don't see it?


Yes, I believe this is true. If the same user logs into the user portal, he can 
see the VM and start/stop it. From the ovirt admin portal, I see the following 
permissions for the VM:

UserRole
Brian Vetter (bjvetter@domain)  UserRole

Brian

On Oct 2, 2012, at 10:27 AM, Itamar Heim wrote:

 On 10/02/2012 05:20 PM, Brian Vetter wrote:
 3.1 added support for non admin to use the api.
 i.e., this should work.
 which specific version are you using?
 
 From the about box in the admin web app:
 
oVirt Engine Version:3.1.0-2.fc17
 
 
 The curl command I send is:
 
curl --cacert $CA_FILE -X GET -H "Filter: true" -u user@domain:password https://$OVIRT/api/vms > uservms.xml
 
 
 The output when my user's group has a DOMAIN_ADMIN role contains the xml
 for the VMs. The output when the user's group has either a power user or
 a regular user role contains the error response with a 401 unauthorized
 error.
 
 I had lots of fun getting this server set up so it is possible I made a
 mistake during installation, but it seems pretty functional right now.
 Everything seems to be working but I haven't been able to test out
 how/if I can connect a new, non-portal client without having to add new
 servlets.
 
 i think you should get an empty list and not a 401 in any case, but just to 
 make sure - you have the user role on a specific VM and you don't see it?
 michael - thoughts?
 maybe this was fixed post ovirt 3.1 fedora release?
 
 
 Brian
 
 On Oct 2, 2012, at 9:57 AM, Itamar Heim wrote:
 
 On 10/02/2012 04:52 PM, Brian Vetter wrote:
 Adding the Filter:true header to the curl request doesn't change
 anything. If the user account is not an admin account, I get a 401
 status result. So my question still stands, can the REST API be used
 by a mere, non-admin mortal or is it only for administrative functions?
 
 I'm in the process of trying to hook up a different client to a VM
 managed by ovirt. I can't use the user portal app. So I was trying to
 use the REST APIs on behalf of a normal, non-admin user to get the
 list of the authenticating user's VMs and their connection information.
 
 3.1 added support for non admin to use the api.
 i.e., this should work.
 which specific version are you using?
 
 
 Brian
 
 On Oct 2, 2012, at 2:15 AM, Itamar Heim wrote:
 
 On 10/02/2012 06:28 AM, Brian Vetter wrote:
 I've done two different things. First, I associated one of my
 groups in my directory with being a VMUser which gave members
 access to a particular VM. If I login with one of those users via
 the User portal, I can see their VM (or VMs if I do more than one).
 If I use the REST API (or ovirt-shell) using this user's account
 and password, I get an unauthorized error.
 
 Similarly, I have another group that is assigned the DomainManager
 role. If I add this other user to that group, when I login with
 that user via the user portal, I see the advanced portal. If I use
 the REST-API (using curl) or ovirt-shell and use the user's login
 information, I now am authorized and see a list of VMs returned as
 XML (in the case of curl).
 
 That said, I see all VMs in the system, not just the one assigned
 to the user that logged in. So this makes me think that either the
 REST API for getting the APIs as suggested by the article is an
 administrative API and there is either (a) a different rest API/uri
 that returns the logged in user's vms (the list that would be
 returned to the portal) or (b) no way to get a particular user's
 list of VMs authenticated as the user.
 
 you need to specify to the api you want to view things in user
 mode via the filter header.
 Example:
 curl -X GET -H "Filter: true" -u user@domain:password http://[servername]:PORT/api/vms
 
 
 
 
 Brian
 
 On Oct 1, 2012, at 10:49 PM, Yair Zaslavsky wrote:
 
 Hi Brian,
 I looked at the wiki -
 I assume you're referring to the showVm part.
 Have you assigned any permissions to the user that is supposed to
 view the VMs?
 I assume you created the VMs with the administrator user, so any
 other user will require to have a proper permissions in order to
 view these VMs
 
 Yair
 
 
 On 10/02/2012 05:09 AM, Brian Vetter wrote:
 I was trying to use both the rest api to view a user's vm
 information. I found that the REST APIs always returned an
 authentication error if the account I had logged into was not an
 ovirt administrator. I am guessing that either (a) I am using the
 wrong URL in the REST api or (b) you must be some kind of admin
 to access 

Re: [Users] Authentication for REST APIs?

2012-10-02 Thread Michael Pasternak
Hi Brian,

On 10/02/2012 05:52 PM, Brian Vetter wrote:
 I also tried a simple connect to the home of the ovirt server in the 
 ovirt-shell:
 
 [oVirt shell (disconnected)]# connect https://ovirtserver user pass
 
 error: 'str' object has no attribute 'product_info'

this could happen if you are trying to connect to an SSL site via HTTP protocol,
btw what sdk/cli version are you using [1]? latest sdk/cli protects against
this.

[1] run 'info' command in cli

 
 [oVirt shell (disconnected)]# 
 
 
 So this happens without trying to get to the api/vms.
 
 As to your question:
 
 i think you should get an empty list and not a 401 in any case, but just 
 to make sure - you have the user role on a specific VM and you don't see it?
 
 
 Yes, I believe this is true. If the same user logs into the user portal, he 
 can see the VM and start/stop it. From the ovirt admin portal, I see the 
 following permissions
 for the VM:

does this user have any other role/s besides UserRole?

 
 *UserRole*
 Brian Vetter (bjvetter@domain)UserRole
 
 Brian
 
 On Oct 2, 2012, at 10:27 AM, Itamar Heim wrote:


-- 

Michael Pasternak
RedHat, ENG-Virtualization RD


Re: [Users] Authentication for REST APIs?

2012-10-02 Thread Itamar Heim

On 10/03/2012 05:40 AM, Brian Vetter wrote:

The error: 'str' object has no attribute 'product_info' was a red
herring (mistyped url). The 401 errors for non-admins though is still
quite real.

Detailed response inside ...

On Oct 2, 2012, at 1:48 PM, Michael Pasternak wrote:


Hi Brian,

On 10/02/2012 05:52 PM, Brian Vetter wrote:

I also tried a simple connect to the home of the ovirt server in the
ovirt-shell:

   [oVirt shell (disconnected)]# connect https://ovirtserver user
pass

   error: 'str' object has no attribute 'product_info'


this could happen if you are trying to connect to an SSL site via HTTP protocol,
btw what sdk/cli version are you using [1]? latest sdk/cli protects against
this.

[1] run 'info' command in cli


As this turned out, the problem was due to a bad url (transposed
characters). Once fixed, I'm back to the 401 error condition.


As to your question:


   i think you should get an empty list and not a 401 in any case,
but just to make sure - you have the user role on a specific VM and
you don't see it?



Yes, I believe this is true. If the same user logs into the user
portal, he can see the VM and start/stop it. From the ovirt admin
portal, I see the following permissions
for the VM:


does this user have any other role/s besides UserRole?


No, the only role it is given is UserRole. Here is how it was applied:

1) The user was created in my directory server (that was added to the
ovirt manager during setup).
2) After creating a new desktop VM, I selected the VM, selected its
Permissions tab, and then added the user with the role 'UserRole' to the
VM. This was all done in the ovirt-manager web app.
3) I then login to the user portal with that user account name. After
refreshing the VM list (a very minor bug), I see the VM that was
assigned to the user.
4) When using the ovirt-shell command, the connect command fails with an
error 401 as in the following text:

[oVirt shell (disconnected)]# connect https://ovirt-serveri/
'xxx@' 'pword'

error: Unauthorized, [Errno: 401]

5) If I add the DatacenterAdmin role, the connect command works.
6) Similarly, if I use curl, I get the same HTTPS Status 401 error.

# curl --cacert $CA_FILE -X GET -H "Filter: true" -u xxx@:pword https://ovirtserver/api/vms > uservms.xml

# cat uservms.xml
<html><head><title>JBoss Web/7.0.0.SNAPSHOT - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}
B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This request requires HTTP authentication ().</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/7.0.0.SNAPSHOT</h3></body></html>
[bjv@eos ~]$


7) I see the following when I use ovirt -d and do the connect:

send: 'GET /api HTTP/1.1\r\nHost: eos.testcloud.com\r\nAccept-Encoding: identity\r\nPrefer:
persistent-auth\r\nContent-type: application/xml\r\nAuthorization:
Basic Ymp2ZXR0ZXJAZHJvaWRjbG91ZC5tb2JpOmxvc3QrZm91bmQ=\r\n\r\n'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Date: Wed, 03 Oct 2012 03:24:53 GMT
header: Set-Cookie: JSESSIONID=n3Ex3mxsvzTEM3rlkiHa85mP.undefined;
Path=/api; Secure
header: WWW-Authenticate: Basic realm=ENGINE
header: Content-Type: text/html;charset=utf-8
header: Content-Length: 962
header: Connection: close


Clearly, the ovirt-shell and curl are making the same request and
getting the same error response.

The engine.log file in /var/log/ovirt-engine has the following after I
try to connect:

2012-10-02 22:28:37,489 INFO
  [org.ovirt.engine.core.bll.LoginAdminUserCommand]
(ajp--0.0.0.0-8009-3) *Checking if user bjvetter is an admin, result
false*
2012-10-02 22:28:37,490 WARN
  [org.ovirt.engine.core.bll.LoginAdminUserCommand]
(ajp--0.0.0.0-8009-3) CanDoAction of action LoginAdminUser failed.
Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2012-10-02 22:28:37,491 INFO
  [org.ovirt.engine.api.restapi.security.auth.LoginValidator]
(ajp--0.0.0.0-8009-3) Login failure, user: bjvetter domain:
my.testcloud.com reason:
[USER_NOT_AUTHORIZED_TO_PERFORM_ACTION]


So based upon what I see in this log file, it would seem that the
connect API wants to make sure that I am an admin and not a regular user.

Which gets me back to my original question: Do 

Re: [Users] Authentication for REST APIs?

2012-10-01 Thread Yair Zaslavsky

Hi Brian,
I looked at the wiki -
I assume you're referring to the showVm part.
Have you assigned any permissions to the user that is supposed to view 
the VMs?
I assume you created the VMs with the administrator user, so any other 
user will need to have proper permissions in order to view these VMs.


Yair


On 10/02/2012 05:09 AM, Brian Vetter wrote:

I was trying to use both the rest api to view a user's vm information. I found 
that the REST APIs always returned an authentication error if the account I had 
logged into was not an ovirt administrator. I am guessing that either (a) I am 
using the wrong URL in the REST api or (b) you must be some kind of admin to 
access the REST APIs. I noticed the same behavior when I was using the 
ovirt-shell tool.

For example, I was trying to follow the instructions in 
http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal to 
get the list of VMs (presumably for the user that is logging in), I get an 
unauthorized error. If the user account I login with in the curl or ovirt-shell 
connect statement is an admin, I get the list of VMs.

So my question here is does the REST-API need admin privileges or am I using a url that 
requires admin privileges whereas some others don't. And if it is the latter, is there 
somewhere that documents the various rest api resources? For example, to go back to the 
How to connect to Spice console ... article, how would one use the REST API 
to fetch one's virtual machines, their status, and connection info for them?

Thanks,

Brian



Re: [Users] Authentication for REST APIs?

2012-10-01 Thread Brian Vetter
I've done two different things. First, I associated one of my groups in my 
directory with being a VMUser which gave members access to a particular VM. If 
I login with one of those users via the User portal, I can see their VM (or VMs 
if I do more than one). If I use the REST API (or ovirt-shell) using this 
user's account and password, I get an unauthorized error.

Similarly, I have another group that is assigned the DomainManager role. If I 
add this other user to that group, when I login with that user via the user 
portal, I see the advanced portal. If I use the REST-API (using curl) or 
ovirt-shell and use the user's login information, I now am authorized and see a 
list of VMs returned as XML (in the case of curl).

That said, I see all VMs in the system, not just the one assigned to the user 
that logged in. So this makes me think that either the REST API for getting the 
APIs as suggested by the article is an administrative API and there is either 
(a) a different rest API/uri that returns the logged in user's vms (the list 
that would be returned to the portal) or (b) no way to get a particular user's 
list of VMs authenticated as the user.

Brian

On Oct 1, 2012, at 10:49 PM, Yair Zaslavsky wrote:

 Hi Brian,
 I looked at the wiki -
 I assume you're referring to the showVm part.
 Have you assigned any permissions to the user that is supposed to view the 
 VMs?
 I assume you created the VMs with the administrator user, so any other user 
 will need to have proper permissions in order to view these VMs.
 
 Yair
 
 
 On 10/02/2012 05:09 AM, Brian Vetter wrote:
 I was trying to use both the rest api to view a user's vm information. I 
 found that the REST APIs always returned an authentication error if the 
 account I had logged into was not an ovirt administrator. I am guessing that 
 either (a) I am using the wrong URL in the REST api or (b) you must be some 
 kind of admin to access the REST APIs. I noticed the same behavior when I 
 was using the ovirt-shell tool.
 
 For example, I was trying to follow the instructions in 
 http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal to 
 get the list of VMs (presumably for the user that is logging in), I get an 
 unauthorized error. If the user account I login with in the curl or 
 ovirt-shell connect statement is an admin, I get the list of VMs.
 
 So my question here is does the REST-API need admin privileges or am I using 
 a url that requires admin privileges whereas some others don't. And if it is 
 the latter, is there somewhere that documents the various rest api 
 resources? For example, to go back to the How to connect to Spice console 
 ... article, how would one use the REST API to fetch one's virtual 
 machines, their status, and connection info for them?
 
 Thanks,
 
 Brian
 