I also tried a simple connect to the home of the ovirt server in the ovirt-shell:
[oVirt shell (disconnected)]# connect https://ovirtserver <user> <pass> error: 'str' object has no attribute 'product_info' [oVirt shell (disconnected)]# So this happens without trying to get to the api/vms. As to your question: > i think you should get an empty list and not a 401 in any case, but just to > make sure - you have the user role on a specific VM and you don't see it? Yes, I believe this is true. If the same user logs into the user portal, he can see the VM and start/stop it. From the ovirt admin portal, I see the following permissions for the VM: User Role Brian Vetter (bjvetter@domain) UserRole Brian On Oct 2, 2012, at 10:27 AM, Itamar Heim wrote: > On 10/02/2012 05:20 PM, Brian Vetter wrote: >>> 3.1 added support for non admin to use the api. >>> i.e., this should work. >>> which specific version are you using? >> >> From the about box in the admin web app: >> >> oVirt Engine Version:3.1.0-2.fc17 >> >> >> The curl command I send is: >> >> curl --cacert $CA_FILE -X GET -H "Filter: true" -u >> user@domain:password https://$OVIRT/api/vms > uservms.xml >> >> >> The output when my user's group has a DOMAIN_ADMIN role contains the xml >> for the VMs. The output when the user's group has either a power user or >> a regular user role contains the error response with a 401 unauthorized >> error. >> >> I had lots of fun getting this server set up so it is possible I made a >> mistake during installation, but it seems pretty functional right now. >> Everything seems to be working but I haven't been able to to test out >> how/if I can connect a new, non-portal client without having to add new >> servlets. > > i think you should get an empty list and not a 401 in any case, but just to > make sure - you have the user role on a specific VM and you don't see it? > michael - thoughts? > maybe this was fixed post ovirt 3.1 fedora release? > >> >> Brian >> >> On Oct 2, 2012, at 9:57 AM, Itamar Heim wrote: >> >>> On 10/02/2012 04:52 PM, Brian Vetter wrote: >>>> Adding the "Filter:true" header to the curl request doesn't change >>>> anything. If the user account is not an admin account, I get a 401 >>>> status result. So my question still stands, can the REST API be used >>>> by a mere, non-admin "mortal" or is it only for administrative functions? >>>> >>>> I'm in the process of trying to hook up a different client to a VM >>>> managed by ovirt. I can't use the user portal app. So I was trying to >>>> use the REST APIs on behalf of a normal, non-admin user to get the >>>> list of the authenticating user's VMs and their connection information. >>> >>> 3.1 added support for non admin to use the api. >>> i.e., this should work. >>> which specific version are you using? >>> >>>> >>>> Brian >>>> >>>> On Oct 2, 2012, at 2:15 AM, Itamar Heim wrote: >>>> >>>>> On 10/02/2012 06:28 AM, Brian Vetter wrote: >>>>>> I've done two different things. First, I associated one of my >>>>>> groups in my directory with being a VMUser which gave members >>>>>> access to a particular VM. If I login with one of those users via >>>>>> the User portal, I can see their VM (or VMs if I do more than one). >>>>>> If I use the REST API (or ovirt-shell) using this user's account >>>>>> and password, I get an unauthorized error. >>>>>> >>>>>> Similarly, I have another group that is assigned the DomainManager >>>>>> role. If I add this other user to that group, when I login with >>>>>> that user via the user portal, I see the advanced portal. If I use >>>>>> the REST-API (using curl) or ovirt-shell and use the user's login >>>>>> information, I now am authorized and see a list of VMs returned as >>>>>> XML (in the case of curl). >>>>>> >>>>>> That said, I see all VMs in the system, not just the one assigned >>>>>> to the user that logged in. So this makes me think that either the >>>>>> REST API for getting the APIs as suggested by the article is an >>>>>> administrative API and there is either (a) a different rest API/uri >>>>>> that returns the logged in user's vms (the list that would be >>>>>> returned to the portal) or (b) no way to get a particular user's >>>>>> list of VMs authenticated as the user. >>>>> >>>>> you need to specify to the api you want to view things in "user >>>>> mode" via the filter header. >>>>> Example: >>>>> curl -X GET -H "Filter: true" -u user@domain:password >>>>> http://[servername]:PORT/api/vms >>>>> >>>>> >>>>> >>>>>> >>>>>> Brian >>>>>> >>>>>> On Oct 1, 2012, at 10:49 PM, Yair Zaslavsky wrote: >>>>>> >>>>>>> Hi Brian, >>>>>>> I looked at the wiki - >>>>>>> I assume you're referring to the "showVm" part. >>>>>>> Have you assigned any permissions to the user that is supposed to >>>>>>> view the VMs? >>>>>>> I assume you created the VMs with the administrator user, so any >>>>>>> other user will require to have a proper permissions in order to >>>>>>> view these VMs >>>>>>> >>>>>>> Yair >>>>>>> >>>>>>> >>>>>>> On 10/02/2012 05:09 AM, Brian Vetter wrote: >>>>>>>> I was trying to use both the rest api to view a user's vm >>>>>>>> information. I found that the REST APIs always returned an >>>>>>>> authentication error if the account I had logged into was not an >>>>>>>> ovirt administrator. I am guessing that either (a) I am using the >>>>>>>> wrong URL in the REST api or (b) you must be some kind of admin >>>>>>>> to access the REST APIs. I noticed the same behavior when I was >>>>>>>> using the ovirt-shell tool. >>>>>>>> >>>>>>>> For example, I was trying to follow the instructions in >>>>>>>> http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal >>>>>>>> to get the list of VMs (presumably for the user that is logging >>>>>>>> in), I get an unauthorized error. If the user account I login >>>>>>>> with in the curl or ovirt-shell connect statement is an admin, I >>>>>>>> get the list of VMs. >>>>>>>> >>>>>>>> So my question here is does the REST-API need admin privileges or >>>>>>>> am I using a url that requires admin privileges whereas some >>>>>>>> others don't. And if it is the latter, is there somewhere that >>>>>>>> documents the various rest api resources? For example, to go back >>>>>>>> to the "How to connect to Spice console ..." article, how would >>>>>>>> one use the REST API to fetch one's virtual machines, their >>>>>>>> status, and connection info for them? >>>>>>>> >>>>>>>> Thanks, >>>>>>>> >>>>>>>> Brian >>>> >>> >>> >> > >
_______________________________________________ Users mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/users
