So both of the user's roles are administrative, so please try to remove the following line in your script:

> conn_attr[:headers] = {'Filter' => true }

This should be used only with roles which are not administrative, like UserVmManager, etc.

On 11/27/18 1:21 PM, Staniforth, Paul wrote:
The user also has the AffinityGroupManager role for the cluster; this role has the permission Manipulate Affinity Groups.

It is the same account that works when using the python SDK.

2018-11-27 11:36:50,791Z INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5237) [b225cdb] Running command: CreateUserSessionCommand internal: false.
2018-11-27 11:36:50,988Z INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-5229) [21e2d0fe] EVENT_ID: USER_VDC_LOGIN(30), User secgen@internal-authz connecting from 'x.x.x.x' using session 'mT2aF7+FziRwE3ZZ29y7y2QHidDX4aAquc5fwo5swyLVMxufAyF26JbmDNeN9ylob1+zSSH9JWu4bBDt2wdHGw==' logged in.
2018-11-27 11:36:51,081Z INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-5233) [] User xxxx@internal successfully logged in with scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:passw..d-access
2018-11-27 11:36:51,154Z INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5233) [1d0e61f8] Running command: CreateUserSessionCommand internal: false.
2018-11-27 11:36:51,604Z INFO [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] No permission found for user 'd5b7e8f0-603e-47c5-a420-1f5f6834aa02' or one of the groups he is member of, when running action 'AddAffinityGroup', Required permissions are: Action type: 'ADMIN' Action group: 'MANIPULATE_AFFINITY_GROUPS' Object type: 'Cluster' Object ID: 'beac8771-1dbc-4046-99b1-c17d072fb27f'.
2018-11-27 11:36:51,604Z WARN [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] Validation of action 'AddAffinityGroup' failed for user xxxx@internal-authz. Reasons: VAR__TYPE__AFFINITY_GROUP,VAR__ACTION__ADD,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2018-11-27 11:36:51,606Z ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (default task-5233) [] Operation Failed: [User is not authorized to perform this action.]

Regards,
Paul S.

________________________________
From: Schreuders, Cliffe
Sent: 27 November 2018 11:55
To: Ondra Machacek; Staniforth, Paul
Cc: Andrej Krejcir; users; Shaw, Thomas
Subject: Re: [ovirt-users] AffinityGroup API

Hi Ondra,

Thanks. Here is a sample script that illustrates the problem. The same error occurs when adding a VM to an existing affinity group.

Sample code:

    require 'ovirtsdk4'

    conn_attr = {}
    conn_attr[:url] = 'https://XXXX/ovirt-engine/api'
    conn_attr[:username] = 'XXXX'
    conn_attr[:password] = 'XXXX'
    conn_attr[:debug] = true
    conn_attr[:headers] = {'Filter' => true }

    ovirt_connection = OvirtSDK4::Connection.new(conn_attr)
    vms_service = ovirt_connection.system_service.vms_service
    clusters_service = ovirt_connection.system_service.clusters_service
    cluster = clusters_service.list(search: 'name=Default')[0]
    cluster_service = clusters_service.cluster_service(cluster.id)
    cluster_affinitygroups_service = cluster_service.affinity_groups_service

    begin
      affinity_group_name = "affinity_group_test123"
      puts "Creating affinity group: #{affinity_group_name}"
      cluster_affinitygroups_service.add(OvirtSDK4::AffinityGroup.new(
        name: affinity_group_name,
        description: 'a description',
        vms_rule: OvirtSDK4::AffinityRule.new(
          enabled: true,
          positive: true,
          enforcing: true
        )
      ))
    rescue Exception => e
      warn "Failed to create affinity group"
      warn e.message
    end

Output:

    cliffe@office:~/Code/ovirt_scripts$ ruby add_affinity_group.rb
    Creating affinity group: affinity_group_test123
    Failed to create affinity group
    Fault reason is "Operation Failed". Fault detail is "[User is not authorized to perform this action.]". HTTP response code is 400.

The user has ReadOnlyAdmin permissions.

I would be happy to be told if I'm doing something wrong here; I didn't find any ruby examples that worked with affinity groups.

Paul, could you please provide the engine.log entries? Thanks.

Cheers,
Cliffe.

On 27/11/2018 10:04, Ondra Machacek wrote:

Can you please share the script? And also, what's the permission of the user you are executing the script with?

When you see the error 'User is not authorized to perform the action', we print in engine.log what exactly is wrong, meaning we print what permissions the user is missing in order to execute that action. So it may help you find out what's wrong as well.

On 11/26/18 5:35 PM, Schreuders, Cliffe wrote:

Yes, the related issue we came across was that when using the Ruby gem, assigning a VM to an Affinity Group raises an exception that states the User is not authorized to perform the action; however, using the same account works fine from the Admin portal and carrying out the exact same steps via the Python SDK works as expected.

The end result is that we ended up calling a Python script from our Ruby code just to set the affinity group.

Thanks, Paul.

On 26/11/2018 12:11, Staniforth, Paul wrote:

Hi Andrej,

I believe they are using 4.2.5; they get a permission error although they can use the python SDK with the same account.

Paul S.

________________________________________
From: Ondra Machacek <omach...@redhat.com>
Sent: 26 November 2018 11:41
To: Staniforth, Paul
Cc: Andrej Krejcir; users
Subject: Re: [ovirt-users] AffinityGroup API

What version of the SDK do you use? I can see it's supported in the latest version.

On 11/26/18 11:13 AM, Andrej Krejcir wrote:

Hi,

I don't know much about the ruby SDK. I think the SDKs for various languages are generated from the API specification.

Ondra, is this a bug in the ruby SDK?

Andrej

On Fri, 23 Nov 2018 at 18:06, Staniforth, Paul <p.stanifo...@leedsbeckett.ac.uk> wrote:

Hello Andrej,

Also, the Affinity Groups apparently aren't available in the Ruby SDK; should I add this to the bug report?

Thanks,
Paul S.

------------------------------
From: Andrej Krejcir <akrej...@redhat.com>
Sent: 21 November 2018 13:32
To: Staniforth, Paul
Cc: users
Subject: Re: [ovirt-users] AffinityGroup API

Hi,

Yes, the AffinityGroupHosts is missing. Can you please open a bug[1] so we can add it?

As a workaround, the hosts can be modified by a PUT request to the AffinityGroup endpoint directly, for example:

    PUT /ovirt-engine/api/clusters/1234/affinitygroups/5678

    <affinity_group>
      <hosts>
        <host id="123456789"/>
        <host id="987654321"/>
      </hosts>
    </affinity_group>

However, this will replace all hosts in the affinity group with the hosts listed.

Best regards,
Andrej

[1] - https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine

On Wed, 21 Nov 2018 at 13:26, <p.stanifo...@leedsbeckett.ac.uk> wrote:

Hello,

When using the API to update an AffinityGroup there is an AffinityGroupVm and AffinityGroupVms so I can add or remove VMs, but there is no AffinityGroupHost or AffinityGroupHosts, therefore I can't add or remove hosts.

Thanks,
Paul S.
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/BUMDJ34JRLDHSE6CPUVZOD3I2TI2YBQD/

To view the terms under which this email is distributed, please go to:- http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html
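Added example, not part of the original thread or of the oVirt project's code: a Ruby triage helper that pulls the "No permission found" denial out of engine.log, joins it to the matching "Validation ... failed" entry by correlation ID, and flags ADMIN-type actions, for which the reply at the top of the thread suggests dropping the 'Filter' header. The names `permission_denials`, `advice` and `SAMPLE_LOG` are hypothetical, and the sample log is constructed from the entries quoted in the thread.

```ruby
# Constructed sample: three engine.log entries as quoted in the thread.
SAMPLE_LOG = <<~'LOG'
  2018-11-27 11:36:51,154Z INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5233) [1d0e61f8] Running command: CreateUserSessionCommand internal: false.
  2018-11-27 11:36:51,604Z INFO [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] No permission found for user 'd5b7e8f0-603e-47c5-a420-1f5f6834aa02' or one of the groups he is member of, when running action 'AddAffinityGroup', Required permissions are: Action type: 'ADMIN' Action group: 'MANIPULATE_AFFINITY_GROUPS' Object type: 'Cluster' Object ID: 'beac8771-1dbc-4046-99b1-c17d072fb27f'.
  2018-11-27 11:36:51,604Z WARN [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] Validation of action 'AddAffinityGroup' failed for user xxxx@internal-authz. Reasons: VAR__TYPE__AFFINITY_GROUP,VAR__ACTION__ADD,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
LOG

# Denial entry: correlation ID, user UUID, action and the permission the engine required.
DENIAL = /
  \[(?<corr>[^\]]*)\]\s+No\ permission\ found\ for\ user\ '(?<user_id>[^']+)'
  .*?when\ running\ action\ '(?<action>[^']+)',\s+Required\ permissions\ are:
  \s+Action\ type:\s+'(?<action_type>[^']+)'
  \s+Action\ group:\s+'(?<action_group>[^']+)'
  \s+Object\ type:\s+'(?<object_type>[^']+)'
  \s+Object\ ID:\s+'(?<object_id>[^']+)'
/x

# Validation failure entry: same correlation ID, but carries the login name and reason codes.
FAILED = /\[(?<corr>[^\]]*)\]\s+Validation of action '[^']+' failed for user (?<user>\S+)\.\s+Reasons:\s+(?<reasons>\S+)/

# Returns one hash per denial, enriched with user name and reasons when the WARN entry exists.
def permission_denials(log_text)
  by_corr = {}
  log_text.each_line do |line|
    m = FAILED.match(line)
    by_corr[m[:corr]] = { user: m[:user], reasons: m[:reasons].split(',') } if m
  end
  log_text.each_line.map do |line|
    next unless (m = DENIAL.match(line))
    rec = m.named_captures.transform_keys(&:to_sym)
    rec.merge(by_corr.fetch(rec[:corr], {})).merge(admin_action: rec[:action_type] == 'ADMIN')
  end.compact
end

# One-line summary; the 'Filter' hint follows the advice given in the thread (an assumption, not an engine rule).
def advice(rec)
  base = "#{rec[:action]} by #{rec[:user] || rec[:user_id]} needs " \
         "#{rec[:action_group]} on #{rec[:object_type]} #{rec[:object_id]}"
  rec[:admin_action] ? "#{base}; ADMIN action: check the client is not sending the 'Filter' header" : base
end

permission_denials(SAMPLE_LOG).each { |r| puts advice(r) }
```
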