The user also has the AffinityGroupManager role for the cluster; this role has
the permission Manipulate Affinity Groups.
It is the same account that works when using the Python SDK.
2018-11-27 11:36:50,791Z INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5237) [b225cdb] Running command: CreateUserSessionCommand internal: false.
2018-11-27 11:36:50,988Z INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-5229) [21e2d0fe] EVENT_ID: USER_VDC_LOGIN(30), User secgen@internal-authz connecting from 'x.x.x.x' using session 'mT2aF7+FziRwE3ZZ29y7y2QHidDX4aAquc5fwo5swyLVMxufAyF26JbmDNeN9ylob1+zSSH9JWu4bBDt2wdHGw==' logged in.
2018-11-27 11:36:51,081Z INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-5233) [] User xxxx@internal successfully logged in with scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:passw..d-access
2018-11-27 11:36:51,154Z INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5233) [1d0e61f8] Running command: CreateUserSessionCommand internal: false.
2018-11-27 11:36:51,604Z INFO [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] No permission found for user 'd5b7e8f0-603e-47c5-a420-1f5f6834aa02' or one of the groups he is member of, when running action 'AddAffinityGroup', Required permissions are: Action type: 'ADMIN' Action group: 'MANIPULATE_AFFINITY_GROUPS' Object type: 'Cluster' Object ID: 'beac8771-1dbc-4046-99b1-c17d072fb27f'.
2018-11-27 11:36:51,604Z WARN [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] Validation of action 'AddAffinityGroup' failed for user xxxx@internal-authz. Reasons: VAR__TYPE__AFFINITY_GROUP,VAR__ACTION__ADD,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2018-11-27 11:36:51,606Z ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (default task-5233) [] Operation Failed: [User is not authorized to perform this action.]
Regards,
Paul S.
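Added example (not part of the original message or of oVirt): a small Ruby parser that pulls the missing permission out of engine.log and joins it, by correlation id, to the validation line that carries the login name. The sample lines are constructed from the entries quoted above, each joined onto one line; the constant and function names are assumptions.

```ruby
# Added example, not from the thread. SAMPLE_LOG is constructed from the
# engine.log entries quoted above, each joined onto a single line.
SAMPLE_LOG = <<~LOG
  2018-11-27 11:36:51,154Z INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5233) [1d0e61f8] Running command: CreateUserSessionCommand internal: false.
  2018-11-27 11:36:51,604Z INFO [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] No permission found for user 'd5b7e8f0-603e-47c5-a420-1f5f6834aa02' or one of the groups he is member of, when running action 'AddAffinityGroup', Required permissions are: Action type: 'ADMIN' Action group: 'MANIPULATE_AFFINITY_GROUPS' Object type: 'Cluster' Object ID: 'beac8771-1dbc-4046-99b1-c17d072fb27f'.
  2018-11-27 11:36:51,604Z WARN [org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] (default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] Validation of action 'AddAffinityGroup' failed for user xxxx@internal-authz. Reasons: VAR__TYPE__AFFINITY_GROUP,VAR__ACTION__ADD,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
LOG

# The denial line names only the user's UUID and the permission that was looked for.
DENIED = Regexp.new(
  '^(?<time>\S+ \S+) INFO\s+\[[^\]]+\] \([^)]*\) \[(?<corr>[^\]]*)\] ' \
  "No permission found for user '(?<user_id>[^']+)'.*?when running action '(?<action>[^']+)', " \
  "Required permissions are: Action type: '(?<action_type>[^']+)' " \
  "Action group: '(?<action_group>[^']+)' Object type: '(?<object_type>[^']+)' " \
  "Object ID: '(?<object_id>[^']+)'"
)
# The validation line carries the login name; it shares the correlation id.
FAILED = /\[(?<corr>[^\]]*)\] Validation of action '[^']+' failed for user (?<user>\S+)\. Reasons: (?<reasons>\S+)/

# Returns one hash per denied action, joined across both lines by correlation id.
def authorization_failures(log_text)
  denials = {}
  log_text.each_line do |line|
    if (m = DENIED.match(line))
      denials[m[:corr]] = m.named_captures.transform_keys(&:to_sym)
    elsif (m = FAILED.match(line)) && denials.key?(m[:corr])
      denials[m[:corr]].merge!(user: m[:user], reasons: m[:reasons].split(','))
    end
  end
  denials.values
end

if __FILE__ == $PROGRAM_NAME
  authorization_failures(SAMPLE_LOG).each do |f|
    puts "#{f[:time]} #{f[:user]} (#{f[:user_id]}) denied #{f[:action]}: " \
         "needs #{f[:action_type]} #{f[:action_group]} on #{f[:object_type]} #{f[:object_id]}"
  end
end
```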
________________________________
From: Schreuders, Cliffe
Sent: 27 November 2018 11:55
To: Ondra Machacek; Staniforth, Paul
Cc: Andrej Krejcir; users; Shaw, Thomas
Subject: Re: [ovirt-users] AffinityGroup API
Hi Ondra,
Thanks. Here is a sample script that illustrates the problem. The same error
occurs when adding a VM to an existing affinity group.
Sample code:
require 'ovirtsdk4'
# Connection settings (placeholders as posted)
conn_attr = {}
conn_attr[:url] = 'https://XXXX/ovirt-engine/api'
conn_attr[:username] = 'XXXX'
conn_attr[:password] = 'XXXX'
conn_attr[:debug] = true
conn_attr[:headers] = {'Filter' => true }
ovirt_connection = OvirtSDK4::Connection.new(conn_attr)
vms_service = ovirt_connection.system_service.vms_service
# Locate the affinity groups service of the 'Default' cluster
clusters_service = ovirt_connection.system_service.clusters_service
cluster = clusters_service.list(search: 'name=Default')[0]
cluster_service = clusters_service.cluster_service(cluster.id)
cluster_affinitygroups_service = cluster_service.affinity_groups_service
begin
  affinity_group_name = "affinity_group_test123"
  puts "Creating affinity group: #{affinity_group_name}"
  # Create a positive, enforcing VM affinity group
  cluster_affinitygroups_service.add(OvirtSDK4::AffinityGroup.new(
    name: affinity_group_name,
    description: 'a description',
    vms_rule: OvirtSDK4::AffinityRule.new(
      enabled: true,
      positive: true,
      enforcing: true
    )
  ))
rescue StandardError => e
  # Report the fault returned by the engine
  warn "Failed to create affinity group"
  warn e.message
end
Output:
cliffe@office:~/Code/ovirt_scripts$ ruby add_affinity_group.rb
Creating affinity group: affinity_group_test123
Failed to create affinity group
Fault reason is "Operation Failed". Fault detail is "[User is not authorized to
perform this action.]". HTTP response code is 400.
The user has ReadOnlyAdmin permissions.
I would be happy to be told if I'm doing something wrong here; I didn't find
any Ruby examples that worked with affinity groups.
Paul, could you please provide the engine.log entries? Thanks.
Cheers,
Cliffe.
On 27/11/2018 10:04, Ondra Machacek wrote:
Can you please share the script? And also, what are the permissions of the
user you are executing the script as?
When you see the error 'User is not authorized to perform the action', we print
in engine.log exactly what's wrong, meaning we print what permissions
the user is missing in order to execute that action. So it may help you
find out what's wrong as well.
On 11/26/18 5:35 PM, Schreuders, Cliffe wrote:
Yes, the related issue we came across was that when using the Ruby gem,
assigning a VM to an Affinity Group raises an exception that states the
User is not authorized to perform the action; however, using the same
account works fine from the Admin portal and carrying out the exact same
steps via the Python SDK works as expected. The end result is that we
ended up calling a Python script from our Ruby code just to set the
affinity group.
Thanks, Paul.
On 26/11/2018 12:11, Staniforth, Paul wrote:
Hi Andrej
I believe they are using 4.2.5; they get a permission error, although they can
use the Python SDK with the same account.
Paul S.
________________________________________
From: Ondra Machacek <[email protected]>
Sent: 26 November 2018 11:41
To: Staniforth, Paul
Cc: Andrej Krejcir; users
Subject: Re: [ovirt-users] AffinityGroup API
What version of the SDK do you use?
I can see it's supported in the latest version.
On 11/26/18 11:13 AM, Andrej Krejcir wrote:
Hi,
I don't know much about the Ruby SDK. I think the SDKs for various languages
are generated from the API specification.
Ondra, is this a bug in ruby SDK?
Andrej
On Fri, 23 Nov 2018 at 18:06, Staniforth, Paul <[email protected]> wrote:
Hello Andrej,
Also, the Affinity Groups apparently aren't available
in the Ruby SDK; should I add this to the bug report?
Thanks,
Paul S.
------------------------------
*From:* Andrej Krejcir <[email protected]>
*Sent:* 21 November 2018 13:32
*To:* Staniforth, Paul
*Cc:* users
*Subject:* Re: [ovirt-users] AffinityGroup API
Hi,
Yes, the AffinityGroupHosts is missing. Can you please open a bug[1] so we
can add it?
As a workaround, the hosts can be modified by a PUT request to the
AffinityGroup endpoint directly, for example:
PUT /ovirt-engine/api/clusters/1234/affinitygroups/5678
<affinity_group>
  <hosts>
    <host id="123456789"/>
    <host id="987654321"/>
  </hosts>
</affinity_group>
However, this will replace all hosts in the affinity group with the hosts
listed.
Best regards,
Andrej
[1] - https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine
On Wed, 21 Nov 2018 at 13:26, <[email protected]> wrote:
Hello,
When using the API to update an AffinityGroup there is an
AffinityGroupVm and AffinityGroupVms, so I can add or remove VMs, but there
is no AffinityGroupHost or AffinityGroupHosts; therefore I can't add or
remove hosts.
Thanks,
Paul S.
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/[email protected]/message/BUMDJ34JRLDHSE6CPUVZOD3I2TI2YBQD/
To view the terms under which this email is distributed, please go to:-
http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html
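Added example (not from the thread or the oVirt project): because the PUT workaround described earlier in the thread replaces every host in the group, changing one host needs a read-modify-write, which this Ruby sketch does by building the PUT body from the group's current XML. The shape of the GET response, the helper names and the host id 555 are assumptions; the other ids are the placeholders used in the thread.

```ruby
require 'rexml/document'

# Constructed sample of what a GET on the affinity group is assumed to return.
CURRENT_GROUP_XML = <<~XML
  <affinity_group id="5678">
    <name>affinity_group_test123</name>
    <hosts>
      <host id="123456789"/>
      <host id="987654321"/>
    </hosts>
  </affinity_group>
XML

# Host ids listed under /affinity_group/hosts, in document order.
def host_ids(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '/affinity_group/hosts/host').map { |h| h.attributes['id'] }
end

# Builds the PUT body: current hosts, plus `add`, minus `remove`.
# Sending only the new host would silently drop the existing ones.
def hosts_put_body(current_xml, add: [], remove: [])
  ids = (host_ids(current_xml) + add).uniq - remove
  body = REXML::Document.new
  hosts = body.add_element('affinity_group').add_element('hosts')
  ids.each { |id| hosts.add_element('host', 'id' => id) }
  body.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Body for: PUT /ovirt-engine/api/clusters/1234/affinitygroups/5678
  puts hosts_put_body(CURRENT_GROUP_XML, add: ['555'], remove: ['987654321'])
end
```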