Bug 1420509

Summary: [Docs][REST] Document permissions required to use REST API
Product: Red Hat Enterprise Virtualization Manager
Reporter: Stephen Gordon <sgordon>
Component: Documentation
Assignee: rhev-docs <rhev-docs>
Status: CLOSED WONTFIX
QA Contact: rhev-docs <rhev-docs>
Severity: low
Priority: low
Version: 3.6.0
CC: apinnick, lsurette, lsvaty, mperina, oliel, srevivo
Target Milestone: ---
Keywords: Documentation
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: backlog
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-06-14 09:56:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Infra
Cloudforms Team: ---

Description Stephen Gordon 2017-02-08 20:55:24 UTC
Description of problem:

The information contained in https://access.redhat.com/solutions/431653 should really be part of the REST API guide. It tells the user what permissions are required to access the REST API.

Version-Release number of selected component (if applicable):

3.6.0

Comment 4 Ori Liel 2020-02-17 10:03:02 UTC
The documentation in the provided link seems to be outdated (says: "Updated February 28 2014")

Ovirt was indeed initially designed for users with administrator permissions. Later on it became necessary to open part of it to non-admin users.

Nowadays admins may access anything in the API, and non-admins have specific access according to the roles they have on specific entities.

For example, if Ori has UserRole for VM_1, then GET .../api/vms done by Ori would return VM_1, but not other VMs in the system. And Ori may do operations on that VM, etc.

One exception to this is that an admin may choose to masquerade as a user and see only entities which he has specific permission for, by providing the filter=true flag in his API requests.

Comment 5 Martin Perina 2020-02-17 10:11:30 UTC
As a general rule the following should apply to the REST API (and the same is used for the webadmin UI):

  - If a user has been assigned at least one admin role, he can read information about all entities in the RHV installation, but he can write only to entities he has the admin permissions for
  - If a user has been assigned only user role(s), he can read and write only to entities he has permissions for

Moving to documentation team to update relevant parts of RHV documentation, but I think also the KCS article should be updated.
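The visibility rules stated in comments 4 and 5, written out as a small Python model added here for illustration (this is not oVirt/RHV code). It assumes a flat entity model with no permission inheritance through the object hierarchy, and the role name AdminRole is a constructed stand-in for any admin-type role; UserRole and VM_1 are taken from comment 4.

```python
"""Model of the RHV REST API visibility rules from comments 4 and 5."""
from dataclasses import dataclass

# Constructed: "AdminRole" stands in for any admin-type role. In oVirt the
# admin/user distinction comes from the role's type; "UserRole" is from the page.
ADMIN_ROLES = {"AdminRole"}

# Constructed sample inventory for the collection being listed.
ALL_VMS = ["VM_1", "VM_2", "VM_3"]


@dataclass(frozen=True)
class Assignment:
    role: str    # role name, e.g. "UserRole"
    entity: str  # entity the role is granted on (flat: no inheritance modelled)


def has_admin_role(assignments):
    """Comment 5: at least one admin role puts the caller on the admin path."""
    return any(a.role in ADMIN_ROLES for a in assignments)


def permitted_entities(assignments, admin_only=False):
    """Entities the caller holds a direct permission on (optionally admin-only)."""
    return {a.entity for a in assignments if not admin_only or a.role in ADMIN_ROLES}


def can_read(assignments, entity, filter_flag=False):
    """Admins read everything, unless filter=true (comment 4) restricts them
    to entities they hold a specific permission on; users only see their own."""
    if has_admin_role(assignments) and not filter_flag:
        return True
    return entity in permitted_entities(assignments)


def can_write(assignments, entity):
    """Admins write only where they hold an admin permission; users write
    wherever they hold any permission (comment 5, taken literally)."""
    if has_admin_role(assignments):
        return entity in permitted_entities(assignments, admin_only=True)
    return entity in permitted_entities(assignments)


def visible_entities(assignments, all_entities, filter_flag=False):
    """What a GET on the collection returns for this caller."""
    return [e for e in all_entities if can_read(assignments, e, filter_flag)]
```

Used as an oracle, the expected list from visible_entities can be compared against what a real GET on the collection returns for a test account with the same role assignments.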