Description of problem: Query execution failed due to insufficient permissions occurs in RHEVM engine.log while perform REST API GET VM info In spite that response is OK Version-Release number of selected component (if applicable): RHEVM: 3.4.0-0.16.rc.el6ev How reproducible: 100% Steps to Reproduce: 1. Run REST API Request GET https://****/api/vms Request Headers: Connection: keep-alive Session-TTL: 360 Accept-Language: en-US,en;q=0.5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131023 Firefox/17.0 Referer: ****/UserPortal/org.ovirt.engine.ui.userportal.UserPortal/UserPortal.html?locale=en_US Accept-Encoding: gzip, deflate Prefer: persistent-auth Authorization: Basic ***** Filter: true 2. 3. Actual results: Error occurs in RHEVM engine.log -> 2014-05-29 09:28:08,230 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-79) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User scale-1 logged in. 2014-05-29 09:28:08,281 ERROR [org.ovirt.engine.core.bll.GetVmsInitQuery] (ajp-/127.0.0.1:8702-79) Query execution failed due to insufficient permissions. Expected results: No error Additional info:
I think that we need to make the GetVmsInit query accessible to users, something like this: diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java b/backend/manager/modu index 0480b74..26532a9 100644 --- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java +++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java @@ -26,7 +26,7 @@ public enum VdcQueryType implements Serializable { GetVmsByVnicProfileId, GetTemplatesByVnicProfileId, GetVirtioScsiControllers(VdcQueryAuthType.User), - GetVmsInit, + GetVmsInit(VdcQueryAuthType.User), GetVmNextRunConfiguration(VdcQueryAuthType.User), GetVmUpdatesOnNextRunExists(VdcQueryAuthType.User), Shahar, can you confirm?
(In reply to Juan Hernández from comment #1) > Shahar, can you confirm? Ack
Note that the attached patch allows access to the query, but that query is only used if the "Filter: true" header is used, so in addition to the fix the caller needs to add that header to the request.
The fix for this issue has been merged into the upstream 3.5 branch, so it will be available downstream with the next rebase.
Verified upstream in ovirt-engine-3.5.0-0.0.master.20140804172041.git23b558e.el6.noarch (rc1). GET request (see comment 0) as a regular user works. No errors about insufficient permissions to execute query in occured engine log. curl -A "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131023 Firefox/17.0" \ -e "https://instance1.ovirt.org/ovirt-engine/userportal/" \ -H "Connection: keep-alive" \ -H "Session-TTL: 360" \ -H "Accept-Language: en-US,en;q=0.5" \ -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" \ -H "Prefer: persistent-auth" \ -H "Authorization: Basic ***" \ # a user -H "Filter: true" \ https://instance1.ovirt.org/ovirt-engine/api/vms/ Response: <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <vms> <vm href="/ovirt-engine/api/vms/5d4f3c8a-7514-400d-a0f7-5c6c51178ba8" id="5d4f3c8a-7514-400d-a0f7-5c6c51178ba8"> ... ... </vms>
RHEV-M 3.5.0 has been released