Bug 1420509 - [Docs][REST] Document permissions required to use REST API
Summary: [Docs][REST] Document permissions required to use REST API
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: Documentation
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: rhev-docs@redhat.com
QA Contact: rhev-docs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-02-08 20:55 UTC by Stephen Gordon
Modified: 2020-10-25 13:31 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
oVirt Team: Infra
Target Upstream Version:


Attachments (Terms of Use)

Description Stephen Gordon 2017-02-08 20:55:24 UTC
Description of problem:

The information contained in https://access.redhat.com/solutions/431653 should really be part of the REST API guide. It tells the user what permissions are required to access the REST API.

Version-Release number of selected component (if applicable):

3.6.0

Comment 4 Ori Liel 2020-02-17 10:03:02 UTC
The documentation in the provided link seems to be outdated (says: "Updated February 28 2014")

Ovirt was indeed initially designed for users with administrator permissions. Later on it became necessary to open part of it to non-admin users.

Nowadays admins may access anything is the API, and non-admins have specific access according to the roles they have on specific entities.

For exammple, if Ori has UserRole for VM_1, then GET .../api/vms done by Ori would return VM_1, but not other vms in the system. And Ori may do operations on that VM, etc.

One exception to this is that an admin may choose to masquerade as a user, choose to see only entities which he has specific permission for, by providing filter=true flag to his API requests.

Comment 5 Martin Perina 2020-02-17 10:11:30 UTC
As a general rule following should apply to RESTAPI (and the same is used for webadmin UI):

  - If a user has assigned at least one admin role, he can read information about all entities in the RHV installation, but he can write only to entities he has the admin permissions for
  - If a user has assigned only user role(s), he can read and write only to entities he has permissions for

Moving to documentation team to update relevant parts of RHV documentation, but I think also the KCS article should be updated.


Note You need to log in before you can comment on or make changes to this bug.