Red Hat Bugzilla – Bug 854296
vm.start() doesn't work for users with 'vm_basic_operations' permissions
Last modified: 2012-12-04 15:02:41 EST
Description of problem:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create VM.
2. Assign VM some role, which has 'vm_basic_operations' perms.
3. Via ovirtsdk try to start created VM.
Error: query execution failed due to insufficient permissions
API = ovirtsdk.api.API(
vm = API.vms.get(CREATED_VM)
vm.start() # FAIL
vm.stop() works fine.
Do you have the engine logs?
(just making sure it is indeed an MLA issue, and not a problem somewhere in the API).
I tried to reproduce this issue, and both Start and Stop work for me.
What were the exact permissions you gave the user?
Were the permissions granted via the SDK/CLI?
Can you give the exact steps to reproduce?
Created attachment 609938 [details]
Just making sure - did you see my second comment?
I wasn't able to reproduce it, so more details will be helpful in finding the problem.
I saw in the log that the failed query was GetVmByVmId, but you should be able to see the VM if the have the correct permissions on it.
In webadmin as admin do:
1) Create VM with name 'a'.
2) In permissions tab add permission to user 'someuser' and assing it 'UserRole' role
Then run this code:
API = ovirtsdk.api.API(
vm = API.vms.get('a')
vm.start() # Fails with error specified in decription
vm.stop() worsk fine
In userportal everything works fine(start, stop).
Also this works:
$curl -k -X POST -H "Content-type: application/xml" -H "Accept: application/xml" -H "Filter: True" -d "<action/>" -u email@example.com:123456 https://10.34.63.30/api/vms/vm-id/start
(In reply to comment #5)
> In webadmin as admin do:
> 1) Create VM with name 'a'.
> 2) In permissions tab add permission to user 'someuser' and assing it
> 'UserRole' role
> Then run this code:
> API = ovirtsdk.api.API(
> insecure=True, username='someuser',
it cannot be related to sdk, make sure you used in sdk same
user you are using in gui/api/curl
btw, what version of sdk you are using?, on sdk < 126.96.36.199 you had to
specify filter=true in methods as well.
(In reply to comment #7)
> btw, what version of sdk you are using?, on sdk < 188.8.131.52 you had to
> specify filter=true in methods as well.
There is an issue there. The "filter" header isn't passed to the start VM operation. Will post a fix soon.
lack of rsdl descriptor
Posted patch to gerrit: