Description of problem:
Version-Release number of selected component (if applicable):
How reproducible: always
Steps to Reproduce:
1. Create VM.
2. Assign VM some role, which has 'vm_basic_operations' perms.
3. Via ovirtsdk try to start created VM.
Actual results:
Error: query execution failed due to insufficient permissions
Expected results:
VM starts
Additional info:
sample code:
    import ovirtsdk.api

    API = ovirtsdk.api.API(
        url='https://url:443/api',
        insecure=True, username='newUser', password='password', filter=True)
    vm = API.vms.get(CREATED_VM)
    vm.start()  # FAIL
-------------------------------
vm.stop() works fine.
Do you have the engine logs? (just making sure it is indeed an MLA issue, and not a problem somewhere in the API). Thank you.
I tried to reproduce this issue, and both Start and Stop work for me. What were the exact permissions you gave the user? Were the permissions granted via the SDK/CLI? Can you give the exact steps to reproduce?
Created attachment 609938: engine log
Just making sure - did you see my second comment? I wasn't able to reproduce it, so more details will be helpful in finding the problem. I saw in the log that the failed query was GetVmByVmId, but you should be able to see the VM if you have the correct permissions on it.
Steps:
In webadmin as admin do:
1) Create VM with name 'a'.
2) In permissions tab add permission to user 'someuser' and assign it 'UserRole' role
Then run this code:
    import ovirtsdk.api

    API = ovirtsdk.api.API(
        url='https://10.34.63.30:443/api',
        insecure=True, username='someuser', password='123456', filter=True)
    vm = API.vms.get('a')
    vm.start()  # Fails with error specified in description
-----------------------------------------------------
vm.stop() works fine
In userportal everything works fine (start, stop).
Also this works:
    $ curl -k -X POST -H "Content-type: application/xml" -H "Accept: application/xml" -H "Filter: True" -d "<action/>" -u portaluser2.eng.brq.redhat.com:123456 https://10.34.63.30/api/vms/vm-id/start
(In reply to comment #5)
> Steps:
>
> In webadmin as admin do:
> 1) Create VM with name 'a'.
> 2) In permissions tab add permission to user 'someuser' and assign it
> 'UserRole' role
>
>
> Then run this code:
> API = ovirtsdk.api.API(
> url='https://10.34.63.30:443/api',
> insecure=True, username='someuser',
It cannot be related to the sdk; make sure you used the same user in the sdk as you are using in gui/api/curl.
btw, what version of the sdk are you using? On sdk < 3.1.0.8 you had to specify filter=true in methods as well.
(In reply to comment #7)
> btw, what version of the sdk are you using? On sdk < 3.1.0.8 you had to
> specify filter=true in methods as well.
There is an issue there. The "filter" header isn't passed to the start VM operation. Will post a fix soon.
lack of rsdl descriptor
Posted patch to gerrit: http://gerrit.ovirt.org/7769
Commit: 292c58575c7ea6b6cd5c8fcff6d583b29a16b0eb http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=292c58575c7ea6b6cd5c8fcff6d583b29a16b0eb
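A regression check for the missing header discussed in this thread, as an added example that is not part of any comment, of ovirtsdk or of the linked patch: a local recording server lists every request that arrives without `Filter: true`. The `make_client` stand-in and the `/api/vms/vm-id` paths are constructed assumptions; a real check would point the SDK at the recorder instead.

```python
# Added example: stand-in recorder and client, not oVirt or ovirtsdk code.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class Recorder(BaseHTTPRequestHandler):
    """Stores (method, path, Filter header value) for each request received."""
    seen = []

    def _record(self):
        self.rfile.read(int(self.headers.get("Content-Length") or 0))
        Recorder.seen.append((self.command, self.path, self.headers.get("Filter")))
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _record

    def log_message(self, *args):  # silence per-request logging
        pass

def call(port, method, path, send_filter):
    """Send one API-style request, with or without the 'Filter: true' header."""
    headers = {"Content-Type": "application/xml", "Accept": "application/xml"}
    if send_filter:
        headers["Filter"] = "true"
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, b"<action/>" if method == "POST" else None, headers)
    conn.getresponse().read()
    conn.close()

def unfiltered_requests(client):
    """Run client(port) against the recorder; return requests lacking the header."""
    Recorder.seen = []
    server = HTTPServer(("127.0.0.1", 0), Recorder)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        client(server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
    return [(m, p) for m, p, f in Recorder.seen if (f or "").lower() != "true"]

def make_client(filter_on_action):
    """Constructed SDK stand-in: filters the GET, optionally the start action."""
    def client(port):
        call(port, "GET", "/api/vms/vm-id", True)
        call(port, "POST", "/api/vms/vm-id/start", filter_on_action)
    return client
```

`unfiltered_requests(make_client(False))` reproduces the reported pattern, where the lookup is filtered but the start action is not; an empty list means every call carried the header.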