Description of problem:
user who can create a VM in extended user portal can not create VM in filtered API due to insufficient permissions

Version-Release number of selected component (if applicable):
si24.1 / rhevm-restapi-3.1.0-28.el6ev.noarch

How reproducible:
always

Steps to Reproduce:
1. give a user the PowerUserRole over a cluster Default
2. create a VM via user portal and API (example):

curl --cacert .certs/cert.pem -D - -b JSESSIONID=JGOUUMzeGMN4-zs0JC1-nubr \
  -H "prefer: persistent-auth" -H "Content-Type: application/xml" \
  -H "filter: true" https://rhevm31.example.com/api/vms -X POST -d \
  '<vm><name>test-vm-fdloddfl</name><cluster><name>Default</name></cluster><template><name>Blank</name></template></vm>'

Actual results:
UI: works
API:

HTTP/1.1 400 Bad Request
Date: Wed, 14 Nov 2012 08:21:00 GMT
Content-Type: application/xml
Content-Length: 188
Connection: close

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<fault>
    <reason>Operation Failed</reason>
    <detail>query execution failed due to insufficient permissions.</detail>
</fault>

Expected results:
operation succeeds via API as well

Additional info:

Well, the problem is that the API is using /search to fetch the template/cluster id by name; the workaround is using IDs instead.

The operation fails even when I specify a cluster with an ID:

$ curl --cacert .cert.pem -D - -b JSESSIONID=7RhiNHUP6ORsTrX0-OCyDh+a \
  -H "prefer: persistent-auth" -H "Content-Type: application/xml" \
  -H "filter: true" https://rhevm31.example.com/api/vms -X POST -d \
  "<vm><name>test-vm-fdloddfl</name><cluster id='99408929-82cf-4dc7-a532-9d998063fa95'/><template><name>Blank</name></template></vm>"
HTTP/1.1 400 Bad Request
Date: Wed, 14 Nov 2012 10:42:42 GMT
Content-Type: application/xml
Content-Length: 188
Connection: close

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<fault>
    <reason>Operation Failed</reason>
    <detail>query execution failed due to insufficient permissions.</detail>
</fault>

The permission is given at system-level to a group where the user belongs. When I try to look up the permissions of the cluster, I get this empty reply no matter if I ask as a filtered user or unfiltered admin:

GET /api/clusters/99408929-82cf-4dc7-a532-9d998063fa95/permissions

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<permissions/>

The same goes for the respective data center and in /api, I can not see permissions at all (as admin). I'd expect to see inherited permissions or, in case of filtered requests, just the subset of the permissions related to the user.

(In reply to comment #2)
> The operation fails even when I specify a cluster with an ID:
>
> $ curl --cacert .cert.pem -D - -b JSESSIONID=7RhiNHUP6ORsTrX0-OCyDh+a \
>   -H "prefer: persistent-auth" -H "Content-Type: application/xml" \
>   -H "filter: true" https://rhevm31.example.com/api/vms -X POST -d \
>   "<vm><name>test-vm-fdloddfl</name><cluster id='99408929-82cf-4dc7-a532-9d998063fa95'/><template><name>Blank</name></template></vm>"
> HTTP/1.1 400 Bad Request
> Date: Wed, 14 Nov 2012 10:42:42 GMT
> Content-Type: application/xml
> Content-Length: 188
> Connection: close
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <fault>
>     <reason>Operation Failed</reason>
>     <detail>query execution failed due to insufficient permissions.</detail>
> </fault>
>

Comment 1 says: use template/cluster by-id

(In reply to comment #3)
> (In reply to comment #2)
> Comment 1 says: use template/cluster by-id

Sorry, I missed the template part. When specifying both as ids, the VM gets created. So is this a duplicate of bug 869334, I guess?

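Added example, not part of the original thread or of the oVirt/RHEV code: a client-side pre-flight check for the workaround in comments 1 and 4, which flags `<cluster>`/`<template>` elements referenced by name (the case that comment 1 says goes through /search) and rewrites them to id references. The function names and the `KNOWN_IDS` map are hypothetical, and the template id is a placeholder because the thread never gives it.

```python
import xml.etree.ElementTree as ET

# Request bodies as posted in the thread (description and comment 2).
BODY_BY_NAME = ("<vm><name>test-vm-fdloddfl</name>"
                "<cluster><name>Default</name></cluster>"
                "<template><name>Blank</name></template></vm>")
BODY_COMMENT_2 = ("<vm><name>test-vm-fdloddfl</name>"
                  "<cluster id='99408929-82cf-4dc7-a532-9d998063fa95'/>"
                  "<template><name>Blank</name></template></vm>")

# Hypothetical name -> id map kept by the client. The cluster id is the one
# quoted in comment 2; the template id is a placeholder, not a real value.
KNOWN_IDS = {
    ("cluster", "Default"): "99408929-82cf-4dc7-a532-9d998063fa95",
    ("template", "Blank"): "TEMPLATE-ID-PLACEHOLDER",
}

def name_references(vm_xml):
    """Return (tag, name) for each cluster/template lacking an id attribute."""
    root = ET.fromstring(vm_xml)
    found = []
    for tag in ("cluster", "template"):
        node = root.find(tag)  # direct children only, so the VM's own <name> is ignored
        if node is not None and node.get("id") is None:
            found.append((tag, node.findtext("name")))
    return found

def pin_ids(vm_xml, known_ids=KNOWN_IDS):
    """Rewrite by-name references to by-id; raise KeyError if an id is unknown."""
    root = ET.fromstring(vm_xml)
    for tag, name in name_references(vm_xml):
        if (tag, name) not in known_ids:
            raise KeyError(f"no id known for {tag} {name!r}")
        node = root.find(tag)
        for child in list(node):  # drop <name> so only the id is sent
            node.remove(child)
        node.set("id", known_ids[(tag, name)])
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    # Comment 2's body still carries the template by name.
    print(name_references(BODY_COMMENT_2))
    print(pin_ids(BODY_BY_NAME))
```
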
link: http://gerrit.ovirt.org/#/c/9248/
change id: I604883bc48dce3f326046d59534fb9134c1bbb29

(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > Comment 1 says: use template/cluster by-id
>
> sorry, I missed the template part. When specifying both as ids, the VM gets
> created. So is this a duplicate of bug 869334, i guess?

Indeed, but I prefer keeping it in a separate bug so as not to overload #869334.

3.2 has been released