RE: REST API create_vm returns task URL that doesn't exist?

Hi @DevFlint,
tasks are now correctly visible in the swagger documentation

Hi @slavavrn,
FYI, its now possible to revert a snapshot via the REST API.
POST /vms/:id/actions/revert_snapshot
And the body of the endpoint:

{
  "snapshotId": <snapshot-id>
  "snapshotBefore": boolean (optional)
}

Hi @johnnezero and thanks for the post!

Just wanted to talk about PERMISSION SYNC.

In the REST API the "permission sync" pattern is actually handled natively by the RBAC system using selectors.

For example, if you want a role that allows a user to manage VM power state only for VMs tagged dev:

• Start from the built-in role template “VMs power state manager” (just to speed up role creation, but totally optional)
• Create or customize a role with the required VM power privileges (read, start, stop, reboot, etc.)
• Scope each privileges using a selector like:
  tags:dev
• Then assign the role to your user or group

Once done, the access is fully dynamic:

• Any VM with the dev tag is included in the scope
• Removing the tag immediately revokes access
• Adding the tag grants access instantly
• No need to maintain per-VM ACL entries

The key point is that RBAC evaluates privileges at request time based on selectors.
You can also base selectors on other VM properties, not only tags (for example power state, name patterns ...).

You can find the doc here
and a dedicated forum thread here

PS: For the moment the XO6 UI does not support the RBAC system, but we are working on it

Hi @rzr,
When you say, "XO still showed host 2 needing patching", does that mean XO is still showing missing patches?

If so, can you run the following command: xe host-call-plugin host-uuid=<uuid-host2> plugin=updater.py fn=check_update

Hi @r0123456789,

GET /rest/v0/hosts/:id/stats is available in the REST API

Hi @dan89,
It is possible to create an authentication_token using the REST API.

POST /rest/v0/users/me/authentication_tokens

Hi @Steve_Sibilia,
FYI, ACL V2 / RBAC is now available in the REST API.

You can see the RBAC doc.
A dedicated thread is available on the forum thread, please feel free to share your feedback.

Thank you.

Hi @halvor,
FYI, ACL V2 / RBAC is now available in the REST API.

You can create a privilege that only give you read privilege on your host.
You can see the RBAC doc.
A dedicated thread is available on the forum thread, please feel free to share your feedback.

Thank you.

Hi @jedimarcus,
FYI, VIF creation is possible via the REST API POST /rest/v0/vifs

Hi, @14wkinnersley
We merged the PATCH /vms/:id endpoint onto the master branch

@acebmxer Hi

i am able to reproduce the dashboard issue locally now, so we can also investigate on our end.

Can you confirm, no dashboard issue on the commit : ee53cd072304a38e8bf816dceef9bc7277b776dc?

@acebmxer I remeber some users experiencing issues with XO6 due to a misconfigured NGINX reverse proxy (it was blocking SSE, which XO6 uses).

Is your reverse proxy configured correctly?

I won't have time to examine the script myself

@acebmxer Thank for your investigation.

• You talk about a script install-xen-orchestra.sh, but the link seems dead. What is that script, it is a script provided by Vates?
• Bearer token is not supported (the xo doc say we can use Basic auth, or cookie to connect). If Bearer token is an absolute need, we can think about implementing it.
• For XO6 UI that doesn't build, can you provide the full error log?

To reproduce dashbloard loading issues, we have to:

• have a fresh XO install
• import an XO config that come for antoher XO
• connect as the default admin@admin.net, and create another user
• connect as the new user, and delete the default user (admin@admin.net)

Symptom: Every browser session token fails immediately after login. Seconds after logging in, xo-server logs

Only browser session that use the deleted account fails, or even sessions with untouched users?

After that, the issue occures even if we logout/login with the new user?

@acebmxer Thanks!

What's strange is that the previous log shows a 401 status code for the /schedules endpoint, but you can access it.
The xo:rest-api:listener ERROR cannot handle data for task list> error is also odd.

You say you only have one user, but it seems you had several before, right?
Could you try logging out and then logging back in?

Is there perhaps a bug during user deletion that would keep some active but malfunctioning authentication tokens?

@acebmxer Thanks.
So, no issue to compute the dashboard.

In your log, I see unexpected 401 responses code.

Could you try /rest/v0/schedules and let me know the result? (and any XO-server errors that occur)

@acebmxer Hi,
Do you use an admin users or do you use a non admin users with RBAC/ACL-V2?

What is the ouput of /rest/v0/users/me?
Also, what is the ouput of /rest/v0/dashboard?

@acebmxer It also works on your XOA.

Thank you both for your availability for testing. I will see with the XO team when to release a fix.

We apologize for any inconvenience

Thanks @Baronvaile, the fix seems to work.

@acebmxer i will also patch your XOA, It's better to have several confirmations

Thanks @Baronvaile. Can i restart xo-server?

Can someone open a support tunnel, so that i can test a fix?

PR: https://github.com/vatesfr/xen-orchestra/pull/9798

MathieuRA opened this pull request in vatesfr/xen-orchestra

closed fix(rest-api): early return for admin user in acl check #9798