[Engine-devel] Disk Permissions Feature

Itamar Heim iheim at redhat.com
Thu Mar 15 05:25:02 UTC 2012 

On 03/14/2012 02:20 AM, Moti Asayag wrote:
> Hi all,
>
> Disk Permissions feature description Wiki page:
> http://www.ovirt.org/wiki/Features/DiskPermissions
>
> Please share your comments.

I think you are lacking a paragraph explaining some of the issues around 
this:
- are disks part of storage domains or VMs wrt permissions inheritance?
- what about direct luns (are not part of storage domains)?
- what about shared disks (multiple inheritance if from VM)?
- what if tomorrow we allow disks to span multiple storage domains?
- quota's are already a concept of permissions to create disks at 
storage domain level, does user need both (cumbersome)
- when do we must have this (to filter shared, floating or direct lun 
disks we would show to power users when not attached to VMs) - or these 
won't be available for now via the power user portal, only via admin.

1. "Create disk - requires permissions on the Storage Domain, (can't 
assume Quota is sufficient to permit user creating the disk on the 
Storage Domain, as Quota might be disabled)"

I'd also specify create disk for regular disks is at storage domain 
level?, while direct lun disks require system level permission of add disk.

so, if quota is disabled, how important is it to prevent creation of 
disks (other than direct lun ones, which would require a permission 
similar to storage domain creation)?

if this is added, it has to be implicitly added / not needed if user has 
quota (i.e., having a quota should be similar to having a permission as 
far as the check goes).

2. "Attach disk to VM - requires permissions on the Disk and on the VM 
(applies for shared disk as well). "

which permission at disk is required? (disk access?)

3. "Detach disk from VM - requires permissions on the VM only. (Unlike

attach disk that requires permissions on the VM and on the Disk). "

will detaching a disk copy the permission it so far inherited from the VM?

4. UI changes
an edit permissions button from VM disks subtab seems appropriate (will 
open a dialog i guess)

More information about the Devel mailing list