[Engine-devel] Disk Permissions Feature

Moti Asayag masayag at redhat.com
Mon Mar 19 17:03:36 UTC 2012


On 03/15/2012 05:46 PM, Itamar Heim wrote:
> On 03/15/2012 05:34 PM, Omer Frenkel wrote:
>>>> >  >  1. "Create disk - requires permissions on the Storage Domain,
>>>> >  >  (can't assume Quota is sufficient to permit user creating the
>>>> >  >  disk on the Storage Domain, as Quota might be disabled)"
>>>> >  >
>>>> >  >  I'd also specify create disk for regular disks is at storage
>>>> >  >  domain level?, while direct lun disks require system level
>>>> >  >  permission of add disk.
>>>> >  >
>>>> >  >  so, if quota is disabled, how important is it to prevent
>>>> >  >  creation of disks (other than direct lun ones, which would
>>>> >  >  require a permission similar to storage domain creation)?
>>>> >  >
>>>> >  >  if this is added, it has to be implicitly added / not needed if
>>>> >  >  user has quota (i.e., having a quota should be similar to having
>>>> >  >  a permission as far as the check goes).
>>>> >  >
>>> >
>>> >  We should look into it, how complicated is it to validate if user
>>> >  has either quota or permission, and allow creating a disk on a SD
>>> >  if either exists.
>> this might be confusing to the user as he can disable the quota,
>> then stuff would stop working.
>>
> 
> we can't require both quota and permissions from user on storage domains
> - that's cumbersome.
> question is if we can limit the need for permissions to disks only to
> places where they are needed (shared, direct, floating)?

Wiki is updated with a proposal for this issue. In a nutshell, adding
'automatic' permissions on the Storage Domain (or to Storage Pool for
Global quota) to relevant users when performing Quota specific actions
so they can be used regardless of Quota concerns (e.g. when Quota is
disabled for DC):

http://www.ovirt.org/wiki/Features/DiskPermissions#Design
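
A toy model of the two options discussed in this thread, added here as an illustration and not part of the original message or of oVirt's code: the "either quota or permission" check loses access once quota is disabled, while granting an automatic Storage Domain permission during the quota action keeps it. The `Engine` class, its fields, and the user and storage domain names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Engine:
    """Toy model of one data center; every name here is hypothetical."""
    quota_enabled: bool = True
    quota_users: set = field(default_factory=set)   # (user, storage_domain)
    permissions: set = field(default_factory=set)   # (user, storage_domain)
    auto_grant: bool = False  # True = the 'automatic permission' proposal

    def assign_quota(self, user, sd):
        """Quota-specific action: make `user` a quota consumer on `sd`."""
        self.quota_users.add((user, sd))
        if self.auto_grant:
            # Proposal: the quota action also records a permission on the SD.
            self.permissions.add((user, sd))

    def can_create_disk(self, user, sd):
        if self.auto_grant:
            # One source of truth: only the permission table is consulted.
            return (user, sd) in self.permissions
        # "Either quota or permission": quota counts only while enabled.
        has_quota = self.quota_enabled and (user, sd) in self.quota_users
        return has_quota or (user, sd) in self.permissions


def access_after_quota_disabled(auto_grant):
    """Return (allowed before, allowed after) disabling quota for the DC."""
    engine = Engine(auto_grant=auto_grant)
    engine.assign_quota("alice", "sd1")  # constructed sample data
    before = engine.can_create_disk("alice", "sd1")
    engine.quota_enabled = False
    after = engine.can_create_disk("alice", "sd1")
    return before, after


def unrelated_access_denied(auto_grant):
    """Users or domains outside the quota assignment must stay denied."""
    engine = Engine(auto_grant=auto_grant)
    engine.assign_quota("alice", "sd1")
    return (not engine.can_create_disk("bob", "sd1")
            and not engine.can_create_disk("alice", "sd2"))


if __name__ == "__main__":
    print("either-check:", access_after_quota_disabled(False))
    print("auto-grant:  ", access_after_quota_disabled(True))
```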
