[Engine-devel] Managing permissions on network

Moti Asayag masayag at redhat.com
Wed Nov 7 10:26:49 UTC 2012 

On 11/06/2012 03:56 PM, Livnat Peer wrote:
> Hi All,
> 
> This is a proposal for handling network permissions in oVirt.
> 
> In this proposal we took the more permissive approach as we find it
> simple and a good starting point, we also think a more restrict approach
> makes the configuration of a network cumbersome for ovirt administrators.
> 
> Inputs are welcomed as always...
> 
> Here is an overview of the approach, for more detailed description
> please read the wiki page:
> http://wiki.ovirt.org/wiki/Feature/NetworkPermissions
> 
> ---------------------------------------------------------------------------
> Admin
> ======
> 
> -> For creating a network in a data center you need to be a Superuser or
> a DCAdmin or a networkAdmin on the DC.
> 
> -> After creating the network you can manipulate the network if you are
> a DCAdmin or a networkAdmin on the relevant network (or the whole DC).
> 
> -> For attaching the network to cluster you need to be a networkAdmin on
> the network (no requirement to have permission on the cluster)
> 
> -> Cluster administrator can not attach/detach a network from the
> cluster, the motivation for this is that as long as the network is not
> attached to the cluster it is not part of the cluster resources thus can
> not be managed by the cluster administrator.
> In addition once a network is attached to a cluster the cluster
> administrator can change the network from required to non-required for
> controlling the impact of the network within the cluster.

I'd like to clarify that NetworkAdmin is authorized to update the
cluster network's properties (set network as display network or set
network as required/optional). NetworkAdmin is capable of doing so with
permissions on the Network only (not on the cluster).

The ClusterAdmin is capable of updating the cluster network's properties
as well.

A restrictive approach would be requiring permissions on both Cluster
and Network with NetworkAdmin role in order to perform those actions.
This approach assures that changes committed for a network within a
cluster could be performed by user that owns permissions on both network
and cluster. However it will make the permission granting process a bit
toilsome: Granting the NetworkAdmin role of a specific cluster and also
a NetworkAdmin per each network to be assigned for the cluster.

I'd like to get opinions for the approaches mentioned above.

> 
> -> For setting a network on the host you need to be host administrator
> on the host and you don't need to be network administrator.
> This implies that if you are a host administrator you can add/remove all
> the cluster networks from your host without the need for network related
> permissions (this is the permissive approach).
> 
> User
> ====
> 
> -> For attaching a network to a Vnic in the VM you need to have the role
> of VmNetworkUser on the network and vmAdmin on the VM.
> 
> -> In user portal - the list of shown network for a user will include
> only the list of networks the user is allowed to attach to its vnics
> (instead of all cluster's networks).
> 
> Port-mirroring
> ===============
> 
> ->  For configuring in the VM port mirroring you need to have the role
> of VmAdvancedNetworkUser on the network and vmAdmin on the VM.
> VmAdvancedNetworkUser includes the VmNetworkUser actions in addition to
> port mirroring.
> 
> 
> 
> 
> For all DB upgrade information and new roles/action groups please review
> the wiki.
> 
> Thanks,
> Livnat & Moti
>

More information about the Devel mailing list