[Engine-devel] Managing permissions on network

Livnat Peer lpeer at redhat.com
Tue Nov 13 17:18:28 UTC 2012


On 13/11/12 15:39, Itamar Heim wrote:
> On 11/13/2012 03:37 PM, Livnat Peer wrote:
>> On 13/11/12 15:19, Itamar Heim wrote:
>>> On 11/13/2012 12:45 PM, Livnat Peer wrote:
>>>> Interesting point, I think that if a user has permission to create a VM
>>>> from a specific template we should give him permission to use the
>>>> template networks on this VM implicitly upon the VM creation.
>>>
>>> Having a permission to a template does not mean a permission to the
>>> default network of that VM, especially as we'll use templates more as
>>> instance types.
>>
>> Another alternative is to require permission on the network as well as
>> the template.
>> I must say I don't really like it, although I agree with your comment,
>> we require too many operations for enabling a user to create a VM from
>> template (permission on the template, quota on the storage, permissions
>> on the network, next we'll require a PHD ;)).
>>
>> Anyone has a better idea?
> 
> I assume most networks would be given either to 'everyone' or groups of
> users, not per user (and if the network is per user/tenant, then it must
> be done per user).

Which reminds me that I wanted to propose adding a property on a network
called 'public'.
It's just a UI feature to give a NetworkUser on this network to
'everyone'. It makes it easier for the user to make a network public.

In addition, during upgrade we should make all existing networks public
networks and not allocate specific permissions for users on networks.

It also means that once a user is given permission on a network, he can
use it for any VM he owns. Isn't that problematic? We can't limit a user
to using a network on a specific VM.

> I may not remember correctly, but I thought when giving quota to a user we
> also give some permissions with it (on cluster and storage)?

I am not sure what the current implementation is, as it changed a lot,
but last I tracked it we checked for either quota or permissions; we did
not give implicit permissions when creating a quota.
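The following is an added illustration of the two alternatives debated above (template permission implying network permission vs. requiring an explicit NetworkUser grant), the proposed 'public' flag, and the point that a network grant is not scoped to one VM. It is not code from the thread or from the oVirt engine; the roles NetworkUser and TemplateUser and the 'public' property are taken from the discussion, and every class, function and sample name (blue, red, t1, alice) is this example's own construction.

```python
from dataclasses import dataclass

# Constructed model; only the role names and the 'public' flag follow the thread.
EVERYONE = "everyone"  # pseudo-principal meaning "every user"


@dataclass(frozen=True)
class Network:
    name: str
    public: bool = False  # proposed UI property: NetworkUser granted to 'everyone'


@dataclass(frozen=True)
class Template:
    name: str
    networks: tuple = ()  # networks the template's NICs are attached to


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class VM:
    name: str
    owner: str


class Permissions:
    """Role assignments: (role, object name) -> set of principals (user or group names)."""

    def __init__(self):
        self._grants = {}

    def grant(self, role, obj_name, principal):
        self._grants.setdefault((role, obj_name), set()).add(principal)

    def has(self, role, obj_name, user):
        principals = self._grants.get((role, obj_name), set())
        return (EVERYONE in principals
                or user.name in principals
                or bool(principals & user.groups))


def can_use_network(perms, user, net):
    """A public network needs no grant; otherwise the user needs NetworkUser on it."""
    return net.public or perms.has("NetworkUser", net.name, user)


def can_create_vm(perms, user, template, policy="explicit"):
    """policy='implicit': TemplateUser alone suffices (first suggestion in the thread).
    policy='explicit': TemplateUser plus NetworkUser on every template network."""
    if not perms.has("TemplateUser", template.name, user):
        return False
    if policy == "implicit":
        return True
    return all(can_use_network(perms, user, net) for net in template.networks)


def can_attach_network(perms, user, vm, net):
    """The network grant is not tied to a VM: any VM the user owns qualifies,
    which is exactly the limitation raised in the message above."""
    return vm.owner == user.name and can_use_network(perms, user, net)


def make_all_public(networks):
    """Upgrade behaviour proposed in the thread: every existing network becomes public."""
    return [Network(n.name, public=True) for n in networks]


if __name__ == "__main__":
    # Constructed scenario: alice (group devs) may use template t1, which sits on 'red'.
    blue, red = Network("blue", public=True), Network("red")
    t1 = Template("t1", networks=(red,))
    alice = User("alice", frozenset({"devs"}))
    perms = Permissions()
    perms.grant("TemplateUser", "t1", "devs")
    print("implicit:", can_create_vm(perms, alice, t1, "implicit"))   # True
    print("explicit:", can_create_vm(perms, alice, t1, "explicit"))   # False until NetworkUser on red
    perms.grant("NetworkUser", "red", "alice")
    print("explicit after grant:", can_create_vm(perms, alice, t1))   # True
    print("any owned VM:", can_attach_network(perms, alice, VM("vm2", "alice"), red))  # True
```

The explicit policy is the one that keeps network access a separate least-privilege decision, at the cost of the extra grant the thread complains about; the public flag removes that cost for networks meant for everyone without touching per-network grants for the rest.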
