[Engine-devel] Managing permissions on network

Itamar Heim iheim at redhat.com
Tue Nov 13 18:19:01 UTC 2012


On 11/13/2012 07:18 PM, Livnat Peer wrote:
> On 13/11/12 15:39, Itamar Heim wrote:
>> On 11/13/2012 03:37 PM, Livnat Peer wrote:
>>> On 13/11/12 15:19, Itamar Heim wrote:
>>>> On 11/13/2012 12:45 PM, Livnat Peer wrote:
>>>>> Interesting point, I think that if a user has permission to create a VM
>>>>> from a specific template we should give him permission to use the
>>>>> template networks on this VM implicitly upon the VM creation.
>>>>
>>>> having a permission to a template does not mean a permission to the
>>>> default network of that VM, especially as we'll use templates more as
>>>> instance types.
>>>
>>> Another alternative is to require permission on the network as well as
>>> the template.
>>> I must say I don't really like it, although I agree with your comment;
>>> we require too many operations for enabling a user to create a VM from a
>>> template (permission on the template, quota on the storage, permissions
>>> on the network, next we'll require a PhD ;)).
>>>
>>> Does anyone have a better idea?
>>
>> I assume most networks would be given either to 'everyone' or to groups of
>> users, not per user (and if the network is per user/tenant, then it must
>> be done per user).
>
> Which reminds me that I wanted to propose adding a property on a network
> called "public".
> It's just a UI feature to give a NetworkUser on this network to
> 'everyone'. It makes making a network public easier for the user.
>
> In addition during upgrade we should make all existing networks public
> networks and not allocate specific permissions for users on networks.
>
> In addition it also means a user is given permission on a network and
> then he can use it for any VM he owns. Isn't that problematic? We can't
> limit a user to use a network on a specific VM.

I think that's fine.
Don't let the user edit that VM if you don't trust them.

>
>> i may not remember correctly, but i thought when giving quota to user we
>> also give some permissions with it (on cluster and storage)?
>
> I am not sure what the current implementation is, as it changed a lot,
> but last I tracked it we checked for either quota or permissions; we did
> not give implicit permissions when creating a quota.
>

Gilad/Doron?
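To make the alternatives in this thread concrete, here is a small model of the permission check, written as an added example for this page; it is not oVirt engine code, and the class, role and network names (Engine, TemplateUser, NetworkUser, ovirtmgmt, storage_net, the users and the "devs" group) are assumptions chosen for illustration. It compares the two policies discussed (template permission implying network permission vs. requiring an explicit NetworkUser grant on each template network), models the proposed "public" property as nothing more than granting NetworkUser to 'everyone', and shows the upgrade step of marking every existing network public.

```python
from dataclasses import dataclass

EVERYONE = "everyone"  # pseudo-principal: a role granted to it applies to every user


@dataclass(frozen=True)
class Permission:
    principal: str  # user name, group name, or EVERYONE
    role: str       # "TemplateUser" or "NetworkUser" in this model (assumed role names)
    target: str     # name of the template or network the role is granted on


@dataclass
class Network:
    name: str
    public: bool = False  # proposed flag: sugar for NetworkUser granted to EVERYONE


@dataclass
class Template:
    name: str
    networks: tuple  # names of the networks on the template's NICs


class Engine:
    """Hypothetical authorization model, not the real oVirt implementation."""

    def __init__(self, permissions, networks, groups):
        self.permissions = set(permissions)
        self.networks = {n.name: n for n in networks}
        self.groups = groups  # user -> set of group names

    def principals_for(self, user):
        # A user acts as themself, as each group they belong to, and as 'everyone'.
        return {user, EVERYONE} | self.groups.get(user, set())

    def has_role(self, user, role, target):
        return any(Permission(p, role, target) in self.permissions
                   for p in self.principals_for(user))

    def make_public(self, network_name):
        # The proposed "public" property is only a UI shortcut for granting
        # NetworkUser on this network to 'everyone'; the stored grant is the same.
        self.networks[network_name].public = True
        self.permissions.add(Permission(EVERYONE, "NetworkUser", network_name))

    def upgrade_make_all_public(self):
        # Upgrade behaviour proposed in the thread: every existing network becomes
        # public instead of receiving per-user permissions.
        for name in list(self.networks):
            self.make_public(name)

    def can_use_network(self, user, network_name):
        # Note: no VM argument. A NetworkUser grant applies to any VM the user
        # owns; the model cannot restrict a network to one specific VM.
        return self.has_role(user, "NetworkUser", network_name)

    def missing_networks(self, user, template):
        return sorted(n for n in template.networks
                      if not self.can_use_network(user, n))

    def can_create_vm(self, user, template, implicit_network_permission=False):
        """Return (allowed, list of missing grants) for creating a VM from template."""
        if not self.has_role(user, "TemplateUser", template.name):
            return False, ["template:" + template.name]
        if implicit_network_permission:
            # Policy A: permission on the template implies permission on its networks.
            return True, []
        # Policy B: require an explicit NetworkUser grant on every template network.
        missing = self.missing_networks(user, template)
        return (not missing), missing


def build_demo():
    # Constructed sample data: two networks, one template, three users.
    engine = Engine(
        permissions=[
            Permission("alice", "TemplateUser", "golden"),
            Permission("alice", "NetworkUser", "ovirtmgmt"),
            Permission("bob", "TemplateUser", "golden"),
            Permission("devs", "NetworkUser", "storage_net"),  # granted to a group
        ],
        networks=[Network("ovirtmgmt"), Network("storage_net")],
        groups={"bob": {"devs"}},
    )
    golden = Template("golden", ("ovirtmgmt", "storage_net"))
    return engine, golden


if __name__ == "__main__":
    engine, golden = build_demo()
    print("alice, explicit:", engine.can_create_vm("alice", golden))
    print("alice, implicit:", engine.can_create_vm("alice", golden, True))
    print("bob, explicit:  ", engine.can_create_vm("bob", golden))
    engine.upgrade_make_all_public()
    print("after upgrade:  ", engine.can_create_vm("alice", golden))
```

Under the explicit policy alice is refused because storage_net is neither granted to her nor public, and bob is refused for ovirtmgmt even though his group covers storage_net; after the upgrade step marks both networks public, both are allowed with no per-user grants at all.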
