[Engine-devel] Floating Disk feature description

Itamar Heim iheim at redhat.com
Thu Feb 2 17:30:46 UTC 2012


On 02/02/2012 07:05 PM, Oved Ourfalli wrote:
>
>
> ----- Original Message -----
>> From: "Itamar Heim"<iheim at redhat.com>
>> To: "Daniel Erez"<derez at redhat.com>
>> Cc: engine-devel at ovirt.org
>> Sent: Thursday, February 2, 2012 4:29:30 PM
>> Subject: Re: [Engine-devel] Floating Disk feature description
>>
>> On 02/02/2012 12:25 PM, Daniel Erez wrote:
>> ...
>>>> 6. permissions not available for disks? at all?
>>>> what do you mean power user would be able to attach them by their type?
>>>> does it mean they can associate any shared disk in the system? I hope I'm misunderstanding, as it doesn't make sense to me.
>>>>
>>>> or is this caveat specific to the user portal and not the admin?
>>>> not allowing creating a floating disk from user portal is not a problem in my view for this phase.
>>>>
>>>> I assume anyone can add a disk on a storage domain they have quota to.
>>>> who can edit a disk? remove a disk? attach disk to VM (which gives them ability to edit the disk)
>>>> (attach disk to VM obviously requires permission on both disk and VM)
>>>
>>> Since we won't support permissions on disk entities (at first stage), as a compromise for the power user portal, we've agreed to simply hide floating non-shared disks from the user.
>>
>> I still think we won't find a decent way to model this without
>> permissions, regardless of the power user portal.
>> we'll hit too many problems.
>> I'll look into this a bit more.
>
> I agree that permissions on disks are the right solution.
>
> But, if not possible to have disk permissions in the next version, as a compromise, maybe we can somehow use Quota, i.e., only users with permissions to consume from the Quota the disk resides on can attach the disk to another VM (if unattached). It can work for shared disks as well.
>
> There are some problems in this solution, though, as not everyone will use Quotas, you might want to share disks regardless of Quota,

Quota is fine for a permission to add a floating disk, as quotas are the way we manage permissions to add disks to VMs as well.
The problem is with 'add/import external disk', which would be a system-wide permission (that should be OK; it is not a permission on a disk, rather on the system).
My problem is with permission on the created (or detached) disks: who can edit/delete/attach them
(and attach is a special case, as it requires checking permission on both disk and VM).
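
The permission split discussed in this thread, as an added example that is not part of the original message and is not oVirt engine code: it contrasts the quota-only attach rule with a per-object rule that checks both disk and VM. The `Acl` store, the action names (`import_disk`, `attach`, `edit`) and all users, disks and VMs are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Acl:
    """Hypothetical permission store used only for this illustration."""
    system: dict = field(default_factory=dict)   # user -> system-wide actions
    quota: dict = field(default_factory=dict)    # quota id -> users allowed to consume
    objects: dict = field(default_factory=dict)  # (user, object id) -> actions

    def on_object(self, user, obj, action):
        return action in self.objects.get((user, obj), set())

def can_add_floating_disk(acl, user, quota_id):
    # Creation is gated by quota, the same way as adding a disk to a VM.
    return user in acl.quota.get(quota_id, set())

def can_import_external_disk(acl, user):
    # System-wide permission: granted on the system, not on any one disk.
    return "import_disk" in acl.system.get(user, set())

def can_attach_quota_only(acl, user, disk, vm):
    # Quota compromise: anyone who may consume the disk's quota may attach it.
    return user in acl.quota.get(disk["quota"], set()) and acl.on_object(user, vm, "edit")

def can_attach(acl, user, disk, vm):
    # Per-object model: attach needs a permission on the disk AND on the VM.
    return acl.on_object(user, disk["id"], "attach") and acl.on_object(user, vm, "edit")

def demo():
    # Constructed sample data: alice and bob share quota q1, alice owns disk-a.
    acl = Acl(
        system={"admin": {"import_disk"}},
        quota={"q1": {"alice", "bob"}},
        objects={
            ("alice", "disk-a"): {"edit", "delete", "attach"},
            ("alice", "vm-alice"): {"edit"},
            ("bob", "vm-bob"): {"edit"},
        },
    )
    disk = {"id": "disk-a", "quota": "q1"}  # alice's detached (floating) disk
    return {
        "bob_quota_only": can_attach_quota_only(acl, "bob", disk, "vm-bob"),
        "bob_per_object": can_attach(acl, "bob", disk, "vm-bob"),
        "alice_per_object": can_attach(acl, "alice", disk, "vm-alice"),
        "alice_wrong_vm": can_attach(acl, "alice", disk, "vm-bob"),
    }
```

Under the quota-only rule, bob can attach alice's detached disk to his own VM because both consume from the same quota; the per-object rule denies it and also denies alice attaching her disk to a VM she has no permission on.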


