[Engine-devel] Clone VM from snapshot feature
Itamar Heim
iheim at redhat.com
Sun Feb 26 13:27:02 UTC 2012
On 02/26/2012 03:24 PM, Yair Zaslavsky wrote:
> On 02/26/2012 03:19 PM, Itamar Heim wrote:
>> On 02/26/2012 03:20 PM, Yair Zaslavsky wrote:
>> ...
>>>>>> 4. MLA - what permission does one need to have on source VM/snapsot to
>>>>>> clone it?
>>>>>> if a non-owner can clone a VM/snapshot, and become owner of the new
>>>>>> entity, need to make sure no privilege escalation flows exist.
>>>>>> is the intent to share the code of clone VM with AddVm (which is what
>>>>>> clone is), with a task to clone the disks rather than create them
>>>>>> (otherwise you need to duplicate the code for quota and permission
>>>>>> handling?)
>>>>> If I understand you correctly - Cloning images commands
>>>>> (AddVmFromTemplate, cloning vm from snapshot, etc..) will invoke a
>>>>> CopyImage internal command.
>>>>
>>>> iiuc, internal commands don't perform permission checks?
>>> Correct, they do not.
>>
>> then how do you not duplicate checks like user is allowed to the cluster
>> (and later, to custom properties, logical networks, shared disks, etc.)
> Not sure if I understand - are you asking if why I'm not duplicating
> this from the original VM?
>
I'm asking if a non owner of the original VM can copy these, and also if
you are cloning the permissions of the original VM
More information about the Engine-devel
mailing list