[Users] template provisioning permissions

Dead Horse deadhorseconsulting at gmail.com
Mon Mar 18 23:02:26 EDT 2013


Verified this is present in latest engine built from master with latest
VDSM built from master.
On the surface this literally seems as simple as a lack of Read-Only access
to the template image when requesting to clone it from the template on the
storage domain wherein the user cloning from the template has no
permissions.
- DHC


On Wed, Mar 13, 2013 at 4:34 PM, Dead Horse
<deadhorseconsulting at gmail.com> wrote:

> Got an interesting one here as pertaining to template permissions and
> provisioning.
>
> Given the following setup/situation:
>
> A cluster with a user A assigned poweruser role permissions on the cluster.
> - User A is assigned poweruser role permissions to storage domain A
> - User A is a consumer of quota A which is assigned to specific storage
> domain A
>
> A cluster with a user B assigned poweruser role permissions on the cluster.
> - User B is assigned poweruser role permissions to storage domain B
> - User B is a consumer of quota B which is assigned to specific storage
> domain B
>
> User A creates a VM and makes a template of it with permissions of
> everyone as UserTemplateBasedVM.
>
> User B tries to create a VM based on the template that User A created.
> While the base VM profile can be created the storage provisioning
> encounters an issue.
>
> Template provisioning with the thin provision option will fail
> due to the fact that User B does not have proper permissions to User A's
> storage domain. The symptom of this expected failure is the target storage
> domain pull-down is empty. (It really should show something or be greyed
> out rather than just be blank; at least some sort of user notification.)
>
> The real issue here is with the clone provisioning option. The idea here
> is to clone a copy of the template disks into User B's storage domain
> as a target where User B has poweruser role permissions. The problem here
> is that this fails just like the above thin provision, which should not be
> the case. The target pull-down is still blank; it should by default show the
> target storage domain to which User B has permissions, that being Storage
> domain B.
>
> Further debugging yields that assigning UserTemplateVM permissions to
> User A's storage domain allows User B to use either of the options above,
> although the only one really desired is the clone option since we don't
> want User B creating VMs in User A's storage domain. There still, however,
> was an issue: upon selecting clone and selecting Storage domain B as the
> target, the VM is created but the disk is created in Storage domain A
> instead of storage domain B.
>
>
> Running build of the engine is built from commit:
> 7354d3283627bdbe30dd9c15ce45eba375280a8c
>
> - DHC
>
>