[ovirt-users] user permissions
Fabrice Bacchella
fabrice.bacchella at orange.fr
Thu Jul 6 09:56:38 UTC 2017
It's getting stranger. I have written code to dump roles and permits for a given user.
./ovcmd user -n rexecutor roles | gsort -V
...
has role 'InstanceCreator' on vm 'fa42'
has role 'UserInstanceManager' on vm 'fa42'
has role 'UserRole' on vm 'fa42'
has role 'UserVmManager' on vm 'fa42'
has role 'UserVmRunTimeManager' on vm 'fa42'
So no super-user role for that VM.
./ovcmd user -n rexecutor permits
...
vm/fa42:
add_users_and_groups_from_directory
assign_cpu_profile
attach_disk
change_vm_cd
configure_vm_network
configure_vm_storage
connect_to_vm
create_disk
create_vm
delete_disk
delete_vm
edit_disk_properties
edit_vm_properties
hibernate_vm
login
manipulate_permissions
reboot_vm
run_vm
shut_down_vm
sparsify_disk
stop_vm
./ovcmd -u rexecutor@internal --passwordfile=/tmp/passwordfile vm -n fa42 stop
The action "vm stop" failed with: query execution failed due to insufficient permissions.
The role has the stop_vm permit but it can't stop it.
Now I add the SuperUser role for that VM.
./ovcmd user -n rexecutor roles | gsort -V
...
has role 'InstanceCreator' on vm 'fa42'
has role 'SuperUser' on vm 'fa42'
has role 'UserInstanceManager' on vm 'fa42'
has role 'UserRole' on vm 'fa42'
has role 'UserVmManager' on vm 'fa42'
has role 'UserVmRunTimeManager' on vm 'fa42'
The permits are the same:
./ovcmd user -n rexecutor permits
vm/fa42:
add_users_and_groups_from_directory
assign_cpu_profile
attach_disk
change_vm_cd
configure_vm_network
configure_vm_storage
connect_to_vm
create_disk
create_vm
delete_disk
delete_vm
edit_disk_properties
edit_vm_properties
hibernate_vm
login
manipulate_permissions
reboot_vm
run_vm
shut_down_vm
sparsify_disk
stop_vm
./ovcmd -u rexecutor@internal --passwordfile=/tmp/passwordfile vm -n fa42 stop
(OK)
But now it can stop the VM. Why?
> On 5 Jul 2017, at 17:55, Fabrice Bacchella <fabrice.bacchella at orange.fr> wrote:
>
> I'm trying to give a user the permissions to stop/start a specific server.
>
> This user is given the generic UserRole for the System.
>
> I tried to give him the roles:
> UserVmManager
> UserVmRunTimeManager
> UserInstanceManager
> InstanceCreator
> UserRole
>
> for that specific VM, I always get: query execution failed due to insufficient permissions.
>
> As soon as I give him the SuperUser role, he can stop/start it.
>
> What role should I give him for that VM? I don't want to give the privilege to destroy the VM, or add disks. But he should be able to change the OS settings too.
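The before/after comparison made in this message can be automated. The following is an added example, not part of the original post or of the ovcmd tool; it assumes the `roles` and `permits` output formats shown above, and its sample inputs are constructed and abridged.

```python
import re

# Matches lines such as: has role 'UserRole' on vm 'fa42'
ROLE_RE = re.compile(r"has role '([^']+)' on (\w+) '([^']+)'")

def parse_roles(text):
    """Map 'type/name' -> set of role names from `roles` output lines."""
    roles = {}
    for m in ROLE_RE.finditer(text):
        role, kind, name = m.groups()
        roles.setdefault(f"{kind}/{name}", set()).add(role)
    return roles

def parse_permits(text):
    """Map 'type/name' -> set of permit names from `permits` output."""
    permits, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "...":
            continue  # skip blanks and the elision marker
        if line.endswith(":"):
            current = line[:-1]  # object header, e.g. "vm/fa42:"
            permits.setdefault(current, set())
        elif current is not None:
            permits[current].add(line)
    return permits

def diff(before, after):
    """Per object, return (added, removed); unchanged objects are omitted."""
    out = {}
    for obj in before.keys() | after.keys():
        b, a = before.get(obj, set()), after.get(obj, set())
        if a != b:
            out[obj] = (a - b, b - a)
    return out

# Constructed, abridged samples in the format shown in the post.
ROLES_BEFORE = "has role 'UserRole' on vm 'fa42'\nhas role 'UserVmManager' on vm 'fa42'\n"
ROLES_AFTER = ROLES_BEFORE + "has role 'SuperUser' on vm 'fa42'\n"
PERMITS_BEFORE = "...\nvm/fa42:\nreboot_vm\nrun_vm\nshut_down_vm\nstop_vm\n"
PERMITS_AFTER = "vm/fa42:\nreboot_vm\nrun_vm\nshut_down_vm\nstop_vm\n"

if __name__ == "__main__":
    print("role changes:  ", diff(parse_roles(ROLES_BEFORE), parse_roles(ROLES_AFTER)))
    print("permit changes:", diff(parse_permits(PERMITS_BEFORE), parse_permits(PERMITS_AFTER)))
```

An empty permit diff alongside a non-empty role diff, as in this sample, shows that the dumped permit list alone does not account for the change in behaviour.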