[ovirt-users] user can see other user's vms

Hari Gowtham hgowtham at redhat.com
Wed Jul 26 14:17:14 UTC 2017


Hi,
Thanks for the quick response,

comments inline.

On Wed, Jul 26, 2017 at 6:15 PM, Michal Skrivanek
<michal.skrivanek at redhat.com> wrote:
>
>> On 26 Jul 2017, at 15:39, Ondra Machacek <omachace at redhat.com> wrote:
>>
>> Hi,
>>
>> one possible way is to add PowerUserRole to user on datacenter where you want
>> the users to operate. That way, they only can create VMs from
>> templates which are
>> public or they have direct permissions on and if the VM is created they can use
>> only that VM, and not any other.

Can you point me to the doc so I can take a look at this?
And we don't want to restrict the user to make use of templates alone.
We have to give them access to spawn vms from iso too.

>>
>> On Wed, Jul 26, 2017 at 2:22 PM, Hari Gowtham <hgowtham at redhat.com> wrote:
>>> Hi,
>>>
>>> we have been trying to use ovirt to let the other devs in our team
>>> spawn vms and use it.
>>> we are nearly done with the setup. we have the hosted engine up,
>>> created gluster volumes and now we have setup the login to the portal
>>> too. While trying to spawn vms we noticed that,
>>> The admin can view, start or stop the vms on the machines which is fine.
>>> But we can see that the users can see each other user's vms too.
>>> This will make it possible for one user to start or stop other user's
>>> vm which we don't want to happen.
>>> we need to avoid this situation where one user has access to other user's vm.
>>> A particular user should be able to see the vms created by him alone
>>> So that he will have the ability to stop his own vms alone. What is
>>> the best way to create this setup?
>
> is that within the admin portal? That’s for admins which have visibility (not necessarily control) to all VMs/infrastructure
> There’s the User Portal (VM Portal since 4.1) for regular “powerless” user which can see only their VMs

From the admin portal, the admin is able to see all the vms. This is
an expected behavior and this works fine.
But when the user logs in to the user portal, he can still see other
vms (which don't belong to him).

I want to mention one thing here.
We are trying to have two types of users.
1) with admin sort of access who can see and access others' vms
2) regular users who can create and use those vms in their quota.

The people who are similar to admins have certain special privileges.
We want them to be able to look into others' vms
(stop, start or delete it). So we have given them those rights.
The issue I'm talking about now is with people who don't have these
privileges (the regular users who should access their vms alone).
They are able to see others' vms like the ones with elevated
privileges (the admin rights for the few users).

We want the ones with elevated privileges to be able to access others'
vm but the ones with the elevated privileges are also
able to access others' vms, which we don't want to happen.

I would be happy if we have a direct solution, instead of adding
PowerUserRole to the user.

>
> Thanks,
> michal
>
>>>
>>> Is this the way it was designed to work or have I done something wrong here?
>>> Do let me know.
>>>
>>> --
>>> Regards,
>>> Hari Gowtham.
>>> _______________________________________________
>>> Users mailing list
>>> Users at ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users



-- 
Regards,
Hari Gowtham.

