2:09 a.m.
On 11/29/2012 11:11 PM, Eli Mesika wrote:
Hi
please note that this section
http://wiki.ovirt.org/wiki/Features/Design/DetailedExternalEvents#Permiss...
was changed and approved by PM (Miki)
_______________________________________________
Engine-devel mailing list
Engine-devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-devel
Invoke ..api/events/add API giving at least AuditLogType, Severity,
Origin & CustomEventId
why do you need the AuditLogType - you already know it is
ExternalEvent/Alert? you only need to know the severity iiuc.
When the Event/Alert is on a specific object, the object instance id
should be set.
what if it is on multiple objects, like events are today?
...
Permissions on Entity Instances
There will be no permission check on entity instances on which External Events are
injected
this means this permission is always at system level, breaking the
current permission scheme where permission can be given on a portion of
the system.
The reason is that in order to invoke an External Events on an entity
instance, the invoker should know the entity instance UUID and therefore we had already
checked that the invoker has the right permissions on the entity instance when he gets the
information.
UUID are not cryptographically secure. knowing a UUID is not a way to
decide to give a permission.
(also, this is an admin action, and admins always see all objects in the
system today)
Also, double checking that in the AddExternalEvent command is not
simple, since each Entity may have several ActionGroups (Create, Edit etc.) associated
with it, so it is not clear which to check
it is very clear - you check for each entity the user has the new
ActionGroup that allows to inject events (same one you added to the
superuser and to the newly created special role).
So, in order to keep things simple, we will assume that if the caller
to Add External Event has the Entity UUID in hand, all we have to check is that he has
permission to inject External Events
as i stated above, this means you are creating an ActionGroup which is
global, regardless of the entity the role with it is given on.
...
User Experience
Global External Events will be displayed on the Global Events TAB
Entity instance External Events will be displayed on the Events TAB when selecting the
Entity instance
1. not clear here they will also be displayed in the global tab?
2. not clear here that multiple entities can be specified for an event.
...
Installation/Upgrade
Add additional fields to audit_log table upon upgrade
Add the permission(ActionGroup) to manipulate External Events to other admin roles
already defined upon upgrade.
but in permission it is stated only superuser and a new role will be
given this actiongroup, and here more admin roles are mentioned (if so,
which is the correct one).
Thanks,
Itamar