Re: [Engine-devel] Managing permissions on network

From: "Itamar Heim" <iheim(a)redhat.com&gt; To: "Livnat Peer" <lpeer(a)redhat.com&gt; Cc: engine-devel(a)ovirt.org, "Michal Skrivanek" <mskrivan(a)redhat.com&gt;, "Andrew Cathrow" <acathrow(a)redhat.com&gt;, "Gilad Chaplik" <gchaplik(a)redhat.com&gt;, "Doron Fediuck" <dfediuck(a)redhat.com&gt; Sent: Tuesday, November 13, 2012 8:19:01 PM Subject: Re: [Engine-devel] Managing permissions on network On 11/13/2012 07:18 PM, Livnat Peer wrote: > On 13/11/12 15:39, Itamar Heim wrote: >> On 11/13/2012 03:37 PM, Livnat Peer wrote: >>> On 13/11/12 15:19, Itamar Heim wrote: >>>> On 11/13/2012 12:45 PM, Livnat Peer wrote: >>>>> Interesting point, I think that if a user has permission to >>>>> create a VM >>>>> from a specific template we should give him permission to use >>>>> the >>>>> template networks on this VM implicitly upon the VM creation. >>>> >>>> having a permission to a template does not mean a permission to >>>> the >>>> default network of that VM, especially as we'll use templates >>>> more as >>>> instance types. >>> >>> Another alternative is to require permission on the network as >>> well as >>> the template. >>> I must say I don't really like it, although I agree with your >>> comment, >>> we require too many operations for enabling a user to create a VM >>> from >>> template (permission on the template, quota on the storage, >>> permissions >>> on the network, next we'll require a PHD ;)). >>> >>> Anyone has a better idea? >> >> I assume most networks would be given either to 'everyone' or >> groups of >> users, not per user (and if the network is per user/tenant, then >> it must >> be done per user. > > Which reminds that I wanted to propose adding a property on a > network > which is called public. > It's just a UI feature to give a NetworkUser on this network to > 'everyone'. It makes making a network public easier for the user. > > In addition during upgrade we should make all existing networks > public > networks and not allocate specific permissions for users on > networks. > > In addition it also means a user is given permission on a network > and > then he can use it for any VM he owns. Isn't that problematic? We > can't > limit a user to use a network on a specific VM. I think that's fine. don't let user edit that vm if you don't trust them. > >> i may not remember correctly, but i thought when giving quota to >> user we >> also give some permissions with it (on cluster and storage)? > > I am not sure what is the current implementation as it changed a > lot, > but last I tracked we checked for either quota or permissions we > did not > give implicit permissions when creating a quota. > gilad/doron?