On 03/15/2012 05:46 PM, Itamar Heim wrote:
On 03/15/2012 05:34 PM, Omer Frenkel wrote:
>>> > > 1. "Create disk - requires permissions on the Storage
>>> > > Domain, (can't assume Quota is sufficient to permit user creating
>>> > > the disk on the Storage Domain, as Quota might be disabled)"
>>> > >
>>> > > I'd also specify create disk for regular disks is at storage
>>> > > domain level?, while direct lun disks require system level
>>> > > permission of add disk.
>>> > >
>>> > > so, if quota is disabled, how important is it to prevent
>>> > > creation of disks (other than direct lun ones, which would require
>>> > > a permission similar to storage domain creation)?
>>> > >
>>> > > if this is added, it has to be implicitly added / not needed if
>>> > > user has quota (i.e., having a quota should be similar to having a
>>> > > permission as far as the check goes).
>>> > >
>> >
>> > We should look into it, how complicated is it to validate if user has
>> > either quota or permission, and allow creating a disk on a SD if
>> > either exists.
> this might be confusing to the user as he can disable the quota,
> then stuff would stop working.
>
we can't require both quota and permissions from user on storage domains
- that's cumbersome.
question is if we can limit the need for permissions to disks only to
places where they are needed (shared, direct, floating)?

Wiki is updated with a proposal for this issue. In a nutshell, adding
'automatic' permissions on the Storage Domain (or to Storage Pool for
Global quota) to relevant users when performing Quota specific actions
so they can be used regardless of quota concerns (e.g. when Quota is
disabled for DC):
http://www.ovirt.org/wiki/Features/DiskPermissions#Design