Re: [Engine-devel] Clone VM from snapshot feature

On 02/26/2012 03:20 PM, Yair Zaslavsky wrote: ... >>>> 4. MLA - what permission does one need to have on source VM/snapsot to >>>> clone it? >>>> if a non-owner can clone a VM/snapshot, and become owner of the new >>>> entity, need to make sure no privilege escalation flows exist. >>>> is the intent to share the code of clone VM with AddVm (which is what >>>> clone is), with a task to clone the disks rather than create them >>>> (otherwise you need to duplicate the code for quota and permission >>>> handling?) >>> If I understand you correctly - Cloning images commands >>> (AddVmFromTemplate, cloning vm from snapshot, etc..) will invoke a >>> CopyImage internal command. >> >> iiuc, internal commands don't perform permission checks? > Correct, they do not. then how do you not duplicate checks like user is allowed to the cluster (and later, to custom properties, logical networks, shared disks, etc.)