----- Original Message -----
From: "Omer Frenkel" <ofrenkel(a)redhat.com>
To: "Oved Ourfalli" <ovedo(a)redhat.com>
Cc: engine-devel(a)ovirt.org
Sent: Sunday, March 18, 2012 11:27:33 AM
Subject: Re: [Engine-devel] Disk Permissions Feature
----- Original Message -----
> From: "Oved Ourfalli" <ovedo(a)redhat.com>
> To: "Itamar Heim" <iheim(a)redhat.com>
> Cc: engine-devel(a)ovirt.org, "Omer Frenkel" <ofrenkel(a)redhat.com>
> Sent: Sunday, March 18, 2012 11:09:54 AM
> Subject: Re: [Engine-devel] Disk Permissions Feature
>
>
>
> ----- Original Message -----
> > From: "Itamar Heim" <iheim(a)redhat.com>
> > To: "Omer Frenkel" <ofrenkel(a)redhat.com>
> > Cc: engine-devel(a)ovirt.org
> > Sent: Thursday, March 15, 2012 5:46:07 PM
> > Subject: Re: [Engine-devel] Disk Permissions Feature
> >
> > On 03/15/2012 05:34 PM, Omer Frenkel wrote:
> > >>> > > 1. "Create disk - requires permissions on the Storage Domain,
> > >>> > > (can't assume Quota is sufficient to permit user creating the
> > >>> > > disk on the Storage Domain, as Quota might be disabled)"
> > >>> > >
> > >>> > > I'd also specify create disk for regular disks is at storage
> > >>> > > domain level?, while direct lun disks require system level
> > >>> > > permission of add disk.
> > >>> > >
> > >>> > > so, if quota is disabled, how important is it to prevent
> > >>> > > creation of disks (other than direct lun ones, which would
> > >>> > > require a permission similar to storage domain creation)?
> > >>> > >
> > >>> > > if this is added, it has to be implicitly added / not needed
> > >>> > > if user has quota (i.e., having a quota should be similar to
> > >>> > > having a permission as far as the check goes).
> > >>> > >
> > >> >
> > >> > We should look into it, how complicated is it to validate if
> > >> > user has either quota or permission, and allow creating a disk
> > >> > on a SD if either exists.
> > > this might be confusing to the user as he can disable the quota,
> > > then stuff would stop working.
> > >
> >
> > we can't require both quota and permissions from user on storage
> > domains - that's cumbersome.
> > question is if we can limit the need for permissions to disks only
> > to places where they are needed (shared, direct, floating)?
> +1 on that.
> I also think it is only relevant on attaching a disk to a VM, as the
> other use-cases are simpler:
> 1. Attach disk to VM - would require having permissions on the disk
> (whether it is shared, direct lun or floating)
> 2. Add disk to VM - would only require quota (if enforced).
> 3. Create disk (i.e., floating/shared disk) - would only require
> quota (if enforced).
and if not enforced? anyone can create as many disks as he likes?
we thought of requiring permissions if quota is disabled,
but I think it's confusing to the user as he plays with

You are right. Need to think this through...
Also, we need to get a better understanding of the use-cases for floating/shared disk...
who is supposed to create them, and who to attach...
>
> > _______________________________________________
> > Engine-devel mailing list
> > Engine-devel(a)ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/engine-devel
> >
>
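
Added example, not part of the original thread and not oVirt engine code: a small Python model of the two rules discussed above (quota only when enforced, versus falling back to a storage-domain permission when quota is disabled), enumerating every combination of grants to show who can create a disk with no grants at all and whose result changes when quota enforcement is toggled. All names (`User`, `quota_only`, `permission_fallback`, and the helpers) are hypothetical.

```python
from dataclasses import dataclass
from itertools import product

# Hypothetical action names for the three use-cases listed in the thread.
ATTACH, ADD_TO_VM, CREATE = "attach_disk", "add_disk_to_vm", "create_disk"

@dataclass(frozen=True)
class User:
    has_disk_permission: bool   # permission on the specific disk
    has_quota: bool             # quota on the storage domain
    has_sd_permission: bool     # permission on the storage domain

def quota_only(action, user, quota_enforced):
    """Attach needs a disk permission; add/create need quota only if enforced."""
    if action == ATTACH:
        return user.has_disk_permission
    return user.has_quota if quota_enforced else True

def permission_fallback(action, user, quota_enforced):
    """Same, but add/create fall back to a storage-domain permission
    when quota is disabled."""
    if action == ATTACH:
        return user.has_disk_permission
    return user.has_quota if quota_enforced else user.has_sd_permission

def all_users():
    # Constructed input: every combination of the three grants (8 users).
    return [User(*bits) for bits in product([False, True], repeat=3)]

def unrestricted_creators(policy, quota_enforced):
    """Users allowed to create a disk while holding no quota and no permission."""
    return [u for u in all_users()
            if not (u.has_quota or u.has_sd_permission or u.has_disk_permission)
            and policy(CREATE, u, quota_enforced)]

def flips_on_toggle(policy, action=CREATE):
    """Users whose decision changes when quota enforcement is switched."""
    return [u for u in all_users()
            if policy(action, u, True) != policy(action, u, False)]

if __name__ == "__main__":
    for policy in (quota_only, permission_fallback):
        print(policy.__name__,
              "| no-grant creators with quota off:",
              len(unrestricted_creators(policy, False)),
              "| users whose create decision flips:",
              len(flips_on_toggle(policy)))
```

In this model the fallback removes the no-grant creator, but under both rules the create decision still changes for some users when enforcement is switched.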