On 02/26/2012 03:24 PM, Yair Zaslavsky wrote:
On 02/26/2012 03:19 PM, Itamar Heim wrote:
> On 02/26/2012 03:20 PM, Yair Zaslavsky wrote:
> ...
>>>>> 4. MLA - what permission does one need to have on source VM/snapshot to
>>>>> clone it?
>>>>> if a non-owner can clone a VM/snapshot, and become owner of the new
>>>>> entity, need to make sure no privilege escalation flows exist.
>>>>> is the intent to share the code of clone VM with AddVm (which is what
>>>>> clone is), with a task to clone the disks rather than create them
>>>>> (otherwise you need to duplicate the code for quota and permission
>>>>> handling?)
>>>> If I understand you correctly - Cloning images commands
>>>> (AddVmFromTemplate, cloning vm from snapshot, etc..) will invoke a
>>>> CopyImage internal command.
>>>
>>> iiuc, internal commands don't perform permission checks?
>> Correct, they do not.
>
> then how do you not duplicate checks like user is allowed to the cluster
> (and later, to custom properties, logical networks, shared disks, etc.)
Not sure if I understand - are you asking why I'm not duplicating
this from the original VM?

I'm asking if a non-owner of the original VM can copy these, and also if
you are cloning the permissions of the original VM