Will any of these groups and/or permissions be drawn from LDAP?
Frankly, system admins are not looking for yet another console to
manage permissions.
--Charlie
On Tue, Nov 13, 2012 at 1:19 PM, Itamar Heim <iheim(a)redhat.com> wrote:
On 11/13/2012 07:18 PM, Livnat Peer wrote:
>
> On 13/11/12 15:39, Itamar Heim wrote:
>>
>> On 11/13/2012 03:37 PM, Livnat Peer wrote:
>>>
>>> On 13/11/12 15:19, Itamar Heim wrote:
>>>>
>>>> On 11/13/2012 12:45 PM, Livnat Peer wrote:
>>>>>
>>>>> Interesting point, I think that if a user has permission to create a
>>>>> VM
>>>>> from a specific template we should give him permission to use the
>>>>> template networks on this VM implicitly upon the VM creation.
>>>>
>>>>
>>>> having a permission to a template does not mean a permission to the
>>>> default network of that VM, especially as we'll use templates more
as
>>>> instance types.
>>>
>>>
>>> Another alternative is to require permission on the network as well as
>>> the template.
>>> I must say I don't really like it, although I agree with your comment,
>>> we require too many operations for enabling a user to create a VM from
>>> template (permission on the template, quota on the storage, permissions
>>> on the network, next we'll require a PHD ;)).
>>>
>>> Anyone has a better idea?
>>
>>
>> I assume most networks would be given either to 'everyone' or groups of
>> users, not per user (and if the network is per user/tenant, then it must
>> be done per user.
>
>
> Which reminds that I wanted to propose adding a property on a network
> which is called public.
> It's just a UI feature to give a NetworkUser on this network to
> 'everyone'. It makes making a network public easier for the user.
>
> In addition during upgrade we should make all existing networks public
> networks and not allocate specific permissions for users on networks.
>
> In addition it also means a user is given permission on a network and
> then he can use it for any VM he owns. Isn't that problematic? We can't
> limit a user to use a network on a specific VM.
I think that's fine.
don't let user edit that vm if you don't trust them.
>
>> i may not remember correctly, but i thought when giving quota to user we
>> also give some permissions with it (on cluster and storage)?
>
>
> I am not sure what is the current implementation as it changed a lot,
> but last I tracked we checked for either quota or permissions we did not
> give implicit permissions when creating a quota.
>
gilad/doron?
_______________________________________________
Engine-devel mailing list
Engine-devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-devel