Can you assign a specific user the power user role that has no VMs assigned
to them? Can that user log in?
On Jun 30, 2015 6:32 PM, "David Smith" <dsmith(a)mypchelp.com> wrote:
The users are attempting to log in via the user portal when they get
the error.
On Tue, Jun 30, 2015 at 3:28 PM, Donny Davis <donny(a)cloudspin.me> wrote:
> The power user role covers login, so that is not your problem. Is this
> on the user portal or webadmin?
> On Jun 30, 2015 6:20 PM, "David Smith" <dsmith(a)mypchelp.com> wrote:
>
>> I used the "everyone" user at the data center level and added the
>> permissions/role of "PowerUserRole"
>>
>> What other permission/role are you saying I should assign?
>>
>> Unfortunately we aren't using an "ldap group" so there's nothing to
>> assign to an ldap group-- the users are filtered in such a manner that if
>> they auth and get through the filter they should have access.
>>
>> On Tue, Jun 30, 2015 at 3:16 PM, Donny Davis <donny(a)cloudspin.me> wrote:
>>
>>> Add login permissions only at the data center for the group. This
>>> allows them to log in, but not view anything. You have to create custom
>>> permission to do what you are looking for.
>>> On Jun 30, 2015 6:13 PM, "David Smith" <dsmith(a)mypchelp.com> wrote:
>>>
>>>> Correct, each user has their own VMs. Only a few share VMs (those
>>>> permissions are assigned manually)
>>>>
>>>> The issue is that when they have 0 VMs assigned to them, the system
>>>> throws the login error that they're not authorized, at least until I
>>>> add a placeholder VM so they can log in and set themselves up.
>>>>
>>>>
>>>> On Tue, Jun 30, 2015 at 3:09 PM, Donny Davis <donny(a)cloudspin.me>
>>>> wrote:
>>>>
>>>>> You are looking for this to look like it's multi-tenant?
>>>>>
>>>>> I set up CloudSpin to do exactly that. Each user can only see their
>>>>> own VMs.
>>>>> Do I have your question correct?
>>>>>
>>>>> Donny D
>>>>> On Jun 30, 2015 5:27 PM, "David Smith" <dsmith(a)mypchelp.com> wrote:
>>>>>
>>>>>> version 3.5.2-1.el6
>>>>>> using ldap authz; this piece is working OK, and verified OK.
>>>>>>
>>>>>> I use the "Everyone" user to provide default permissions; that
>>>>>> includes PowerUserRole for the data center, a bunch of
>>>>>> usertemplatebasedVMs, some VnicProfileUser, DiskProfileUser, etc.
>>>>>>
>>>>>> I add a new user in LDAP; and verify LDAP credentials work (ie, log
>>>>>> in to another system that uses the same ldap server)
>>>>>> LDAP confirmed working for *other* ovirt users-- not an LDAP issue
>>>>>> as far as I can tell.
>>>>>>
>>>>>> I do *not* specifically add each LDAP user to oVirt, they're added
>>>>>> to "groups" in LDAP, so if they have the right group, they should be
>>>>>> able to authenticate to oVirt and use the system without me adding
>>>>>> each user individually.
>>>>>>
>>>>>> In any case the narrowed down problem is this:
>>>>>> If the user doesn't have permissions (UserRole, etc) for *any* VMs,
>>>>>> instead of logging in and getting a blank VM list, they get "User is
>>>>>> not authorized to perform this action."
>>>>>>
>>>>>> If I add that specific user to a test placeholder VM, they can log
>>>>>> in. Once they have a VM created, I can erase their user-specific
>>>>>> permissions to that initial test VM and everything works as expected.
>>>>>> They are able to log in, create VMs, etc.
>>>>>>
>>>>>> If I remove all permissions for VMs from a user, they get this error.
>>>>>>
>>>>>> Expected behavior:
>>>>>> User without any permissions to any VMs should simply get a blank VM
>>>>>> list on login. That way they can create a VM and go from there.
>>>>>>
>>>>>> Thanks for any help/suggestions,
>>>>>> David