Re: [Users] template provisioning permissions
Verified this is present in latest engine built from master with latest
VDSM built from master.
On the surface this literally seems as simple as a lack of Read-Only access
to the template image when requesting to clone it from the template on the
storage domain wherein the user cloning from the template has no
permissions.
- DHC
On Wed, Mar 13, 2013 at 4:34 PM, Dead Horse
<deadhorseconsulting(a)gmail.com>wrote:
Got an interesting one here as pertaining to template permissions
and
provisioning.
Given the following setup/situation:
A cluster with a user A assigned poweruser role permissions on the cluster.
- User A is assigned poweruser role permissions to storage domain A
- User A is a consumer of quota A which is assigned to specific storage
domain A
A cluster with a user B assigned poweruser role permissions on the cluster.
- User B is assigned poweruser role permissions to storage domain B
- User B is a consumer of quota B which is assigned to specific storage
domain B
User A creates a VM and makes it a template of it with permissions of
everyone as UserTemplateBasedVM.
User B tries to create a VM based on the template that User A created.
While the base VM profile can be created the storage provisioning
encounters an issue.
Via Template provisioning option with the thin provision option will fail
due to the fact that User B does not have proper permissions to User A's
storage domain. The symptom of this expected failure is the target storage
domain pull-down is empty. (It really should show something or be greyed
out rather than just be blank at least some sort of user notification).
The real issue here is with the clone provisioning option. The idea here
is to be to clone a copy of the template disks into User B's storage domain
as a target where User B has poweruser role permissions. The problem here
is that this fails just like the above thin provision which should not be
the case. The target pulldown still blank it should by default show the
target storage domain to which User B has permissions to that being Storage
domain B.
Further debugging yields that by assigning UserTemplateVM permissions to
User A's storage domain allows User B to use either of the options above
although the only one really desired is the clone option since we don't
want User B creating VM's in User A's storage domain. There still however
was an issue upon selecting clone and selecting Storage domain B as the
target the VM is created but the disk is created in Storage domain A
instead of storage domain B.
Running build of the engine is built from commit:
7354d3283627bdbe30dd9c15ce45eba375280a8c
- DHC
Attachments:
- attachment.html (text/html — 3.2 KB)