12:27 a.m.
version 3.5.2-1.el6
using ldap authz; this piece is working OK, and verified OK.
I use the "Everyone" user to provide default permissions; that includes
PowerUserRole for the data center, a bunch of usertemplatebasedVMs, some
VnicProfileUser, DiskProfileUser, etc.
I add a new user in LDAP; and verify LDAP credentials work (ie, log in to
another system that uses the same ldap server)
LDAP confirmed working for *other* ovirt users-- not an LDAP issue as far
as I can tell.
I do *not* specifically add each LDAP user to oVirt, they're added to
"groups" in LDAP, so if they have the right group, they should be able to
authenticate to oVirt and use the system without me adding each user
individually.
In any case the narrowed down problem is this:
If the user doesn't have permissions (UserRole, etc) for *any* VMs, instead
of logging in and getting a blank VM list, they get "User is not authorized
to perform this action."
If I add that specific user to a test placeholder VM, they can log in. Once
they have a VM created, I can erase their user-specific permissions to that
initial test VM and everything works as expected. They are able to log in,
create VMs, etc.
If I remove all permissions for VMs from a user, they get this error.
Expected behavior:
User without any permissions to any VMs should simply get a blank VM list
on login. That way they can create a VM and go from there.
Thanks for any help/suggestions,
David
1:09 a.m.
You are looking for this to look like its multi tenant?
I setup CloudSpin to do exactly that. Each user can only see their own VMS.
Do I have your question correct?
Donny D
On Jun 30, 2015 5:27 PM, "David Smith" <dsmith(a)mypchelp.com> wrote:
version 3.5.2-1.el6
using ldap authz; this piece is working OK, and verified OK.
I use the "Everyone" user to provide default permissions; that includes
PowerUserRole for the data center, a bunch of usertemplatebasedVMs, some
VnicProfileUser, DiskProfileUser, etc.
I add a new user in LDAP; and verify LDAP credentials work (ie, log in to
another system that uses the same ldap server)
LDAP confirmed working for *other* ovirt users-- not an LDAP issue as far
as I can tell.
I do *not* specifically add each LDAP user to oVirt, they're added to
"groups" in LDAP, so if they have the right group, they should be able to
authenticate to oVirt and use the system without me adding each user
individually.
In any case the narrowed down problem is this:
If the user doesn't have permissions (UserRole, etc) for *any* VMs,
instead of logging in and getting a blank VM list, they get "User is not
authorized to perform this action."
If I add that specific user to a test placeholder VM, they can log in.
Once they have a VM created, I can erase their user-specific permissions to
that initial test VM and everything works as expected. They are able to log
in, create VMs, etc.
If I remove all permissions for VMs from a user, they get this error.
Expected behavior:
User without any permissions to any VMs should simply get a blank VM list
on login. That way they can create a VM and go from there.
Thanks for any help/suggestions,
David
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
1:13 a.m.
Correct, each user has their own VMs. Only a few share VMs (those
permissions are assigned manually)
The issue is that when they have 0 VMs assigned to them, the system throws
the login error that they're not authorized, at least until I add a
placeholder VM so they can log in and set themselves up.
On Tue, Jun 30, 2015 at 3:09 PM, Donny Davis <donny(a)cloudspin.me> wrote:
You are looking for this to look like its multi tenant?
I setup CloudSpin to do exactly that. Each user can only see their own
VMS.
Do I have your question correct?
Donny D
On Jun 30, 2015 5:27 PM, "David Smith" <dsmith(a)mypchelp.com> wrote:
> version 3.5.2-1.el6
> using ldap authz; this piece is working OK, and verified OK.
>
> I use the "Everyone" user to provide default permissions; that includes
> PowerUserRole for the data center, a bunch of usertemplatebasedVMs, some
> VnicProfileUser, DiskProfileUser, etc.
>
> I add a new user in LDAP; and verify LDAP credentials work (ie, log in to
> another system that uses the same ldap server)
> LDAP confirmed working for *other* ovirt users-- not an LDAP issue as far
> as I can tell.
>
> I do *not* specifically add each LDAP user to oVirt, they're added to
> "groups" in LDAP, so if they have the right group, they should be able to
> authenticate to oVirt and use the system without me adding each user
> individually.
>
> In any case the narrowed down problem is this:
> If the user doesn't have permissions (UserRole, etc) for *any* VMs,
> instead of logging in and getting a blank VM list, they get "User is not
> authorized to perform this action."
>
> If I add that specific user to a test placeholder VM, they can log in.
> Once they have a VM created, I can erase their user-specific permissions to
> that initial test VM and everything works as expected. They are able to log
> in, create VMs, etc.
>
> If I remove all permissions for VMs from a user, they get this error.
>
> Expected behavior:
> User without any permissions to any VMs should simply get a blank VM list
> on login. That way they can create a VM and go from there.
>
> Thanks for any help/suggestions,
> David
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
1:16 a.m.
Add login permissions only at the data center for the group. This allows
them to login, but not view anything. You have to create custom permission
to do what you are looking for.
On Jun 30, 2015 6:13 PM, "David Smith" <dsmith(a)mypchelp.com> wrote:
Correct, each user has their own VMs. Only a few share VMs (those
permissions are assigned manually)
The issue is that when they have 0 VMs assigned to them, the system throws
the login error that they're not authorized, at least until I add a
placeholder VM so they can log in and set themselves up.
On Tue, Jun 30, 2015 at 3:09 PM, Donny Davis <donny(a)cloudspin.me> wrote:
> You are looking for this to look like its multi tenant?
>
> I setup CloudSpin to do exactly that. Each user can only see their own
> VMS.
> Do I have your question correct?
>
> Donny D
> On Jun 30, 2015 5:27 PM, "David Smith" <dsmith(a)mypchelp.com> wrote:
>
>> version 3.5.2-1.el6
>> using ldap authz; this piece is working OK, and verified OK.
>>
>> I use the "Everyone" user to provide default permissions; that
includes
>> PowerUserRole for the data center, a bunch of usertemplatebasedVMs, some
>> VnicProfileUser, DiskProfileUser, etc.
>>
>> I add a new user in LDAP; and verify LDAP credentials work (ie, log in
>> to another system that uses the same ldap server)
>> LDAP confirmed working for *other* ovirt users-- not an LDAP issue as
>> far as I can tell.
>>
>> I do *not* specifically add each LDAP user to oVirt, they're added to
>> "groups" in LDAP, so if they have the right group, they should be able
to
>> authenticate to oVirt and use the system without me adding each user
>> individually.
>>
>> In any case the narrowed down problem is this:
>> If the user doesn't have permissions (UserRole, etc) for *any* VMs,
>> instead of logging in and getting a blank VM list, they get "User is not
>> authorized to perform this action."
>>
>> If I add that specific user to a test placeholder VM, they can log in.
>> Once they have a VM created, I can erase their user-specific permissions to
>> that initial test VM and everything works as expected. They are able to log
>> in, create VMs, etc.
>>
>> If I remove all permissions for VMs from a user, they get this error.
>>
>> Expected behavior:
>> User without any permissions to any VMs should simply get a blank VM
>> list on login. That way they can create a VM and go from there.
>>
>> Thanks for any help/suggestions,
>> David
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>>
1:19 a.m.
http://lists.ovirt.org/pipermail/users/2015-January/030981.html
On Jun 30, 2015 6:16 PM, "Donny Davis" <donny(a)cloudspin.me> wrote:
Add login permissions only at the data center for the group. This
allows
them to login, but not view anything. You have to create custom permission
to do what you are looking for.
On Jun 30, 2015 6:13 PM, "David Smith" <dsmith(a)mypchelp.com> wrote:
> Correct, each user has their own VMs. Only a few share VMs (those
> permissions are assigned manually)
>
> The issue is that when they have 0 VMs assigned to them, the system
> throws the login error that they're not authorized, at least until I add a
> placeholder VM so they can log in and set themselves up.
>
>
> On Tue, Jun 30, 2015 at 3:09 PM, Donny Davis <donny(a)cloudspin.me> wrote:
>
>> You are looking for this to look like its multi tenant?
>>
>> I setup CloudSpin to do exactly that. Each user can only see their own
>> VMS.
>> Do I have your question correct?
>>
>> Donny D
>> On Jun 30, 2015 5:27 PM, "David Smith" <dsmith(a)mypchelp.com>
wrote:
>>
>>> version 3.5.2-1.el6
>>> using ldap authz; this piece is working OK, and verified OK.
>>>
>>> I use the "Everyone" user to provide default permissions; that
includes
>>> PowerUserRole for the data center, a bunch of usertemplatebasedVMs, some
>>> VnicProfileUser, DiskProfileUser, etc.
>>>
>>> I add a new user in LDAP; and verify LDAP credentials work (ie, log in
>>> to another system that uses the same ldap server)
>>> LDAP confirmed working for *other* ovirt users-- not an LDAP issue as
>>> far as I can tell.
>>>
>>> I do *not* specifically add each LDAP user to oVirt, they're added to
>>> "groups" in LDAP, so if they have the right group, they should be
able to
>>> authenticate to oVirt and use the system without me adding each user
>>> individually.
>>>
>>> In any case the narrowed down problem is this:
>>> If the user doesn't have permissions (UserRole, etc) for *any* VMs,
>>> instead of logging in and getting a blank VM list, they get "User is
not
>>> authorized to perform this action."
>>>
>>> If I add that specific user to a test placeholder VM, they can log in.
>>> Once they have a VM created, I can erase their user-specific permissions to
>>> that initial test VM and everything works as expected. They are able to log
>>> in, create VMs, etc.
>>>
>>> If I remove all permissions for VMs from a user, they get this error.
>>>
>>> Expected behavior:
>>> User without any permissions to any VMs should simply get a blank VM
>>> list on login. That way they can create a VM and go from there.
>>>
>>> Thanks for any help/suggestions,
>>> David
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>>>
>
1:28 a.m.
In that link, the referenced permissions don't exist under "configure" when
logged in to the admin portal; I must be missing some finer detail.
Also the system permissions section in "Configure" doesn't allow you to add
the user "everyone"-- and since we're not using LDAP groups, that
complicates things.
Before I switched to our corporate LDAP, I used a group in a private LDAP
server and everything worked great, permissions were fine as I describe--
but since we switched to Corp LDAP, they don't use the concept of groups, I
tried changing to use the "everyone" user to assign permissions, which
works great except this one scenario where they have 0 VMs in their name.
On Tue, Jun 30, 2015 at 3:19 PM, Donny Davis <donny(a)cloudspin.me> wrote:
http://lists.ovirt.org/pipermail/users/2015-January/030981.html
On Jun 30, 2015 6:16 PM, "Donny Davis" <donny(a)cloudspin.me> wrote:
> Add login permissions only at the data center for the group. This allows
> them to login, but not view anything. You have to create custom permission
> to do what you are looking for.
> On Jun 30, 2015 6:13 PM, "David Smith" <dsmith(a)mypchelp.com> wrote:
>
>> Correct, each user has their own VMs. Only a few share VMs (those
>> permissions are assigned manually)
>>
>> The issue is that when they have 0 VMs assigned to them, the system
>> throws the login error that they're not authorized, at least until I add a
>> placeholder VM so they can log in and set themselves up.
>>
>>
>> On Tue, Jun 30, 2015 at 3:09 PM, Donny Davis <donny(a)cloudspin.me> wrote:
>>
>>> You are looking for this to look like its multi tenant?
>>>
>>> I setup CloudSpin to do exactly that. Each user can only see their own
>>> VMS.
>>> Do I have your question correct?
>>>
>>> Donny D
>>> On Jun 30, 2015 5:27 PM, "David Smith" <dsmith(a)mypchelp.com>
wrote:
>>>
>>>> version 3.5.2-1.el6
>>>> using ldap authz; this piece is working OK, and verified OK.
>>>>
>>>> I use the "Everyone" user to provide default permissions; that
>>>> includes PowerUserRole for the data center, a bunch of
>>>> usertemplatebasedVMs, some VnicProfileUser, DiskProfileUser, etc.
>>>>
>>>> I add a new user in LDAP; and verify LDAP credentials work (ie, log in
>>>> to another system that uses the same ldap server)
>>>> LDAP confirmed working for *other* ovirt users-- not an LDAP issue as
>>>> far as I can tell.
>>>>
>>>> I do *not* specifically add each LDAP user to oVirt, they're added
to
>>>> "groups" in LDAP, so if they have the right group, they should
be able to
>>>> authenticate to oVirt and use the system without me adding each user
>>>> individually.
>>>>
>>>> In any case the narrowed down problem is this:
>>>> If the user doesn't have permissions (UserRole, etc) for *any* VMs,
>>>> instead of logging in and getting a blank VM list, they get "User is
not
>>>> authorized to perform this action."
>>>>
>>>> If I add that specific user to a test placeholder VM, they can log in.
>>>> Once they have a VM created, I can erase their user-specific permissions
to
>>>> that initial test VM and everything works as expected. They are able to
log
>>>> in, create VMs, etc.
>>>>
>>>> If I remove all permissions for VMs from a user, they get this error.
>>>>
>>>> Expected behavior:
>>>> User without any permissions to any VMs should simply get a blank VM
>>>> list on login. That way they can create a VM and go from there.
>>>>
>>>> Thanks for any help/suggestions,
>>>> David
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users(a)ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>
>>>>
>>
3433
days inactive
3433
days old
5 comments
2 participants
participants (2)
-
David Smith -
Donny Davis