4:52 a.m.
Hi,
Currently I have run into a problem about permissions when creating vm from template.
Say if non admin user A in power user portal want to create vm from template C created by
non admin user B, I found out that A need to have both power user role and
userbasedtemplatevm role to make it work. If i only assign userbasedtemplatevm to C, A can
only view the template in power user portal but not able to create vm from it.
So is this the expected behavior? I don't quite understand what userbasedtemplatevm is
used for. I noticed that making template C public have the effect of assign
userbasedtemplatevm to everyone, but that seems not enough to let everyone use it.
My engine version is 3.3.4.
Any ideas? thanks for any help!
10:18 a.m.
----- Original Message -----
From: "plysan" <plysab(a)gmail.com>
To: users(a)ovirt.org
Sent: Sunday, April 13, 2014 3:52:55 AM
Subject: [ovirt-users] Question about power user and public template
Hi,
Currently I have run into a problem about permissions when creating vm from
template.
Say if non admin user A in power user portal want to create vm from template
C created by non admin user B, I found out that A need to have both power
user role and userbasedtemplatevm role to make it work. If i only assign
userbasedtemplatevm to C, A can only view the template in power user portal
but not able to create vm from it.
I'd say the problem is that the template has some disks and as a
"UserTemplateBasedVm" only you are
not allowed to "Access Image Storage Domains"?
For details about specific roles and what can be done by which role you can have a look
at:
webadmin -> "Configure" in top right corner -> "Roles" side tab
-> pick a specific role -> "Edit" button
So is this the expected behavior? I don't quite understand what
userbasedtemplatevm is used for. I noticed that making template C public
have the effect of assign userbasedtemplatevm to everyone, but that seems
not enough to let everyone use it.
My engine version is 3.3.4.
Any ideas? thanks for any help!
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
9:15 p.m.
2014-04-14 15:18 GMT+08:00 Tomas Jelinek <tjelinek(a)redhat.com>:
----- Original Message -----
> From: "plysan" <plysab(a)gmail.com>
> To: users(a)ovirt.org
> Sent: Sunday, April 13, 2014 3:52:55 AM
> Subject: [ovirt-users] Question about power user and public template
>
> Hi,
>
> Currently I have run into a problem about permissions when creating vm
from
> template.
>
> Say if non admin user A in power user portal want to create vm from
template
> C created by non admin user B, I found out that A need to have both power
> user role and userbasedtemplatevm role to make it work. If i only assign
> userbasedtemplatevm to C, A can only view the template in power user
portal
> but not able to create vm from it.
I'd say the problem is that the template has some disks and as a
"UserTemplateBasedVm" only you are
not allowed to "Access Image Storage Domains"?
Thanks for pointing that out, I really didn't think the disk has
permissions too :)
Because PowerUserRole has more permissions than UserTemplateBasedVm, so I
think assigning PowerUserRole is enough to see the template in power user
portal. Based on this thought, I did the following two experiment:
1. I assigned PowerUserRole to user A in Configure -> System Permissions,
but after that I still cannot see template C in power user portal.
The above role assignment result in user A having PowerUserRole inherited
from System Permission, and based on [1], user A should have PowerUserRole
on template C, right ?
2. Now based on 1 if I explicitly add PowerUserRole to user A on template
C, I can see template C and create vms from it.
For my understanding, the above two role assignment should have the same
result.
Any ideas?
[1]:
http://lists.ovirt.org/pipermail/engine-devel/2012-December/003229.html
For details about specific roles and what can be done by which role
you
can have a look at:
webadmin -> "Configure" in top right corner -> "Roles" side tab
-> pick a
specific role -> "Edit" button
>
> So is this the expected behavior? I don't quite understand what
> userbasedtemplatevm is used for. I noticed that making template C public
> have the effect of assign userbasedtemplatevm to everyone, but that seems
> not enough to let everyone use it.
>
> My engine version is 3.3.4.
>
> Any ideas? thanks for any help!
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
4:02 p.m.
----- Original Message -----
From: "plysan" <plysab(a)gmail.com>
To: "Tomas Jelinek" <tjelinek(a)redhat.com>
Cc: "Users(a)ovirt.org List" <users(a)ovirt.org>
Sent: Wednesday, April 16, 2014 8:15:43 PM
Subject: Re: [ovirt-users] Question about power user and public template
2014-04-14 15:18 GMT+08:00 Tomas Jelinek <tjelinek(a)redhat.com>:
>
>
> ----- Original Message -----
> > From: "plysan" <plysab(a)gmail.com>
> > To: users(a)ovirt.org
> > Sent: Sunday, April 13, 2014 3:52:55 AM
> > Subject: [ovirt-users] Question about power user and public template
> >
> > Hi,
> >
> > Currently I have run into a problem about permissions when creating vm
> from
> > template.
> >
> > Say if non admin user A in power user portal want to create vm from
> template
> > C created by non admin user B, I found out that A need to have both power
> > user role and userbasedtemplatevm role to make it work. If i only assign
> > userbasedtemplatevm to C, A can only view the template in power user
> portal
> > but not able to create vm from it.
>
> I'd say the problem is that the template has some disks and as a
> "UserTemplateBasedVm" only you are
> not allowed to "Access Image Storage Domains"?
>
Thanks for pointing that out, I really didn't think the disk has
permissions too :)
Because PowerUserRole has more permissions than UserTemplateBasedVm, so I
think assigning PowerUserRole is enough to see the template in power user
portal. Based on this thought, I did the following two experiment:
1. I assigned PowerUserRole to user A in Configure -> System Permissions,
but after that I still cannot see template C in power user portal.
The above role assignment result in user A having PowerUserRole inherited
from System Permission, and based on [1], user A should have PowerUserRole
on template C, right ?
yes, you should be able to verify this in the webadmin->template main
tab->permissions subtab
2. Now based on 1 if I explicitly add PowerUserRole to user A on template
C, I can see template C and create vms from it.
but it should already be there. And also, since you have created the template as public
"everyone" should have the
"UserTemplateBasedVm" on it. You could verify this on the same subtab.
For my understanding, the above two role assignment should have the same
result.
Any ideas?
so, if you have a template on which "everyone" has
"UserTemplateBasedVm" and a user with "PowerUserRole" and you can not
see it in the userportal,
it should be a bug. But for me it seems working on current upstream code...
[1]:
http://lists.ovirt.org/pipermail/engine-devel/2012-December/003229.html
> For details about specific roles and what can be done by which role you
> can have a look at:
> webadmin -> "Configure" in top right corner -> "Roles"
side tab -> pick a
> specific role -> "Edit" button
>
> >
> > So is this the expected behavior? I don't quite understand what
> > userbasedtemplatevm is used for. I noticed that making template C public
> > have the effect of assign userbasedtemplatevm to everyone, but that seems
> > not enough to let everyone use it.
> >
> > My engine version is 3.3.4.
> >
> > Any ideas? thanks for any help!
> > _______________________________________________
> > Users mailing list
> > Users(a)ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >
>
6:46 p.m.
Hi Tomas,
Sorry for the late response :P
2014-04-17 21:02 GMT+08:00 Tomas Jelinek <tjelinek(a)redhat.com>:
----- Original Message -----
> From: "plysan" <plysab(a)gmail.com>
> To: "Tomas Jelinek" <tjelinek(a)redhat.com>
> Cc: "Users(a)ovirt.org List" <users(a)ovirt.org>
> Sent: Wednesday, April 16, 2014 8:15:43 PM
> Subject: Re: [ovirt-users] Question about power user and public template
>
> 2014-04-14 15:18 GMT+08:00 Tomas Jelinek <tjelinek(a)redhat.com>:
>
> >
> >
> > ----- Original Message -----
> > > From: "plysan" <plysab(a)gmail.com>
> > > To: users(a)ovirt.org
> > > Sent: Sunday, April 13, 2014 3:52:55 AM
> > > Subject: [ovirt-users] Question about power user and public template
> > >
> > > Hi,
> > >
> > > Currently I have run into a problem about permissions when creating
vm
> > from
> > > template.
> > >
> > > Say if non admin user A in power user portal want to create vm from
> > template
> > > C created by non admin user B, I found out that A need to have both
power
> > > user role and userbasedtemplatevm role to make it work. If i only
assign
> > > userbasedtemplatevm to C, A can only view the template in power user
> > portal
> > > but not able to create vm from it.
> >
> > I'd say the problem is that the template has some disks and as a
> > "UserTemplateBasedVm" only you are
> > not allowed to "Access Image Storage Domains"?
> >
> Thanks for pointing that out, I really didn't think the disk has
> permissions too :)
>
> Because PowerUserRole has more permissions than UserTemplateBasedVm, so I
> think assigning PowerUserRole is enough to see the template in power user
> portal. Based on this thought, I did the following two experiment:
>
> 1. I assigned PowerUserRole to user A in Configure -> System Permissions,
> but after that I still cannot see template C in power user portal.
> The above role assignment result in user A having PowerUserRole inherited
> from System Permission, and based on [1], user A should have
PowerUserRole
> on template C, right ?
yes, you should be able to verify this in the webadmin->template main
tab->permissions subtab
>
> 2. Now based on 1 if I explicitly add PowerUserRole to user A on template
> C, I can see template C and create vms from it.
but it should already be there. And also, since you have created the
template as public "everyone" should have the
"UserTemplateBasedVm" on it. You could verify this on the same subtab.
I think my experiment above is not clear enough, so I made another one, and
found the following behavior:
1. If user has only PowerUser role which is inherited from system on a
template, he cannot see the template on userportal. And base on this if
UserTemplateBasedVm role is added to the user, the user can see it in
userportal now.
2. If user has only PowerUser role assigned independently (not inherited
from system) on a template, he can see the template in userportal.
IIUC, PowerUser role inherited from system should have the same behavior
with PowerUser role assigned independently.
Ideas ?
---
Thanks
plysan
>
> For my understanding, the above two role assignment should have the same
> result.
>
> Any ideas?
so, if you have a template on which "everyone" has
"UserTemplateBasedVm"
and a user with "PowerUserRole" and you can not see it in the userportal,
it should be a bug. But for me it seems working on current upstream code...
>
> [1]:
> http://lists.ovirt.org/pipermail/engine-devel/2012-December/003229.html
>
>
> > For details about specific roles and what can be done by which role you
> > can have a look at:
> > webadmin -> "Configure" in top right corner ->
"Roles" side tab ->
pick a
> > specific role -> "Edit" button
> >
> > >
> > > So is this the expected behavior? I don't quite understand what
> > > userbasedtemplatevm is used for. I noticed that making template C
public
> > > have the effect of assign userbasedtemplatevm to everyone, but that
seems
> > > not enough to let everyone use it.
> > >
> > > My engine version is 3.3.4.
> > >
> > > Any ideas? thanks for any help!
> > > _______________________________________________
> > > Users mailing list
> > > Users(a)ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > >
> >
>
3852
days inactive
3876
days old
4 comments
2 participants
participants (2)
-
plysan -
Tomas Jelinek