From alexis.hauser at imt-atlantique.fr Sun Mar  5 11:59:27 2017
Content-Type: multipart/mixed; boundary="===============1493143466809138545=="
MIME-Version: 1.0
From: Alexis HAUSER <alexis.hauser at imt-atlantique.fr>
To: users at ovirt.org
Subject: [ovirt-users] VM Permissions (3.6)
Date: Sun, 05 Mar 2017 12:51:19 +0100
Message-ID: <2060067566.2283924.1488714679597.JavaMail.zimbra@telecom-bretagne.eu>
In-Reply-To: 603244227.2282761.1488714387950.JavaMail.zimbra@telecom-bretagne.eu

--===============1493143466809138545==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

------=3D_Part_2283923_195487747.1488714679596
Content-Type: text/plain; charset=3Dutf-8
Content-Transfer-Encoding: 7bit

hi, I'm trying to figure out how to manage VM permissions with ovirt. =

>From what I've understood, if you add a user to user role in the system pr=
eferences, this user can access every VM and resources on the cluster, with=
 the associated permissions; right ? =

Now, if I want to control who has access to each VM : I musn't add this use=
r to user role from the system tab; but instead add it on each resources (l=
ike on each VM) it should access ? =


Is there another way to manage permissions ? How you guys do personally man=
age this ? Do you automate it with scripts ? =


Thanks for you ideas and suggestions =


(using 3.6) =


------=3D_Part_2283923_195487747.1488714679596
Content-Type: text/html; charset=3Dutf-8
Content-Transfer-Encoding: 7bit

<html><body><div style=3D"font-family: times new roman, new york, times, se=
rif; font-size: 12pt; color: #000000"><div>hi, I'm trying to figure out how=
 to manage VM permissions with ovirt.<br></div><div>From what I've understo=
od, if you add a user to user role in the system preferences, this user can=
 access every VM and resources on the cluster, with the associated permissi=
ons; right ?<br></div><div>Now, if I want to control who has access to each=
 VM : I musn't add this user to user role from the system tab; but instead =
add it on each resources (like on each VM) it should access ?<br></div><div=
><br></div><div>Is there another way to manage permissions ? How you guys d=
o personally manage this ? Do you automate it with scripts ?<br></div><div>=
<br></div><div>Thanks for you ideas and suggestions<br></div><div><br></div=
><div>(using 3.6)<br></div></div></body></html>
------=3D_Part_2283923_195487747.1488714679596--

--===============1493143466809138545==
Content-Type: multipart/alternative
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.bin"

LS0tLS0tPV9QYXJ0XzIyODM5MjNfMTk1NDg3NzQ3LjE0ODg3MTQ2Nzk1OTYKQ29udGVudC1UeXBl
OiB0ZXh0L3BsYWluOyBjaGFyc2V0PXV0Zi04CkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IDdi
aXQKCmhpLCBJJ20gdHJ5aW5nIHRvIGZpZ3VyZSBvdXQgaG93IHRvIG1hbmFnZSBWTSBwZXJtaXNz
aW9ucyB3aXRoIG92aXJ0LiAKPkZyb20gd2hhdCBJJ3ZlIHVuZGVyc3Rvb2QsIGlmIHlvdSBhZGQg
YSB1c2VyIHRvIHVzZXIgcm9sZSBpbiB0aGUgc3lzdGVtIHByZWZlcmVuY2VzLCB0aGlzIHVzZXIg
Y2FuIGFjY2VzcyBldmVyeSBWTSBhbmQgcmVzb3VyY2VzIG9uIHRoZSBjbHVzdGVyLCB3aXRoIHRo
ZSBhc3NvY2lhdGVkIHBlcm1pc3Npb25zOyByaWdodCA/IApOb3csIGlmIEkgd2FudCB0byBjb250
cm9sIHdobyBoYXMgYWNjZXNzIHRvIGVhY2ggVk0gOiBJIG11c24ndCBhZGQgdGhpcyB1c2VyIHRv
IHVzZXIgcm9sZSBmcm9tIHRoZSBzeXN0ZW0gdGFiOyBidXQgaW5zdGVhZCBhZGQgaXQgb24gZWFj
aCByZXNvdXJjZXMgKGxpa2Ugb24gZWFjaCBWTSkgaXQgc2hvdWxkIGFjY2VzcyA/IAoKSXMgdGhl
cmUgYW5vdGhlciB3YXkgdG8gbWFuYWdlIHBlcm1pc3Npb25zID8gSG93IHlvdSBndXlzIGRvIHBl
cnNvbmFsbHkgbWFuYWdlIHRoaXMgPyBEbyB5b3UgYXV0b21hdGUgaXQgd2l0aCBzY3JpcHRzID8g
CgpUaGFua3MgZm9yIHlvdSBpZGVhcyBhbmQgc3VnZ2VzdGlvbnMgCgoodXNpbmcgMy42KSAKCi0t
LS0tLT1fUGFydF8yMjgzOTIzXzE5NTQ4Nzc0Ny4xNDg4NzE0Njc5NTk2CkNvbnRlbnQtVHlwZTog
dGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04CkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IDdiaXQK
CjxodG1sPjxib2R5PjxkaXYgc3R5bGU9ImZvbnQtZmFtaWx5OiB0aW1lcyBuZXcgcm9tYW4sIG5l
dyB5b3JrLCB0aW1lcywgc2VyaWY7IGZvbnQtc2l6ZTogMTJwdDsgY29sb3I6ICMwMDAwMDAiPjxk
aXY+aGksIEknbSB0cnlpbmcgdG8gZmlndXJlIG91dCBob3cgdG8gbWFuYWdlIFZNIHBlcm1pc3Np
b25zIHdpdGggb3ZpcnQuPGJyPjwvZGl2PjxkaXY+RnJvbSB3aGF0IEkndmUgdW5kZXJzdG9vZCwg
aWYgeW91IGFkZCBhIHVzZXIgdG8gdXNlciByb2xlIGluIHRoZSBzeXN0ZW0gcHJlZmVyZW5jZXMs
IHRoaXMgdXNlciBjYW4gYWNjZXNzIGV2ZXJ5IFZNIGFuZCByZXNvdXJjZXMgb24gdGhlIGNsdXN0
ZXIsIHdpdGggdGhlIGFzc29jaWF0ZWQgcGVybWlzc2lvbnM7IHJpZ2h0ID88YnI+PC9kaXY+PGRp
dj5Ob3csIGlmIEkgd2FudCB0byBjb250cm9sIHdobyBoYXMgYWNjZXNzIHRvIGVhY2ggVk0gOiBJ
IG11c24ndCBhZGQgdGhpcyB1c2VyIHRvIHVzZXIgcm9sZSBmcm9tIHRoZSBzeXN0ZW0gdGFiOyBi
dXQgaW5zdGVhZCBhZGQgaXQgb24gZWFjaCByZXNvdXJjZXMgKGxpa2Ugb24gZWFjaCBWTSkgaXQg
c2hvdWxkIGFjY2VzcyA/PGJyPjwvZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXY+SXMgdGhlcmUgYW5v
dGhlciB3YXkgdG8gbWFuYWdlIHBlcm1pc3Npb25zID8gSG93IHlvdSBndXlzIGRvIHBlcnNvbmFs
bHkgbWFuYWdlIHRoaXMgPyBEbyB5b3UgYXV0b21hdGUgaXQgd2l0aCBzY3JpcHRzID88YnI+PC9k
aXY+PGRpdj48YnI+PC9kaXY+PGRpdj5UaGFua3MgZm9yIHlvdSBpZGVhcyBhbmQgc3VnZ2VzdGlv
bnM8YnI+PC9kaXY+PGRpdj48YnI+PC9kaXY+PGRpdj4odXNpbmcgMy42KTxicj48L2Rpdj48L2Rp
dj48L2JvZHk+PC9odG1sPgotLS0tLS09X1BhcnRfMjI4MzkyM18xOTU0ODc3NDcuMTQ4ODcxNDY3
OTU5Ni0tCg==

--===============1493143466809138545==--

From oourfali at redhat.com Mon Mar  6 12:03:40 2017
Content-Type: multipart/mixed; boundary="===============6372664268135244922=="
MIME-Version: 1.0
From: Oved Ourfali <oourfali at redhat.com>
To: users at ovirt.org
Subject: Re: [ovirt-users] VM Permissions (3.6)
Date: Mon, 06 Mar 2017 14:03:38 +0200
Message-ID: <CAJ_kCt7c29PdQ9X5ZOcueKBtx82QzDyP5GdRxnpLErYGEPnX2A@mail.gmail.com>
In-Reply-To: 2060067566.2283924.1488714679597.JavaMail.zimbra@telecom-bretagne.eu

--===============6372664268135244922==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Hi Alexis,

Permissions in oVirt consist of three parts:
1. The user/group
2. The role
3. The object

So, if you want a user to be able to "use" a VM, it should be enough to
grant him a UserRole on the VM object (no need to go to the system
preferences for that one).
If you want a user to be the owner of a VM (allows more actions on that VM
than UserRole), then you should grant him with UserVmManager on the VM
object.

The role itself consists of actions that are allowed to be done with it.
You can view these actions in the UI through the system preferences dialog.

When you grant permissions on the system preferences dialog, then it means
the "object" you grant on is the "system" object, which is in the higher
part of the objects tree.
Normally you won't need that for users.

As for managing permissions, it can be done either via the UI, or the API,
or one of the SDKs.
I guess it is a matter of preference and needs.

Cheers,
Oved


On Sun, Mar 5, 2017 at 1:51 PM, Alexis HAUSER <
alexis.hauser(a)imt-atlantique.fr> wrote:

> hi, I'm trying to figure out how to manage VM permissions with ovirt.
> From what I've understood, if you add a user to user role in the system
> preferences, this user can access every VM and resources on the cluster,
> with the associated permissions; right ?
> Now, if I want to control who has access to each VM : I musn't add this
> user to user role from the system tab; but instead add it on each resourc=
es
> (like on each VM) it should access ?
>
> Is there another way to manage permissions ? How you guys do personally
> manage this ? Do you automate it with scripts ?
>
> Thanks for you ideas and suggestions
>
> (using 3.6)
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>

--===============6372664268135244922==
Content-Type: text/html
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.html"

PGRpdiBkaXI9Imx0ciI+PGRpdj5IaSBBbGV4aXMsPC9kaXY+PGRpdj48YnI+PC9kaXY+UGVybWlz
c2lvbnMgaW4gb1ZpcnQgY29uc2lzdCBvZiB0aHJlZSBwYXJ0czo8ZGl2PjEuIFRoZSB1c2VyL2dy
b3VwPC9kaXY+PGRpdj4yLiBUaGUgcm9sZTwvZGl2PjxkaXY+My4gVGhlIG9iamVjdDwvZGl2Pjxk
aXY+PGJyPjwvZGl2PjxkaXY+U28sIGlmIHlvdSB3YW50IGEgdXNlciB0byBiZSBhYmxlIHRvICZx
dW90O3VzZSZxdW90OyBhIFZNLCBpdCBzaG91bGQgYmUgZW5vdWdoIHRvIGdyYW50IGhpbSBhIFVz
ZXJSb2xlIG9uIHRoZSBWTSBvYmplY3QgKG5vIG5lZWQgdG8gZ28gdG8gdGhlIHN5c3RlbSBwcmVm
ZXJlbmNlcyBmb3IgdGhhdCBvbmUpLjwvZGl2PjxkaXY+SWYgeW91IHdhbnQgYSB1c2VyIHRvIGJl
IHRoZSBvd25lciBvZiBhIFZNIChhbGxvd3MgbW9yZSBhY3Rpb25zIG9uIHRoYXQgVk0gdGhhbiBV
c2VyUm9sZSksIHRoZW4geW91IHNob3VsZCBncmFudCBoaW0gd2l0aCBVc2VyVm1NYW5hZ2VyIG9u
IHRoZSBWTSBvYmplY3QuPC9kaXY+PGRpdj48YnI+PC9kaXY+PGRpdj5UaGUgcm9sZSBpdHNlbGYg
Y29uc2lzdHMgb2YgYWN0aW9ucyB0aGF0IGFyZSBhbGxvd2VkIHRvIGJlIGRvbmUgd2l0aCBpdC4g
WW91IGNhbiB2aWV3IHRoZXNlIGFjdGlvbnMgaW4gdGhlIFVJIHRocm91Z2ggdGhlIHN5c3RlbSBw
cmVmZXJlbmNlcyBkaWFsb2cuPC9kaXY+PGRpdj48YnI+PC9kaXY+PGRpdj5XaGVuIHlvdSBncmFu
dCBwZXJtaXNzaW9ucyBvbiB0aGUgc3lzdGVtIHByZWZlcmVuY2VzIGRpYWxvZywgdGhlbiBpdCBt
ZWFucyB0aGUgJnF1b3Q7b2JqZWN0JnF1b3Q7IHlvdSBncmFudCBvbiBpcyB0aGUgJnF1b3Q7c3lz
dGVtJnF1b3Q7IG9iamVjdCwgd2hpY2ggaXMgaW4gdGhlIGhpZ2hlciBwYXJ0IG9mIHRoZSBvYmpl
Y3RzIHRyZWUuPC9kaXY+PGRpdj5Ob3JtYWxseSB5b3Ugd29uJiMzOTt0IG5lZWQgdGhhdCBmb3Ig
dXNlcnMuPC9kaXY+PGRpdj48YnI+PC9kaXY+PGRpdj5BcyBmb3IgbWFuYWdpbmcgcGVybWlzc2lv
bnMsIGl0IGNhbiBiZSBkb25lIGVpdGhlciB2aWEgdGhlIFVJLCBvciB0aGUgQVBJLCBvciBvbmUg
b2YgdGhlIFNES3MuPC9kaXY+PGRpdj5JIGd1ZXNzIGl0IGlzIGEgbWF0dGVyIG9mIHByZWZlcmVu
Y2UgYW5kIG5lZWRzLjwvZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXY+Q2hlZXJzLDwvZGl2PjxkaXY+
T3ZlZDwvZGl2PjxkaXY+PGJyPjwvZGl2PjwvZGl2PjxkaXYgY2xhc3M9ImdtYWlsX2V4dHJhIj48
YnI+PGRpdiBjbGFzcz0iZ21haWxfcXVvdGUiPk9uIFN1biwgTWFyIDUsIDIwMTcgYXQgMTo1MSBQ
TSwgQWxleGlzIEhBVVNFUiA8c3BhbiBkaXI9Imx0ciI+Jmx0OzxhIGhyZWY9Im1haWx0bzphbGV4
aXMuaGF1c2VyQGltdC1hdGxhbnRpcXVlLmZyIiB0YXJnZXQ9Il9ibGFuayI+YWxleGlzLmhhdXNl
ckBpbXQtYXRsYW50aXF1ZS5mcjwvYT4mZ3Q7PC9zcGFuPiB3cm90ZTo8YnI+PGJsb2NrcXVvdGUg
Y2xhc3M9ImdtYWlsX3F1b3RlIiBzdHlsZT0ibWFyZ2luOjAgMCAwIC44ZXg7Ym9yZGVyLWxlZnQ6
MXB4ICNjY2Mgc29saWQ7cGFkZGluZy1sZWZ0OjFleCI+PGRpdj48ZGl2IHN0eWxlPSJmb250LWZh
bWlseTp0aW1lcyBuZXcgcm9tYW4sbmV3IHlvcmssdGltZXMsc2VyaWY7Zm9udC1zaXplOjEycHQ7
Y29sb3I6IzAwMDAwMCI+PGRpdj5oaSwgSSYjMzk7bSB0cnlpbmcgdG8gZmlndXJlIG91dCBob3cg
dG8gbWFuYWdlIFZNIHBlcm1pc3Npb25zIHdpdGggb3ZpcnQuPGJyPjwvZGl2PjxkaXY+RnJvbSB3
aGF0IEkmIzM5O3ZlIHVuZGVyc3Rvb2QsIGlmIHlvdSBhZGQgYSB1c2VyIHRvIHVzZXIgcm9sZSBp
biB0aGUgc3lzdGVtIHByZWZlcmVuY2VzLCB0aGlzIHVzZXIgY2FuIGFjY2VzcyBldmVyeSBWTSBh
bmQgcmVzb3VyY2VzIG9uIHRoZSBjbHVzdGVyLCB3aXRoIHRoZSBhc3NvY2lhdGVkIHBlcm1pc3Np
b25zOyByaWdodCA/PGJyPjwvZGl2PjxkaXY+Tm93LCBpZiBJIHdhbnQgdG8gY29udHJvbCB3aG8g
aGFzIGFjY2VzcyB0byBlYWNoIFZNIDogSSBtdXNuJiMzOTt0IGFkZCB0aGlzIHVzZXIgdG8gdXNl
ciByb2xlIGZyb20gdGhlIHN5c3RlbSB0YWI7IGJ1dCBpbnN0ZWFkIGFkZCBpdCBvbiBlYWNoIHJl
c291cmNlcyAobGlrZSBvbiBlYWNoIFZNKSBpdCBzaG91bGQgYWNjZXNzID88YnI+PC9kaXY+PGRp
dj48YnI+PC9kaXY+PGRpdj5JcyB0aGVyZSBhbm90aGVyIHdheSB0byBtYW5hZ2UgcGVybWlzc2lv
bnMgPyBIb3cgeW91IGd1eXMgZG8gcGVyc29uYWxseSBtYW5hZ2UgdGhpcyA/IERvIHlvdSBhdXRv
bWF0ZSBpdCB3aXRoIHNjcmlwdHMgPzxicj48L2Rpdj48ZGl2Pjxicj48L2Rpdj48ZGl2PlRoYW5r
cyBmb3IgeW91IGlkZWFzIGFuZCBzdWdnZXN0aW9uczxicj48L2Rpdj48ZGl2Pjxicj48L2Rpdj48
ZGl2Pih1c2luZyAzLjYpPGJyPjwvZGl2PjwvZGl2PjwvZGl2Pjxicj5fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX188d2JyPl9fX19fX19fX19fX19fX19fPGJyPgpVc2VycyBtYWlsaW5nIGxp
c3Q8YnI+CjxhIGhyZWY9Im1haWx0bzpVc2Vyc0BvdmlydC5vcmciPlVzZXJzQG92aXJ0Lm9yZzwv
YT48YnI+CjxhIGhyZWY9Imh0dHA6Ly9saXN0cy5vdmlydC5vcmcvbWFpbG1hbi9saXN0aW5mby91
c2VycyIgcmVsPSJub3JlZmVycmVyIiB0YXJnZXQ9Il9ibGFuayI+aHR0cDovL2xpc3RzLm92aXJ0
Lm9yZy88d2JyPm1haWxtYW4vbGlzdGluZm8vdXNlcnM8L2E+PGJyPgo8YnI+PC9ibG9ja3F1b3Rl
PjwvZGl2Pjxicj48L2Rpdj4K

--===============6372664268135244922==--