Got an interesting one here as pertaining to template permissions and
provisioning.
Given the following setup/situation:
A cluster with a user A assigned poweruser role permissions on the cluster.
- User A is assigned poweruser role permissions to storage domain A
- User A is a consumer of quota A which is assigned to specific storage
domain A
A cluster with a user B assigned poweruser role permissions on the cluster.
- User B is assigned poweruser role permissions to storage domain B
- User B is a consumer of quota B which is assigned to specific storage
domain B
User A creates a VM and makes it a template of it with permissions of
everyone as UserTemplateBasedVM.
User B tries to create a VM based on the template that User A created.
While the base VM profile can be created the storage provisioning
encounters an issue.
Via Template provisioning option with the thin provision option will fail
due to the fact that User B does not have proper permissions to User A's
storage domain. The symptom of this expected failure is the target storage
domain pull-down is empty. (It really should show something or be greyed
out rather than just be blank at least some sort of user notification).
The real issue here is with the clone provisioning option. The idea here is
to be to clone a copy of the template disks into User B's storage domain as
a target where User B has poweruser role permissions. The problem here is
that this fails just like the above thin provision which should not be the
case. The target pulldown still blank it should by default show the target
storage domain to which User B has permissions to that being Storage domain
B.
Further debugging yields that by assigning UserTemplateVM permissions to
User A's storage domain allows User B to use either of the options above
although the only one really desired is the clone option since we don't
want User B creating VM's in User A's storage domain. There still however
was an issue upon selecting clone and selecting Storage domain B as the
target the VM is created but the disk is created in Storage domain A
instead of storage domain B.
Running build of the engine is built from commit:
7354d3283627bdbe30dd9c15ce45eba375280a8c
- DHC