Hi Tomas,

Sorry for the late response :P


2014-04-17 21:02 GMT+08:00 Tomas Jelinek <tjelinek@redhat.com>:


----- Original Message -----
> From: "plysan" <plysab@gmail.com>
> To: "Tomas Jelinek" <tjelinek@redhat.com>
> Cc: "Users@ovirt.org List" <users@ovirt.org>
> Sent: Wednesday, April 16, 2014 8:15:43 PM
> Subject: Re: [ovirt-users] Question about power user and public template
>
> 2014-04-14 15:18 GMT+08:00 Tomas Jelinek <tjelinek@redhat.com>:
>
> >
> >
> > ----- Original Message -----
> > > From: "plysan" <plysab@gmail.com>
> > > To: users@ovirt.org
> > > Sent: Sunday, April 13, 2014 3:52:55 AM
> > > Subject: [ovirt-users] Question about power user and public template
> > >
> > > Hi,
> > >
> > > > Currently I have run into a problem about permissions when creating a vm
> > > > from a template.
> > >
> > > > Say if non admin user A in power user portal wants to create a vm from
> > > > template C created by non admin user B, I found out that A needs to have
> > > > both power user role and userbasedtemplatevm role to make it work. If I only
> > > > assign userbasedtemplatevm to C, A can only view the template in power user
> > > > portal but is not able to create a vm from it.
> >
> > I'd say the problem is that the template has some disks and as a
> > "UserTemplateBasedVm" only you are
> > not allowed to "Access Image Storage Domains"?
> >
> Thanks for pointing that out, I really didn't think the disk has
> permissions too :)
>
> Because PowerUserRole has more permissions than UserTemplateBasedVm, I
> think assigning PowerUserRole is enough to see the template in power user
> portal. Based on this thought, I did the following two experiments:
>
> 1. I assigned PowerUserRole to user A in Configure -> System Permissions,
> but after that I still cannot see template C in power user portal.
> The above role assignment results in user A having PowerUserRole inherited
> from System Permission, and based on [1], user A should have PowerUserRole
> on template C, right?

yes, you should be able to verify this in the webadmin->template main tab->permissions subtab

>
> 2. Now based on 1 if I explicitly add PowerUserRole to user A on template
> C, I can see template C and create vms from it.

but it should already be there. And also, since you have created the template as public "everyone" should have the
"UserTemplateBasedVm" on it. You could verify this on the same subtab.

I think my experiment above is not clear enough, so I made another one, and found the following behavior:
1. If a user has only the PowerUser role, inherited from system, on a template, he cannot see the template on userportal. And based on this, if the UserTemplateBasedVm role is added to the user, the user can see it in userportal now.
2. If a user has only the PowerUser role assigned independently (not inherited from system) on a template, he can see the template in userportal.

IIUC, PowerUser role inherited from system should have the same behavior as PowerUser role assigned independently.

Ideas?

---
Thanks
plysan

>
> For my understanding, the above two role assignment should have the same
> result.
>
> Any ideas?

so, if you have a template on which "everyone" has "UserTemplateBasedVm" and a user with "PowerUserRole" and you cannot see it in the userportal,
it should be a bug. But for me it seems to be working on current upstream code...

>
> [1]:
> http://lists.ovirt.org/pipermail/engine-devel/2012-December/003229.html
>
>
> > For details about specific roles and what can be done by which role you
> > can have a look at:
> > webadmin -> "Configure" in top right corner -> "Roles" side tab -> pick a
> > specific role -> "Edit" button
> >
> > >
> > > > So is this the expected behavior? I don't quite understand what
> > > > userbasedtemplatevm is used for. I noticed that making template C public
> > > > has the effect of assigning userbasedtemplatevm to everyone, but that seems
> > > > not enough to let everyone use it.
> > >
> > > My engine version is 3.3.4.
> > >
> > > Any ideas? thanks for any help!
> > >
> >
>