Roles and Permissions and Inheritance

Is there a way to make roles assigned to groups on objects apply only where they are set? Basically I'm looking for a way to do what we had done in VMware, which involved using the "do not propagate" permission setting.

Seems to me that right now there is no way to set this, so if I give access to something at the top level of a DC, those accesses will override if I then explicitly set another role and permission on an object underneath.

Let's take as a concrete example the ovirtmgmt network. I do not want users in the engine to be able to place VMs on this (but I want the SuperUsers to still be able to). How can I accomplish this with the way roles and permissions work in oVirt?

thanks!
Brian

On Wed, 12 Dec 2018 15:25:56 -0000 "Brian Wilson" <briwils2@cisco.com> wrote:
> Is there a way to make roles assigned to groups on objects apply only where they are set?
> Basically I'm looking for a way to do what we had done in VMware, which involved using the "do not propagate" permission setting.
> Seems to me that right now there is no way to set this, so if I give access to something at the top level of a DC, those accesses will override if I then explicitly set another role and permission on an object underneath.
> Let's take as a concrete example the ovirtmgmt network. I do not want users in the engine to be able to place VMs on this (but I want the SuperUsers to still be able to). How can I accomplish this with the way roles and permissions work in oVirt?
The attachment of logical networks to VMs is managed in oVirt by "vNIC Profiles". The Boolean property "Public" of a vNIC Profile enables simple permission management to allow or deny the attachment of the logical network to a VM by users. If "Public" is set, all users are allowed to attach the related logical network to the VMs they are allowed to manage. If "Public" is not set, only users/administrators with the required permissions (e.g. "Assign vNIC Profile to VM") are allowed to attach the logical network to a VM.

If you want to prevent users in the Engine from being able to place VMs on ovirtmgmt, you have to remove this "Public" permission from the ovirtmgmt object. In the web UI, this can be done like this:

1. In Administration > Configure > Roles, select the role "VnicProfileUser". This will show a table of the allowed User-Object pairs.
2. Select the pair of the user "Everyone" and the object ovirtmgmt and remove this pair.

This will prevent users from attaching their VMs to ovirtmgmt. Please make sure that there are no additional permissions on ovirtmgmt and/or its vNIC Profile that violate the desired permission level. However, if the VM was already created and has an interface attached to 'ovirtmgmt', these attachments have to be removed or replaced manually.
> thanks!
> Brian

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/PY6ZITVTLFNXFX...

On Wed, Dec 12, 2018 at 5:27 PM Brian Wilson <briwils2@cisco.com> wrote:
> Is there a way to make roles assigned to groups on objects apply only where they are set?
> Basically I'm looking for a way to do what we had done in VMware, which involved using the "do not propagate" permission setting.
> Seems to me that right now there is no way to set this, so if I give access to something at the top level of a DC, those accesses will override if I then explicitly set another role and permission on an object underneath.
> Let's take as a concrete example the ovirtmgmt network. I do not want users in the engine to be able to place VMs on this (but I want the SuperUsers to still be able to). How can I accomplish this with the way roles and permissions work in oVirt?
There is an entity named vNIC Profile under the Network element. When creating the vNIC Profile, you can define whether you'd want it to be 'publicly' used or not. In case you select the 'Public Use' option, a public permission (a permission to a special inner user called EVERYONE) is granted on that profile. See the attached screenshot of that profile:

[image: Selection_978.png]

However, if the VM was already created and has a NIC attached to 'ovirtmgmt', the admin will need to remove or replace the profile of the restricted network.
-- Regards, Moti

This seems to work; however, we are still trying to solve the issue that if we don't give access to networks at a higher level (Cluster or DC), then it must be given at the Network level for every network that we would like them to have access to. Since we are using an AD group to assign access to the networks, this would work for networks initially created by us as admins, but it brings up an issue for networks they create themselves.

We also would like them to create networks and let that group have access to them, but it seems we would have to allow them to assign permissions in the system to do that, which then opens up a whole other host of problems we wouldn't want, like the ability to mitigate any access control we implement.

Am I understanding how these permissions work and finding we cannot do the below, or am I missing something that would allow the following use case:

- Users of the platform are restricted from adding VMs to a few select networks
- Users of the platform are able to create, and share with other team members associated with an AD group, new networks -- stretch here if it could be restricted to only certain labels, to prevent them from using physical NICs we haven't already assigned labels to as admins
- Users of the platform are not able to modify permissions on objects in inventory

On Tue, Jan 29, 2019 at 5:01 PM Brian Wilson <briwils2@cisco.com> wrote:
> This seems to work; however, we are still trying to solve the issue that if we don't give access to networks at a higher level (Cluster or DC), then it must be given at the Network level for every network that we would like them to have access to. Since we are using an AD group to assign access to the networks, this would work for networks initially created by us as admins, but it brings up an issue for networks they create themselves.
Just to make clear: if you allow users to create networks on the system, you have assigned them an Admin role that supports VM creation, and probably given them that role on the DC. This allows them to add a vNIC profile or have full control (update / delete) of that network.
> We also would like them to create networks and let that group have access to them, but it seems we would have to allow them to assign permissions in the system to do that, which then opens up a whole other host of problems we wouldn't want, like the ability to mitigate any access control we implement.
> Am I understanding how these permissions work and finding we cannot do the below, or am I missing something that would allow the following use case:
> - Users of the platform are restricted from adding VMs to a few select networks
> - Users of the platform are able to create, and share with other team members associated with an AD group, new networks -- stretch here if it could be restricted to only certain labels, to prevent them from using physical NICs we haven't already assigned labels to as admins
> - Users of the platform are not able to modify permissions on objects in inventory
The MLA (multi-level administration), or permission model, is configured based on 3 entities per permission:

1. The entity - which entity we'd like to grant the user permission on (could be the direct entity or a higher level in that hierarchy)
2. The user - could be either a user or a group that will be granted the permission
3. The role - a role contains a list of action groups to permit. Could be a predefined role or a custom role.

In the mentioned use case of a user or group that creates a VM, where you'd like that user to be able to grant permission on that network to other users, that user should be granted a role that permits giving permissions to other users on that network (or a higher level, i.e. DC). You can define a custom role for that, containing the checked options as in the screenshot, and assign it on the network or on the DC for the user. If you'd like to grant that role on a DC to the AD group, they should be able to grant other users the use of the network (and/or its vNIC profiles). If you'd like to restrict the permission only to the network created by the user, you should grant it manually (or by a REST API script) on the new network. There isn't an option to provide such a role on network creation, since at the time of creation there is no such entity in the system. That might require its own RFE.

Please let me know if that makes sense to you and if it solves the mentioned use case.

Thanks,
Moti

[image: Selection_999(006).png]
-- Regards, Moti
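To make the behaviour described in this thread concrete (Dominik's point that the vNIC profile "Public" flag is a grant to the built-in Everyone user, and Moti's description of the permission model as entity + user + role with grants inherited down the object tree), here is a small added simulation. It is not oVirt code and not from any of the posters; the object tree, the role names as used here, and the users "admin" and "alice" with group "AD-Users" are constructed for the example.

```python
from dataclasses import dataclass, field

# Built-in oVirt principal that a vNIC profile's "Public"/"Public Use" flag grants to.
EVERYONE = "Everyone"

@dataclass
class Entity:
    """A node of the oVirt object tree: System > Data Center > Network > vNIC Profile."""
    name: str
    parent: "Entity | None" = None
    grants: set = field(default_factory=set)   # {(principal, role)} set directly here

def effective_roles(entity, user, groups=()):
    """Roles `user` holds on `entity`: every grant to the user, to one of the user's
    groups, or to Everyone, on the entity itself or on any ancestor. Grants only add;
    there is no deny and no 'do not propagate', which is what the thread describes."""
    principals = {user, EVERYONE, *groups}
    roles = set()
    node = entity
    while node is not None:
        roles |= {role for principal, role in node.grants if principal in principals}
        node = node.parent
    return roles

def can_attach(profile, user, groups=()):
    """Attaching a VM NIC to a vNIC profile needs VnicProfileUser (or SuperUser) there."""
    return bool(effective_roles(profile, user, groups) & {"VnicProfileUser", "SuperUser"})

def build_scenario():
    """Constructed sample tree: one DC with the ovirtmgmt network and a team network,
    each with a vNIC profile created as 'Public'; 'admin' is SuperUser on System."""
    system = Entity("System")
    dc = Entity("Default", system)
    mgmt_profile = Entity("ovirtmgmt", Entity("ovirtmgmt", dc))   # network -> profile
    team_profile = Entity("team-net", Entity("team-net", dc))
    system.grants.add(("admin", "SuperUser"))
    for profile in (mgmt_profile, team_profile):
        profile.grants.add((EVERYONE, "VnicProfileUser"))          # the "Public" flag
    return dc, mgmt_profile, team_profile

if __name__ == "__main__":
    dc, mgmt, team = build_scenario()
    print(can_attach(mgmt, "alice", ["AD-Users"]))    # True: Public applies to Everyone
    mgmt.grants.discard((EVERYONE, "VnicProfileUser"))  # the fix: drop the Everyone pair
    print(can_attach(mgmt, "alice", ["AD-Users"]))    # False
    print(can_attach(team, "alice", ["AD-Users"]))    # True: other networks stay usable
    print(can_attach(mgmt, "admin"))                  # True: SuperUser inherited from System
    dc.grants.add(("AD-Users", "VnicProfileUser"))    # a DC-level grant propagates down...
    print(can_attach(mgmt, "alice", ["AD-Users"]))    # ...and nothing below can block it
```

The last two lines are the reason the VMware-style "do not propagate" approach has no equivalent here: once the group holds the role at the DC, every network beneath inherits it, so the restriction has to be expressed by not granting at that level and removing the Everyone pair on the specific profile.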
participants (3)
- Brian Wilson
- Dominik Holler
- Moti Asayag