Hi list, I'm trying to remove the default "everyone" user from Ovirt, so that each user can have access to its own interface to manage a unique VM. I wonder if this is possible, because so far I'm unable to remove everyone user. Thank you _______________________________________________ Users mailing list -- users(a)ovirt.org To unsubscribe send an email to users-leave(a)ovirt.org

Hi Roy, Thanks for your feedback, I'm unable to remove the user from the cluster, I used the command "ovirt-aaa-jdbc-tool user add" to add the new user, and it seems that by default it took all permissions over the cluster. Is there any document describing this feature in details ?

Thanks On Tue, May 15, 2018 at 6:31 PM, Roy Golan <rgolan(a)redhat.com&gt; wrote: > 1. Make sure your users use the VM portal > 2. Assign permission on VM to a certain user to make sure it apears in > the portal. The Role should be VmOperator afaik. > > Permission set on objects higher in the hierarchy are cascading, i.e a > user with permission on a cluster would have the permission on the all the > vm in cluster. > > > On Tue, 15 May 2018 at 20:59 Aziz <azizgstest(a)gmail.com&gt; wrote: > >> Hi list, >> >> I'm trying to remove the default "everyone" user from Ovirt, so that >> each user can have access to its own interface to manage a unique VM. I >> wonder if this is possible, because so far I'm unable to remove everyone >> user. >> >> Thank you >> >> >> _______________________________________________ >> Users mailing list -- users(a)ovirt.org >> To unsubscribe send an email to users-leave(a)ovirt.org >> >

Hi, I'm fancing the same problem. The steps are - create user /tester/ using the ovirt-aaa-jdbc-tool - login as admin into admin portal - add tester user in Administation -> Users - choose one VM and add UserRole role - login as testr into User Potal - user could see all VM.. The problem could be, that the user is part of the group Everyone and this group could be found in Administration -> Configure > System Permissions. When you check the group permisson, it seems to be automatically populated by engine. In my case I[m using default DC, default cluster and 'internal' profile . Seems that all engine object is included in Everyone group. regards Peter On 15/05/2018 22:03, Roy Golan wrote: > On Tue, 15 May 2018 at 21:47 Aziz <azizgstest(a)gmail.com > <mailto:azizgstest@gmail.com>> wrote: > Hi Roy, > Thanks for your feedback, I'm unable to remove the user from the > cluster, I used the command "|ovirt-aaa-jdbc-tool user add|" to > add the new user, and it seems that by default it took all > permissions over the cluster. Is there any document describing > this feature in details ? > In the webadmin go to Administration -> Configure > System > Permissions. If the user is there, remove him. Then search for > the VM and add permissions to the user on the VM Check your end > result in the 'permisions' section of the VM to see who has > permissions on it. > This should be helpful, quite long though > https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/ > > This is for the tool itself > https://www.ovirt.org/develop/release-management/features/infra/aaa-j

> >

> Thanks > On Tue, May 15, 2018 at 6:31 PM, Roy Golan <rgolan(a)redhat.com > <mailto:rgolan@redhat.com>> wrote: > 1. Make sure your users use the VM portal 2. Assign permission on > VM to a certain user to make sure it apears in the portal. The > Role should be VmOperator afaik. > Permission set on objects higher in the hierarchy are cascading, > i.e a user with permission on a cluster would have the permission > on the all the vm in cluster. > On Tue, 15 May 2018 at 20:59 Aziz <azizgstest(a)gmail.com > <mailto:azizgstest@gmail.com>> wrote: > Hi list, > I'm trying to remove the default "everyone" user from Ovirt, so > that each user can have access to its own interface to manage a > unique VM. I wonder if this is possible, because so far I'm > unable to remove everyone user. > Thank you > _______________________________________________ Users mailing > list -- users(a)ovirt.org <mailto:users@ovirt.org> To unsubscribe > send an email to users-leave(a)ovirt.org > <mailto:users-leave@ovirt.org> > _______________________________________________ Users mailing > list -- users(a)ovirt.org To unsubscribe send an email to > users-leave(a)ovirt.org

Hi All, Thank you Roy, this is working now as expected, however, I think the Edit button, should be removed for this user, there is no need to display the edit button if the user cannot use it to perform any operation, am I missing something ? You mean in the VM portal the user sees he can edit a VM when he doesn't

Best regards On Wed, May 16, 2018 at 9:12 AM, Peter Hudec <phudec(a)cnc.sk&gt; wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > I have found 2 related bug, a little bit older > > https://bugzilla.redhat.com/show_bug.cgi?id=1209505 > https://bugzilla.redhat.com/show_bug.cgi?id=1225274 > > But these are related only to DiskProfile. > > I haven't found any work about 'Everyone' group in documentation, so > I'm little bit confused why there is such a group. > > Peter > > On 15/05/2018 23:02, Peter Hudec wrote: > > Hi, > > > > I'm fancing the same problem. > > > > The steps are - create user /tester/ using the ovirt-aaa-jdbc-tool > > - login as admin into admin portal - add tester user in > > Administation -> Users - choose one VM and add UserRole role > > > > - login as testr into User Potal - user could see all VM.. > > > > The problem could be, that the user is part of the group Everyone > > and this group could be found in Administration -> Configure > > > System Permissions. When you check the group permisson, it seems > > to be automatically populated by engine. > > > > In my case I[m using default DC, default cluster and 'internal' > > profile . > > > > Seems that all engine object is included in Everyone group. > > > > regards Peter > > > > On 15/05/2018 22:03, Roy Golan wrote: > > > > > >> On Tue, 15 May 2018 at 21:47 Aziz <azizgstest(a)gmail.com > >> <mailto:azizgstest@gmail.com>> wrote: > > > >> Hi Roy, > > > >> Thanks for your feedback, I'm unable to remove the user from the > >> cluster, I used the command "|ovirt-aaa-jdbc-tool user add|" to > >> add the new user, and it seems that by default it took all > >> permissions over the cluster. Is there any document describing > >> this feature in details ? > > > > > > > >> In the webadmin go to Administration -> Configure > System > >> Permissions. If the user is there, remove him. Then search for > >> the VM and add permissions to the user on the VM Check your end > >> result in the 'permisions' section of the VM to see who has > >> permissions on it. > > > >> This should be helpful, quite long though > >> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/ > > > >> > >> > > > > This is for the tool itself > >> https://www.ovirt.org/develop/release-management/features/infra/aaa-j > d > > > >> > >> > bc/ > > > > > > > > > >> Thanks > > > >> On Tue, May 15, 2018 at 6:31 PM, Roy Golan <rgolan(a)redhat.com > >> <mailto:rgolan@redhat.com>> wrote: > > > >> 1. Make sure your users use the VM portal 2. Assign permission on > >> VM to a certain user to make sure it apears in the portal. The > >> Role should be VmOperator afaik. > > > >> Permission set on objects higher in the hierarchy are cascading, > >> i.e a user with permission on a cluster would have the permission > >> on the all the vm in cluster. > > > > > >> On Tue, 15 May 2018 at 20:59 Aziz <azizgstest(a)gmail.com > >> <mailto:azizgstest@gmail.com>> wrote: > > > >> Hi list, > > > >> I'm trying to remove the default "everyone" user from Ovirt, so > >> that each user can have access to its own interface to manage a > >> unique VM. I wonder if this is possible, because so far I'm > >> unable to remove everyone user. > > > >> Thank you > > > > > >> _______________________________________________ Users mailing > >> list -- users(a)ovirt.org <mailto:users@ovirt.org> To unsubscribe > >> send an email to users-leave(a)ovirt.org > >> <mailto:users-leave@ovirt.org> > > > > > > > > > >> _______________________________________________ Users mailing > >> list -- users(a)ovirt.org To unsubscribe send an email to > >> users-leave(a)ovirt.org > > > > > > > > > > - -- > *Peter Hudec* > Infraštruktúrny architekt > phudec(a)cnc.sk <mailto:phudec@cnc.sk> > > *CNC, a.s.* > Borská 6, 841 04 Bratislava > Recepcia: +421 2 35 000 100 > > Mobil:+421 905 997 203 <+421%20905%20997%20203> > *www.cnc.sk* <http:///www.cnc.sk> > > _______________________________________________ > Users mailing list -- users(a)ovirt.org > To unsubscribe send an email to users-leave(a)ovirt.org > _______________________________________________ Users mailing list -- users(a)ovirt.org To unsubscribe send an email to users-leave(a)ovirt.org

On Wed, May 16, 2018 at 9:09 AM, Roy Golan <rgolan(a)redhat.com&gt; wrote: > On Wed, 16 May 2018 at 16:01 Aziz <azizgstest(a)gmail.com&gt; wrote: > >> Hi All, >> >> Thank you Roy, this is working now as expected, however, I think the >> Edit button, should be removed for this user, there is no need to display >> the edit button if the user cannot use it to perform any operation, am I >> missing something ? >> >> You mean in the VM portal the user sees he can edit a VM when he > doesn't have permission to? I assume we don't go to a resolution of button > per permission ( +Greg Sheremeta <gshereme(a)redhat.com&gt; right? ) > Instead the user would get and error from the engine that he isn't > authorized to perform this action. > In both Administration Portal and VM Portal, we generally don't have pre-flight checks to see if users have access to buttons. There is an existing RFE, Bug 1221694 – [RFE] Role based views in webui https://bugzilla.redhat.com/show_bug.cgi?id=1221694 Greg > ​ > >> >> Best regards >> >> On Wed, May 16, 2018 at 9:12 AM, Peter Hudec <phudec(a)cnc.sk&gt; wrote: >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA512 >>> >>> I have found 2 related bug, a little bit older >>> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1209505 >>> https://bugzilla.redhat.com/show_bug.cgi?id=1225274 >>> >>> But these are related only to DiskProfile. >>> >>> I haven't found any work about 'Everyone' group in documentation, so >>> I'm little bit confused why there is such a group. >>> >>> Peter >>> >>> On 15/05/2018 23:02, Peter Hudec wrote: >>> > Hi, >>> > >>> > I'm fancing the same problem. >>> > >>> > The steps are - create user /tester/ using the ovirt-aaa-jdbc-tool >>> > - login as admin into admin portal - add tester user in >>> > Administation -> Users - choose one VM and add UserRole role >>> > >>> > - login as testr into User Potal - user could see all VM.. >>> > >>> > The problem could be, that the user is part of the group Everyone >>> > and this group could be found in Administration -> Configure > >>> > System Permissions. When you check the group permisson, it seems >>> > to be automatically populated by engine. >>> > >>> > In my case I[m using default DC, default cluster and 'internal' >>> > profile . >>> > >>> > Seems that all engine object is included in Everyone group. >>> > >>> > regards Peter >>> > >>> > On 15/05/2018 22:03, Roy Golan wrote: >>> > >>> > >>> >> On Tue, 15 May 2018 at 21:47 Aziz <azizgstest(a)gmail.com >>> >> <mailto:azizgstest@gmail.com>> wrote: >>> > >>> >> Hi Roy, >>> > >>> >> Thanks for your feedback, I'm unable to remove the user from the >>> >> cluster, I used the command "|ovirt-aaa-jdbc-tool user add|" to >>> >> add the new user, and it seems that by default it took all >>> >> permissions over the cluster. Is there any document describing >>> >> this feature in details ? >>> > >>> > >>> > >>> >> In the webadmin go to Administration -> Configure > System >>> >> Permissions. If the user is there, remove him. Then search for >>> >> the VM and add permissions to the user on the VM Check your end >>> >> result in the 'permisions' section of the VM to see who has >>> >> permissions on it. >>> > >>> >> This should be helpful, quite long though >>> >> https://www.ovirt.org/documentation/admin-guide/chap-Users_ >>> and_Roles/ >>> > >>> >> >>> >> >>> > >>> > This is for the tool itself >>> >> https://www.ovirt.org/develop/release-management/features/in >>> fra/aaa-j >>> d >>> > >>> >> >>> >> >>> bc/ >>> > >>> > >>> > >>> > >>> >> Thanks >>> > >>> >> On Tue, May 15, 2018 at 6:31 PM, Roy Golan <rgolan(a)redhat.com >>> >> <mailto:rgolan@redhat.com>> wrote: >>> > >>> >> 1. Make sure your users use the VM portal 2. Assign permission on >>> >> VM to a certain user to make sure it apears in the portal. The >>> >> Role should be VmOperator afaik. >>> > >>> >> Permission set on objects higher in the hierarchy are cascading, >>> >> i.e a user with permission on a cluster would have the permission >>> >> on the all the vm in cluster. >>> > >>> > >>> >> On Tue, 15 May 2018 at 20:59 Aziz <azizgstest(a)gmail.com >>> >> <mailto:azizgstest@gmail.com>> wrote: >>> > >>> >> Hi list, >>> > >>> >> I'm trying to remove the default "everyone" user from Ovirt, so >>> >> that each user can have access to its own interface to manage a >>> >> unique VM. I wonder if this is possible, because so far I'm >>> >> unable to remove everyone user. >>> > >>> >> Thank you >>> > >>> > >>> >> _______________________________________________ Users mailing >>> >> list -- users(a)ovirt.org <mailto:users@ovirt.org> To unsubscribe >>> >> send an email to users-leave(a)ovirt.org >>> >> <mailto:users-leave@ovirt.org> >>> > >>> > >>> > >>> > >>> >> _______________________________________________ Users mailing >>> >> list -- users(a)ovirt.org To unsubscribe send an email to >>> >> users-leave(a)ovirt.org >>> > >>> > >>> > >>> > >>> >>> - -- >>> *Peter Hudec* >>> Infraštruktúrny architekt >>> phudec(a)cnc.sk <mailto:phudec@cnc.sk> >>> >>> *CNC, a.s.* >>> Borská 6, 841 04 Bratislava >>> <https://maps.google.com/?q=Borsk%C3%A1+6,+841+04+Bratislava&entry=gma... >>> Recepcia: +421 2 35 000 100 >>> >>> Mobil:+421 905 997 203 <+421%20905%20997%20203> >>> *www.cnc.sk* <http:///www.cnc.sk> >>> >>> _______________________________________________ >>> Users mailing list -- users(a)ovirt.org >>> To unsubscribe send an email to users-leave(a)ovirt.org >>> >> >> _______________________________________________ >> Users mailing list -- users(a)ovirt.org >> To unsubscribe send an email to users-leave(a)ovirt.org >> > -- GREG SHEREMETA SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX Red Hat NA <https://www.redhat.com/> gshereme(a)redhat.com IRC: gshereme <https://red.ht/sig>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi all, works !! ;) Seems that there is some caching in User Portal. But there is still a question how could I remove user from the role everyone ? For example I want to assign only specific vNIC Profiles, Storage Domains, ...

On 16/05/2018 14:57, Aziz wrote: > Hi All, > > Thank you Roy, this is working now as expected, however, I think > the Edit button, should be removed for this user, there is no need > to display the edit button if the user cannot use it to perform > any operation, am I missing something ? > > > Best regards > > On Wed, May 16, 2018 at 9:12 AM, Peter Hudec <phudec(a)cnc.sk > <mailto:phudec@cnc.sk>> wrote: > > I have found 2 related bug, a little bit older > > https://bugzilla.redhat.com/show_bug.cgi?id=1209505 > <https://bugzilla.redhat.com/show_bug.cgi?id=1209505> > https://bugzilla.redhat.com/show_bug.cgi?id=1225274 > <https://bugzilla.redhat.com/show_bug.cgi?id=1225274> > > But these are related only to DiskProfile. > > I haven't found any work about 'Everyone' group in documentation, > so I'm little bit confused why there is such a group. > > Peter > > On 15/05/2018 23:02, Peter Hudec wrote: >> Hi, > >> I'm fancing the same problem. > >> The steps are - create user /tester/ using the >> ovirt-aaa-jdbc-tool - login as admin into admin portal - add >> tester user in Administation -> Users - choose one VM and add >> UserRole role > >> - login as testr into User Potal - user could see all VM.. > >> The problem could be, that the user is part of the group >> Everyone and this group could be found in Administration -> >> Configure > System Permissions. When you check the group >> permisson, it seems to be automatically populated by engine. > >> In my case I[m using default DC, default cluster and 'internal' >> profile . > >> Seems that all engine object is included in Everyone group. > >> regards Peter > >> On 15/05/2018 22:03, Roy Golan wrote: > > >>> On Tue, 15 May 2018 at 21:47 Aziz <azizgstest(a)gmail.com > <mailto:azizgstest@gmail.com> >>> <mailto:azizgstest@gmail.com <mailto:azizgstest@gmail.com>>> >>> wrote: > >>> Hi Roy, > >>> Thanks for your feedback, I'm unable to remove the user from >>> the cluster, I used the command "|ovirt-aaa-jdbc-tool user >>> add|" to add the new user, and it seems that by default it took >>> all permissions over the cluster. Is there any document >>> describing this feature in details ? > > > >>> In the webadmin go to Administration -> Configure > System >>> Permissions. If the user is there, remove him. Then search for >>> the VM and add permissions to the user on the VM Check your >>> end result in the 'permisions' section of the VM to see who >>> has permissions on it. > >>> This should be helpful, quite long though >>> > https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/ > <https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/ > > > >>> >>> > >> This is for the tool itself >>> > https://www.ovirt.org/develop/release-management/features/infra/aaa-j > <https://www.ovirt.org/develop/release-management/features/infra/aaa-j > > > d > >>> >>> > bc/ > > > > >>> Thanks > >>> On Tue, May 15, 2018 at 6:31 PM, Roy Golan <rgolan(a)redhat.com > <mailto:rgolan@redhat.com> >>> <mailto:rgolan@redhat.com <mailto:rgolan@redhat.com>>> wrote: > >>> 1. Make sure your users use the VM portal 2. Assign permission >>> on VM to a certain user to make sure it apears in the portal. >>> The Role should be VmOperator afaik. > >>> Permission set on objects higher in the hierarchy are >>> cascading, i.e a user with permission on a cluster would have >>> the permission on the all the vm in cluster. > > >>> On Tue, 15 May 2018 at 20:59 Aziz <azizgstest(a)gmail.com > <mailto:azizgstest@gmail.com> >>> <mailto:azizgstest@gmail.com <mailto:azizgstest@gmail.com>>> >>> wrote: > >>> Hi list, > >>> I'm trying to remove the default "everyone" user from Ovirt, >>> so that each user can have access to its own interface to >>> manage a unique VM. I wonder if this is possible, because so >>> far I'm unable to remove everyone user. > >>> Thank you > > >>> _______________________________________________ Users mailing >>> list -- users(a)ovirt.org <mailto:users@ovirt.org> > <mailto:users@ovirt.org <mailto:users@ovirt.org>> To unsubscribe >>> send an email to users-leave(a)ovirt.org > <mailto:users-leave@ovirt.org> >>> <mailto:users-leave@ovirt.org <mailto:users-leave@ovirt.org>> > > > > >>> _______________________________________________ Users mailing >>> list -- users(a)ovirt.org <mailto:users@ovirt.org> To >>> unsubscribe > send an email to >>> users-leave(a)ovirt.org <mailto:users-leave@ovirt.org> > > > > > > _______________________________________________ Users mailing list > -- users(a)ovirt.org <mailto:users@ovirt.org> To unsubscribe send an > email to users-leave(a)ovirt.org <mailto:users-leave@ovirt.org> > > - -- *Peter Hudec* Infraštruktúrny architekt phudec(a)cnc.sk <mailto:phudec@cnc.sk> *CNC, a.s.* Borská 6, 841 04 Bratislava Recepcia: +421 2 35 000 100 Mobil:+421 905 997 203 <+421%20905%20997%20203> *www.cnc.sk* <http:///www.cnc.sk> _______________________________________________ Users mailing list -- users(a)ovirt.org To unsubscribe send an email to users-leave(a)ovirt.org