
On 07/11/2014 08:28 AM, Aline Manera wrote:
On 07/11/2014 03:31 AM, Wen Wang wrote:
Thanks Aline, I think there might be some issues by changing the xml file manually. From the *tabs.xml* we get the mode that a user should have but it doesn't change when we change user. I have applied your code and it's something like this:
Either using a guest or root we can only get the permitted tabs of the guest. Can we have the kimchi/config/ui/tabs.xml changed automatically according to the logged in user. Role distinguishing can be done in the back-end and add the right mode to this xml file automatically? Or else we might need to find other ways to transfer the user roles.
From what we have discussed in "[Kimchi-devel] RFC: Design of Authorization in Kimchi" I understood the "mode" attribute will only be used for a "user" role and ignored if the user has a "admin" role as he/she has full control on kimchi
Example, in JS would have a code like:
if "admin" in roles: # upload all tabs
elif "user" in roles: # read mode attribute
But thinking in the future roles we will have we will need to do what you proposed by changing tabs.xml automatically. I will send a V2 patch with that
It will not work for us! Creating the tabs.xml automatically implies in having multiples tabs.xml file - at least one file per user. So I suggest turn back to my first proposal and list on xml the "mode" per "role" As more roles are added, we just need to update this file to add a new element *access* <tab *id=host*> <*access* role="admin" mode="admin"/> <*access* role="user" mode="none"/> <title>Host</title> <path>tabs/host.html</path> </tab> <tab *id=guests*> <*access* role="admin" mode="admin"/> <*access* role="user" mode="byinstance"/> <title>Guests</title> <path>tabs/guests.html</path> </tab> Then we change /login to return the role per tab: POST /login {username: ..., password: ...} { username: ..., roles: {host: admin, templates: user, ...} } So according to roles we can get the mode each tab is configured. user_access = login.roles for tab in user_access: get mode from xml according to tab and role I will send an RFC patch with that soon. Hope it solves our issues.
Thanks for the review.
Best regards Wang Wen
On 7/11/2014 10:16 AM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera<alinefm@linux.vnet.ibm.com>
Kimchi has 2 user roles: "admin" with full control of Kimchi features and "user" with limited access To describe how each tab should be displayed for a user, the "mode" attribute should be added. The "mode" attribute values are:
- none: do not show the tab; - admin: full instance access; - read-only: read-only access; - byInstance: each resource will have its configuration sent by the backend;
The user will only be able to manage the guests he/she is assigned for, because that the guest tab has 'mode' == admin As a user can edit a guest, he/she may need to know which networks and storage pools are configured, so set network and storage tab 'mode' to read-only. And as user should not perform any operation on host or templates, set their 'mode' attributes to 'none'.
Signed-off-by: Aline Manera<alinefm@linux.vnet.ibm.com> --- config/ui/tabs.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/config/ui/tabs.xml b/config/ui/tabs.xml index b045521..b8e7bd6 100644 --- a/config/ui/tabs.xml +++ b/config/ui/tabs.xml @@ -1,22 +1,22 @@ <?xml version="1.0" encoding="utf-8"?> <tabs> - <tab> + <tab mode="none"> <title>Host</title> <path>tabs/host.html</path> </tab> - <tab> + <tab mode="admin"> <title>Guests</title> <path>tabs/guests.html</path> </tab> - <tab> + <tab mode="none"> <title>Templates</title> <path>tabs/templates.html</path> </tab> - <tab> + <tab mode="read-only"> <title>Storage</title> <path>tabs/storage.html</path> </tab> - <tab> + <tab mode="read-only"> <title>Network</title> <path>tabs/network.html</path> </tab>
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel