[PATCH 0/2] authorization: Backend changes
From: Aline Manera <alinefm@linux.vnet.ibm.com> This patchset provides the backend changes discussed in "[Kimchi-devel] RFC: Design of Authorization in Kimchi" Aline Manera (2): authorization: Update /login to return user roles instead of sudo parameter authorization: Add "mode" attribute to describe user view config/ui/tabs.xml | 10 +++++----- src/kimchi/auth.py | 12 ++++++++---- tests/test_rest.py | 6 ++++++ tests/utils.py | 6 +++--- 4 files changed, 22 insertions(+), 12 deletions(-) -- 1.9.3
From: Aline Manera <alinefm@linux.vnet.ibm.com> For now, Kimchi just supports 2 types of user roles: 'admin' - user has full control of Kimchi features and 'user' with limited access. But in future the idea is to have more and more roles so it is good to already provide the authorization support with that in mind. That way, instead of only returning if user has or not sudo permissions, the /login API will return the user roles. If the user has sudo permissions he/she will have 'admin' role, otherwise, 'user' role. curl -H "Content-Type: application/json" -H "Accept: application/json" http://localhost:8010/login -d'{"username": "guest", "password": "guest-passwd"}' -X POST {"username": "guest", "roles": ["user"], "groups": []} curl -H "Content-Type: application/json" -H "Accept: application/json" http://localhost:8010/login -d'{"username": "sysadmin", "password": "sysadmin-passwd"}' -X POST {"username": "sysadmin", "roles": ["admin"], "groups": []} Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- src/kimchi/auth.py | 12 ++++++++---- tests/test_rest.py | 6 ++++++ tests/utils.py | 6 +++--- 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py index 6a4a610..b1febf0 100644 --- a/src/kimchi/auth.py +++ b/src/kimchi/auth.py @@ -38,6 +38,7 @@ USER_NAME = 'username' USER_GROUPS = 'groups' USER_SUDO = 'sudo' +USER_ROLES = 'roles' REFRESH = 'robot-refresh' @@ -62,7 +63,7 @@ def __init__(self, username): self.user = {} self.user[USER_NAME] = username self.user[USER_GROUPS] = None - self.user[USER_SUDO] = False + self.user[USER_ROLES] = ['user'] def get_groups(self): self.user[USER_GROUPS] = [g.gr_name for g in grp.getgrall() @@ -74,10 +75,13 @@ def has_sudo(self): p = multiprocessing.Process(target=self._has_sudo, args=(result,)) p.start() p.join() - self.user[USER_SUDO] = bool(result.value) - return self.user[USER_SUDO] + if result.value: + self.user[USER_ROLES] = ['admin'] + return result.value def _has_sudo(self, result): + result.value = False + _master, slave = pty.openpty() os.setsid() fcntl.ioctl(slave, termios.TIOCSCTTY, 0) @@ -94,7 +98,7 @@ def _has_sudo(self, result): self.user[USER_NAME]]) for line in out.split('\n'): if line and re.search("(ALL)", line): - result.value = 1 + result.value = True debug("User %s can run any command with sudo" % result.value) return diff --git a/tests/test_rest.py b/tests/test_rest.py index ad8fc72..ba9431d 100644 --- a/tests/test_rest.py +++ b/tests/test_rest.py @@ -1552,6 +1552,12 @@ def test_auth_session(self): req = json.dumps({'username': user, 'password': pw}) resp = self.request('/login', req, 'POST', hdrs) self.assertEquals(200, resp.status) + + user_info = json.loads(resp.read()) + self.assertEquals(sorted(user_info.keys()), + ['groups', 'roles', 'username']) + self.assertEquals(user_info['roles'], [u'admin']) + cookie = resp.getheader('set-cookie') hdrs['Cookie'] = cookie diff --git a/tests/utils.py b/tests/utils.py index fd9b23c..4853b7a 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -157,8 +157,8 @@ def patch_auth(sudo=True): def _get_groups(self): return None - def _has_sudo(self): - return sudo + def _has_sudo(self, result): + result.value = sudo def _authenticate(username, password, service="passwd"): try: @@ -170,7 +170,7 @@ def _authenticate(username, password, service="passwd"): import kimchi.auth kimchi.auth.authenticate = _authenticate kimchi.auth.User.get_groups = _get_groups - kimchi.auth.User.has_sudo = _has_sudo + kimchi.auth.User._has_sudo = _has_sudo def normalize_xml(xml_str): -- 1.9.3
The login pattern has been changed to the traditional login page which the "username" and the "password" will be submitted using form. However the "/login" api is used in the login_window pattern that we no longer use. When using the "/login", browser get a "303" and redirect the page to |https://9.123.141.135:8001/#tabs/guests. from my point of view, I suppose we build another API that supplies the "GET" method for the browser to get the username and role. Or else pass the "username" and "role" through xml to have it stored into sessionstorage or cookie. For the roles, I recommend we have at least four for this release: *admin*, *by-instance*, *read-only*, *none*. It's the by-instance mode I have to explain. from the diagram, tab mode is used for xml transfering which tab is going to be displayed by user role. Take "Guest" tab for example, not only do we need to show the tab, but also we need to know the user's role so that we can display the proper vms. Different users need different privilege for action. admin has full access, guest might be divided into two roles: one is common users we give the user the ability to start/stop/delete the vms that belongs to him, the other one might be admin-user who is able to have the whole access to the action tab. To clarify that, we need the by-instance tab. and the sub-tab. Waiting for your comments Best Regards Wang Wen |On 7/11/2014 10:16 AM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera <alinefm@linux.vnet.ibm.com>
For now, Kimchi just supports 2 types of user roles: 'admin' - user has full control of Kimchi features and 'user' with limited access. But in future the idea is to have more and more roles so it is good to already provide the authorization support with that in mind. That way, instead of only returning if user has or not sudo permissions, the /login API will return the user roles. If the user has sudo permissions he/she will have 'admin' role, otherwise, 'user' role.
curl -H "Content-Type: application/json" -H "Accept: application/json" http://localhost:8010/login -d'{"username": "guest", "password": "guest-passwd"}' -X POST
{"username": "guest", "roles": ["user"], "groups": []}
curl -H "Content-Type: application/json" -H "Accept: application/json" http://localhost:8010/login -d'{"username": "sysadmin", "password": "sysadmin-passwd"}' -X POST
{"username": "sysadmin", "roles": ["admin"], "groups": []}
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- src/kimchi/auth.py | 12 ++++++++---- tests/test_rest.py | 6 ++++++ tests/utils.py | 6 +++--- 3 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py index 6a4a610..b1febf0 100644 --- a/src/kimchi/auth.py +++ b/src/kimchi/auth.py @@ -38,6 +38,7 @@ USER_NAME = 'username' USER_GROUPS = 'groups' USER_SUDO = 'sudo' +USER_ROLES = 'roles' REFRESH = 'robot-refresh'
@@ -62,7 +63,7 @@ def __init__(self, username): self.user = {} self.user[USER_NAME] = username self.user[USER_GROUPS] = None - self.user[USER_SUDO] = False + self.user[USER_ROLES] = ['user']
def get_groups(self): self.user[USER_GROUPS] = [g.gr_name for g in grp.getgrall() @@ -74,10 +75,13 @@ def has_sudo(self): p = multiprocessing.Process(target=self._has_sudo, args=(result,)) p.start() p.join() - self.user[USER_SUDO] = bool(result.value) - return self.user[USER_SUDO] + if result.value: + self.user[USER_ROLES] = ['admin'] + return result.value
def _has_sudo(self, result): + result.value = False + _master, slave = pty.openpty() os.setsid() fcntl.ioctl(slave, termios.TIOCSCTTY, 0) @@ -94,7 +98,7 @@ def _has_sudo(self, result): self.user[USER_NAME]]) for line in out.split('\n'): if line and re.search("(ALL)", line): - result.value = 1 + result.value = True debug("User %s can run any command with sudo" % result.value) return diff --git a/tests/test_rest.py b/tests/test_rest.py index ad8fc72..ba9431d 100644 --- a/tests/test_rest.py +++ b/tests/test_rest.py @@ -1552,6 +1552,12 @@ def test_auth_session(self): req = json.dumps({'username': user, 'password': pw}) resp = self.request('/login', req, 'POST', hdrs) self.assertEquals(200, resp.status) + + user_info = json.loads(resp.read()) + self.assertEquals(sorted(user_info.keys()), + ['groups', 'roles', 'username']) + self.assertEquals(user_info['roles'], [u'admin']) + cookie = resp.getheader('set-cookie') hdrs['Cookie'] = cookie
diff --git a/tests/utils.py b/tests/utils.py index fd9b23c..4853b7a 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -157,8 +157,8 @@ def patch_auth(sudo=True): def _get_groups(self): return None
- def _has_sudo(self): - return sudo + def _has_sudo(self, result): + result.value = sudo
def _authenticate(username, password, service="passwd"): try: @@ -170,7 +170,7 @@ def _authenticate(username, password, service="passwd"): import kimchi.auth kimchi.auth.authenticate = _authenticate kimchi.auth.User.get_groups = _get_groups - kimchi.auth.User.has_sudo = _has_sudo + kimchi.auth.User._has_sudo = _has_sudo
def normalize_xml(xml_str):
On 07/11/2014 08:40 AM, Wen Wang wrote:
The login pattern has been changed to the traditional login page which the "username" and the "password" will be submitted using form. However the "/login" api is used in the login_window pattern that we no longer use. When using the "/login", browser get a "303" and redirect the page to |https://9.123.141.135:8001/#tabs/guests.
from my point of view, I suppose we build another API that supplies the "GET" method for the browser to get the username and role. Or else pass the "username" and "role" through xml to have it stored into sessionstorage or cookie.
Got your point! From backend code I have: @cherrypy.expose def login(self, *args, **kwargs): ... auth.login(username, password, **kwa) raise cherrypy.HTTPRedirect(next_url, 303) I suggest we do the redirection in the front end after receiving the login data @cherrypy.expose def login(self, *args, **kwargs): ... return auth.login(username, password, **kwa) And in UI get the data and redirect to right page What do you think?
For the roles, I recommend we have at least four for this release: *admin*, *by-instance*, *read-only*, *none*. It's the by-instance mode I have to explain.
The roles for 1.3 will be "admin" and "user" What you listed above are the "mode" attribute values
from the diagram, tab mode is used for xml transfering which tab is going to be displayed by user role. Take "Guest" tab for example, not only do we need to show the tab, but also we need to know the user's role so that we can display the proper vms. Different users need different privilege for action.
Related to the guest tab, if the user has access to a VM (ie, user is assigned to that VM) he/she will have full control in the VM admin has full access, guest might be
divided into two roles: one is common users we give the user the ability to start/stop/delete the vms that belongs to him, the other one might be admin-user who is able to have the whole access to the action tab. To clarify that, we need the by-instance tab. and the sub-tab.
Let me try to resume: "admin" role in Guest tab can do everything: manage all VMs, create new ones, etc "user" role in Guest tab can manage all the VMs listed and CAN NOT CREATE NEW ONE We just need to care about those 2 roles right now When we add more roles, we do the adjustments needed to accommodate them
Waiting for your comments
Best Regards
Wang Wen
|On 7/11/2014 10:16 AM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera<alinefm@linux.vnet.ibm.com>
For now, Kimchi just supports 2 types of user roles: 'admin' - user has full control of Kimchi features and 'user' with limited access. But in future the idea is to have more and more roles so it is good to already provide the authorization support with that in mind. That way, instead of only returning if user has or not sudo permissions, the /login API will return the user roles. If the user has sudo permissions he/she will have 'admin' role, otherwise, 'user' role.
curl -H "Content-Type: application/json" -H "Accept: application/json" http://localhost:8010/login -d'{"username": "guest", "password": "guest-passwd"}' -X POST
{"username": "guest", "roles": ["user"], "groups": []}
curl -H "Content-Type: application/json" -H "Accept: application/json" http://localhost:8010/login -d'{"username": "sysadmin", "password": "sysadmin-passwd"}' -X POST
{"username": "sysadmin", "roles": ["admin"], "groups": []}
Signed-off-by: Aline Manera<alinefm@linux.vnet.ibm.com> --- src/kimchi/auth.py | 12 ++++++++---- tests/test_rest.py | 6 ++++++ tests/utils.py | 6 +++--- 3 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py index 6a4a610..b1febf0 100644 --- a/src/kimchi/auth.py +++ b/src/kimchi/auth.py @@ -38,6 +38,7 @@ USER_NAME = 'username' USER_GROUPS = 'groups' USER_SUDO = 'sudo' +USER_ROLES = 'roles' REFRESH = 'robot-refresh'
@@ -62,7 +63,7 @@ def __init__(self, username): self.user = {} self.user[USER_NAME] = username self.user[USER_GROUPS] = None - self.user[USER_SUDO] = False + self.user[USER_ROLES] = ['user']
def get_groups(self): self.user[USER_GROUPS] = [g.gr_name for g in grp.getgrall() @@ -74,10 +75,13 @@ def has_sudo(self): p = multiprocessing.Process(target=self._has_sudo, args=(result,)) p.start() p.join() - self.user[USER_SUDO] = bool(result.value) - return self.user[USER_SUDO] + if result.value: + self.user[USER_ROLES] = ['admin'] + return result.value
def _has_sudo(self, result): + result.value = False + _master, slave = pty.openpty() os.setsid() fcntl.ioctl(slave, termios.TIOCSCTTY, 0) @@ -94,7 +98,7 @@ def _has_sudo(self, result): self.user[USER_NAME]]) for line in out.split('\n'): if line and re.search("(ALL)", line): - result.value = 1 + result.value = True debug("User %s can run any command with sudo" % result.value) return diff --git a/tests/test_rest.py b/tests/test_rest.py index ad8fc72..ba9431d 100644 --- a/tests/test_rest.py +++ b/tests/test_rest.py @@ -1552,6 +1552,12 @@ def test_auth_session(self): req = json.dumps({'username': user, 'password': pw}) resp = self.request('/login', req, 'POST', hdrs) self.assertEquals(200, resp.status) + + user_info = json.loads(resp.read()) + self.assertEquals(sorted(user_info.keys()), + ['groups', 'roles', 'username']) + self.assertEquals(user_info['roles'], [u'admin']) + cookie = resp.getheader('set-cookie') hdrs['Cookie'] = cookie
diff --git a/tests/utils.py b/tests/utils.py index fd9b23c..4853b7a 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -157,8 +157,8 @@ def patch_auth(sudo=True): def _get_groups(self): return None
- def _has_sudo(self): - return sudo + def _has_sudo(self, result): + result.value = sudo
def _authenticate(username, password, service="passwd"): try: @@ -170,7 +170,7 @@ def _authenticate(username, password, service="passwd"): import kimchi.auth kimchi.auth.authenticate = _authenticate kimchi.auth.User.get_groups = _get_groups - kimchi.auth.User.has_sudo = _has_sudo + kimchi.auth.User._has_sudo = _has_sudo
def normalize_xml(xml_str):
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
From: Aline Manera <alinefm@linux.vnet.ibm.com> Kimchi has 2 user roles: "admin" with full control of Kimchi features and "user" with limited access To describe how each tab should be displayed for a user, the "mode" attribute should be added. The "mode" attribute values are: - none: do not show the tab; - admin: full instance access; - read-only: read-only access; - byInstance: each resource will have its configuration sent by the backend; The user will only be able to manage the guests he/she is assigned for, because that the guest tab has 'mode' == admin As a user can edit a guest, he/she may need to know which networks and storage pools are configured, so set network and storage tab 'mode' to read-only. And as user should not perform any operation on host or templates, set their 'mode' attributes to 'none'. Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- config/ui/tabs.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/config/ui/tabs.xml b/config/ui/tabs.xml index b045521..b8e7bd6 100644 --- a/config/ui/tabs.xml +++ b/config/ui/tabs.xml @@ -1,22 +1,22 @@ <?xml version="1.0" encoding="utf-8"?> <tabs> - <tab> + <tab mode="none"> <title>Host</title> <path>tabs/host.html</path> </tab> - <tab> + <tab mode="admin"> <title>Guests</title> <path>tabs/guests.html</path> </tab> - <tab> + <tab mode="none"> <title>Templates</title> <path>tabs/templates.html</path> </tab> - <tab> + <tab mode="read-only"> <title>Storage</title> <path>tabs/storage.html</path> </tab> - <tab> + <tab mode="read-only"> <title>Network</title> <path>tabs/network.html</path> </tab> -- 1.9.3
Thanks Aline, I think there might be some issues by changing the xml file manually. From the *tabs.xml* we get the mode that a user should have but it doesn't change when we change user. I have applied your code and it's something like this: Either using a guest or root we can only get the permitted tabs of the guest. Can we have the kimchi/config/ui/tabs.xml changed automatically according to the logged in user. Role distinguishing can be done in the back-end and add the right mode to this xml file automatically? Or else we might need to find other ways to transfer the user roles. Best regards Wang Wen On 7/11/2014 10:16 AM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera <alinefm@linux.vnet.ibm.com>
Kimchi has 2 user roles: "admin" with full control of Kimchi features and "user" with limited access To describe how each tab should be displayed for a user, the "mode" attribute should be added. The "mode" attribute values are:
- none: do not show the tab; - admin: full instance access; - read-only: read-only access; - byInstance: each resource will have its configuration sent by the backend;
The user will only be able to manage the guests he/she is assigned for, because that the guest tab has 'mode' == admin As a user can edit a guest, he/she may need to know which networks and storage pools are configured, so set network and storage tab 'mode' to read-only. And as user should not perform any operation on host or templates, set their 'mode' attributes to 'none'.
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- config/ui/tabs.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/config/ui/tabs.xml b/config/ui/tabs.xml index b045521..b8e7bd6 100644 --- a/config/ui/tabs.xml +++ b/config/ui/tabs.xml @@ -1,22 +1,22 @@ <?xml version="1.0" encoding="utf-8"?> <tabs> - <tab> + <tab mode="none"> <title>Host</title> <path>tabs/host.html</path> </tab> - <tab> + <tab mode="admin"> <title>Guests</title> <path>tabs/guests.html</path> </tab> - <tab> + <tab mode="none"> <title>Templates</title> <path>tabs/templates.html</path> </tab> - <tab> + <tab mode="read-only"> <title>Storage</title> <path>tabs/storage.html</path> </tab> - <tab> + <tab mode="read-only"> <title>Network</title> <path>tabs/network.html</path> </tab>
On 07/11/2014 03:31 AM, Wen Wang wrote:
Thanks Aline, I think there might be some issues by changing the xml file manually. From the *tabs.xml* we get the mode that a user should have but it doesn't change when we change user. I have applied your code and it's something like this:
Either using a guest or root we can only get the permitted tabs of the guest. Can we have the kimchi/config/ui/tabs.xml changed automatically according to the logged in user. Role distinguishing can be done in the back-end and add the right mode to this xml file automatically? Or else we might need to find other ways to transfer the user roles.
From what we have discussed in "[Kimchi-devel] RFC: Design of Authorization in Kimchi" I understood the "mode" attribute will only be used for a "user" role and ignored if the user has a "admin" role as he/she has full control on kimchi Example, in JS would have a code like: if "admin" in roles: # upload all tabs elif "user" in roles: # read mode attribute But thinking in the future roles we will have we will need to do what you proposed by changing tabs.xml automatically. I will send a V2 patch with that Thanks for the review.
Best regards Wang Wen
On 7/11/2014 10:16 AM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera<alinefm@linux.vnet.ibm.com>
Kimchi has 2 user roles: "admin" with full control of Kimchi features and "user" with limited access To describe how each tab should be displayed for a user, the "mode" attribute should be added. The "mode" attribute values are:
- none: do not show the tab; - admin: full instance access; - read-only: read-only access; - byInstance: each resource will have its configuration sent by the backend;
The user will only be able to manage the guests he/she is assigned for, because that the guest tab has 'mode' == admin As a user can edit a guest, he/she may need to know which networks and storage pools are configured, so set network and storage tab 'mode' to read-only. And as user should not perform any operation on host or templates, set their 'mode' attributes to 'none'.
Signed-off-by: Aline Manera<alinefm@linux.vnet.ibm.com> --- config/ui/tabs.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/config/ui/tabs.xml b/config/ui/tabs.xml index b045521..b8e7bd6 100644 --- a/config/ui/tabs.xml +++ b/config/ui/tabs.xml @@ -1,22 +1,22 @@ <?xml version="1.0" encoding="utf-8"?> <tabs> - <tab> + <tab mode="none"> <title>Host</title> <path>tabs/host.html</path> </tab> - <tab> + <tab mode="admin"> <title>Guests</title> <path>tabs/guests.html</path> </tab> - <tab> + <tab mode="none"> <title>Templates</title> <path>tabs/templates.html</path> </tab> - <tab> + <tab mode="read-only"> <title>Storage</title> <path>tabs/storage.html</path> </tab> - <tab> + <tab mode="read-only"> <title>Network</title> <path>tabs/network.html</path> </tab>
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
On 07/11/2014 08:28 AM, Aline Manera wrote:
On 07/11/2014 03:31 AM, Wen Wang wrote:
Thanks Aline, I think there might be some issues by changing the xml file manually. From the *tabs.xml* we get the mode that a user should have but it doesn't change when we change user. I have applied your code and it's something like this:
Either using a guest or root we can only get the permitted tabs of the guest. Can we have the kimchi/config/ui/tabs.xml changed automatically according to the logged in user. Role distinguishing can be done in the back-end and add the right mode to this xml file automatically? Or else we might need to find other ways to transfer the user roles.
From what we have discussed in "[Kimchi-devel] RFC: Design of Authorization in Kimchi" I understood the "mode" attribute will only be used for a "user" role and ignored if the user has a "admin" role as he/she has full control on kimchi
Example, in JS would have a code like:
if "admin" in roles: # upload all tabs
elif "user" in roles: # read mode attribute
But thinking in the future roles we will have we will need to do what you proposed by changing tabs.xml automatically. I will send a V2 patch with that
It will not work for us! Creating the tabs.xml automatically implies in having multiples tabs.xml file - at least one file per user. So I suggest turn back to my first proposal and list on xml the "mode" per "role" As more roles are added, we just need to update this file to add a new element *access* <tab *id=host*> <*access* role="admin" mode="admin"/> <*access* role="user" mode="none"/> <title>Host</title> <path>tabs/host.html</path> </tab> <tab *id=guests*> <*access* role="admin" mode="admin"/> <*access* role="user" mode="byinstance"/> <title>Guests</title> <path>tabs/guests.html</path> </tab> Then we change /login to return the role per tab: POST /login {username: ..., password: ...} { username: ..., roles: {host: admin, templates: user, ...} } So according to roles we can get the mode each tab is configured. user_access = login.roles for tab in user_access: get mode from xml according to tab and role I will send an RFC patch with that soon. Hope it solves our issues.
Thanks for the review.
Best regards Wang Wen
On 7/11/2014 10:16 AM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera<alinefm@linux.vnet.ibm.com>
Kimchi has 2 user roles: "admin" with full control of Kimchi features and "user" with limited access To describe how each tab should be displayed for a user, the "mode" attribute should be added. The "mode" attribute values are:
- none: do not show the tab; - admin: full instance access; - read-only: read-only access; - byInstance: each resource will have its configuration sent by the backend;
The user will only be able to manage the guests he/she is assigned for, because that the guest tab has 'mode' == admin As a user can edit a guest, he/she may need to know which networks and storage pools are configured, so set network and storage tab 'mode' to read-only. And as user should not perform any operation on host or templates, set their 'mode' attributes to 'none'.
Signed-off-by: Aline Manera<alinefm@linux.vnet.ibm.com> --- config/ui/tabs.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/config/ui/tabs.xml b/config/ui/tabs.xml index b045521..b8e7bd6 100644 --- a/config/ui/tabs.xml +++ b/config/ui/tabs.xml @@ -1,22 +1,22 @@ <?xml version="1.0" encoding="utf-8"?> <tabs> - <tab> + <tab mode="none"> <title>Host</title> <path>tabs/host.html</path> </tab> - <tab> + <tab mode="admin"> <title>Guests</title> <path>tabs/guests.html</path> </tab> - <tab> + <tab mode="none"> <title>Templates</title> <path>tabs/templates.html</path> </tab> - <tab> + <tab mode="read-only"> <title>Storage</title> <path>tabs/storage.html</path> </tab> - <tab> + <tab mode="read-only"> <title>Network</title> <path>tabs/network.html</path> </tab>
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
participants (3)
-
Aline Manera -
alinefm@linux.vnet.ibm.com
-
Wen Wang