[Engine-devel] Disk Permissions Feature
Oved Ourfalli
ovedo at redhat.com
Sun Mar 18 09:09:54 UTC 2012
----- Original Message -----
> From: "Itamar Heim" <iheim at redhat.com>
> To: "Omer Frenkel" <ofrenkel at redhat.com>
> Cc: engine-devel at ovirt.org
> Sent: Thursday, March 15, 2012 5:46:07 PM
> Subject: Re: [Engine-devel] Disk Permissions Feature
>
> On 03/15/2012 05:34 PM, Omer Frenkel wrote:
> >>> > > 1. "Create disk - requires permissions on the Storage Domain, (can't assume Quota is sufficient to permit user creating the disk on the Storage Domain, as Quota might be disabled)"
> >>> > >
> >>> > > I'd also specify create disk for regular disks is at storage domain level?, while direct lun disks require system level permission of add disk.
> >>> > >
> >>> > > so, if quota is disabled, how important is it to prevent creation of disks (other than direct lun ones, which would require a permission similar to storage domain creation)?
> >>> > >
> >>> > > if this is added, it has to be implicitly added / not needed if user has quota (i.e., having a quota should be similar to having a permission as far as the check goes).
> >>> > >
> >> >
> >> > We should look into it, how complicated is it to validate if user has either quota or permission, and allow creating a disk on a SD if either exists.
> > this might be confusing to the user as he can disable the quota,
> > then stuff would stop working.
> >
>
> we can't require both quota and permissions from user on storage domains - that's cumbersome.
> question is if we can limit the need for permissions to disks only to places where they are needed (shared, direct, floating)?
+1 on that.
I also think it is only relevant on attaching a disk to a VM, as the other use-cases are simpler:
1. Attach disk to VM - would require having permissions on the disk (whether it is shared, direct lun or floating)
2. Add disk to VM - would only require quota (if enforced).
3. Create disk (i.e., floating/shared disk) - would only require quota (if enforced).
> _______________________________________________
> Engine-devel mailing list
> Engine-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/engine-devel
>
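
The two authorization models discussed in this thread, as an added example that is not part of the original messages and is not oVirt engine code. All class, function and object names are hypothetical, the sample user is constructed, and the "quota or permission" model assumes a quota only counts as a grant while quota is enabled.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ATTACH_DISK_TO_VM = 1
    ADD_DISK_TO_VM = 2
    CREATE_DISK = 3


@dataclass
class User:  # hypothetical model, not an oVirt engine class
    disk_perms: set = field(default_factory=set)   # disks the user holds a permission on
    sd_perms: set = field(default_factory=set)     # storage domains with an explicit permission
    quota_sds: set = field(default_factory=set)    # storage domains where the user has quota


def quota_or_permission(user, sd, quota_enforced):
    """Alternative discussed in the quoted text: creating a disk on a storage
    domain needs quota OR a permission. Assumption: a quota only counts as a
    grant while quota is enabled."""
    return (quota_enforced and sd in user.quota_sds) or sd in user.sd_perms


def per_use_case(user, action, sd, quota_enforced, disk=None):
    """Rules listed in the reply: attach checks the disk permission; add and
    create check quota only, and only when quota is enforced."""
    if action is Action.ATTACH_DISK_TO_VM:
        return disk is not None and disk in user.disk_perms
    if action in (Action.ADD_DISK_TO_VM, Action.CREATE_DISK):
        return (not quota_enforced) or sd in user.quota_sds
    return False  # default deny for anything not listed


# Constructed sample: quota on sd1, a permission on one shared disk, no SD permission.
alice = User(disk_perms={"shared-disk-1"}, quota_sds={"sd1"})

if __name__ == "__main__":
    for enforced in (True, False):
        print("quota enforced:", enforced)
        print("  quota-or-permission create on sd1:", quota_or_permission(alice, "sd1", enforced))
        print("  per-use-case create on sd1:", per_use_case(alice, Action.CREATE_DISK, "sd1", enforced))
    print("attach shared-disk-1:", per_use_case(alice, Action.ATTACH_DISK_TO_VM, "sd1", False, "shared-disk-1"))
    print("attach other-disk:", per_use_case(alice, Action.ATTACH_DISK_TO_VM, "sd1", False, "other-disk"))
```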