[Engine-devel] Managing permissions on network

Itamar Heim iheim at redhat.com
Tue Nov 13 13:39:45 UTC 2012


On 11/13/2012 03:37 PM, Livnat Peer wrote:
> On 13/11/12 15:19, Itamar Heim wrote:
>> On 11/13/2012 12:45 PM, Livnat Peer wrote:
>>> Interesting point, I think that if a user has permission to create a VM
>>> from a specific template we should give him permission to use the
>>> template networks on this VM implicitly upon the VM creation.
>>
>> Having a permission to a template does not mean a permission to the
>> default network of that VM, especially as we'll use templates more as
>> instance types.
>
> Another alternative is to require permission on the network as well as
> the template.
> I must say I don't really like it, although I agree with your comment,
> we require too many operations for enabling a user to create a VM from
> template (permission on the template, quota on the storage, permissions
> on the network, next we'll require a PhD ;)).
>
> Anyone has a better idea?

I assume most networks would be given either to 'everyone' or groups of
users, not per user (and if the network is per user/tenant, then it must
be done per user).
I may not remember correctly, but I thought when giving quota to user we
also give some permissions with it (on cluster and storage)?


