[Engine-devel] Disk Permissions Feature

Livnat Peer lpeer at redhat.com
Thu Mar 15 07:52:59 UTC 2012


On 15/03/12 07:25, Itamar Heim wrote:
> On 03/14/2012 02:20 AM, Moti Asayag wrote:
>> Hi all,
>>
>> Disk Permissions feature description Wiki page:
>> http://www.ovirt.org/wiki/Features/DiskPermissions
>>
>> Please share your comments.
> 
> I think you are lacking a paragraph explaining some of the issues around
> this:
> - are disks part of storage domains or VMs wrt permissions inheritance?
> - what about direct luns (are not part of storage domains)?
> - what about shared disks (multiple inheritance if from VM)?
> - what if tomorrow we allow disks to span multiple storage domains?
> - quotas are already a concept of permissions to create disks at
> storage domain level; does the user need both (cumbersome)?
> - when must we have this (to filter shared, floating or direct lun
> disks we would show to power users when not attached to VMs) - or these
> won't be available for now via the power user portal, only via admin.
> 
> 1. "Create disk - requires permissions on the Storage Domain, (can't
> assume Quota is sufficient to permit user creating the disk on the
> Storage Domain, as Quota might be disabled)"
> 
> I'd also specify create disk for regular disks is at storage domain
> level, while direct lun disks require system-level permission of add disk?
> 
> so, if quota is disabled, how important is it to prevent creation of
> disks (other than direct lun ones, which would require a permission
> similar to storage domain creation)?
> 
> if this is added, it has to be implicitly added / not needed if user has
> quota (i.e., having a quota should be similar to having a permission as
> far as the check goes).
> 

We should look into how complicated it is to validate whether the user has
either quota or permission, and allow creating a disk on a SD if either
exists.

> 2. "Attach disk to VM - requires permissions on the Disk and on the VM
> (applies for shared disk as well). "
> 
> which permission at disk is required? (disk access?)
> 
The user should have attach_disk permission on the disk and on the VM
(same action on two objects).

> 3. "Detach disk from VM - requires permissions on the VM only. (Unlike
> attach disk that requires permissions on the VM and on the Disk). "
> 
> will detaching a disk copy the permission it so far inherited from the VM?
> 

No, inheritance is never translated into explicit permission on the
objects in the hierarchy.

> 4. UI changes
> an edit permissions button from the VM disks subtab seems appropriate (will
> open a dialog, I guess)

I think we need a permissions subtab in the floating disk main tab.
I'll ask Einav to add the UI part as well to the wiki.



> _______________________________________________
> Engine-devel mailing list
> Engine-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/engine-devel
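The permission rules discussed in this thread (create needs a grant on the storage domain or, when quota is enabled, a quota on it; attach needs the same action on both disk and VM; detach needs the VM only; inherited permissions are never copied onto the disk), written out as a small authorization model. This is an added example, not oVirt engine code; the action names, object ids and the quota lookup are assumptions.

```python
# Toy model of the disk-permission rules from this thread. Constructed
# example, not oVirt engine code; action names and the quota store are assumed.

class DiskAcl:
    def __init__(self, quota_enabled=True):
        self.quota_enabled = quota_enabled
        self.grants = set()    # explicit (user, action, object_id) permissions
        self.quotas = set()    # (user, storage_domain) quota assignments
        self.attached = {}     # disk_id -> vm_id while the disk is attached

    def grant(self, user, action, obj):
        self.grants.add((user, action, obj))

    def has(self, user, action, obj):
        """Explicit grant on obj, or inherited from the VM the disk is attached to."""
        if (user, action, obj) in self.grants:
            return True
        vm = self.attached.get(obj)
        return vm is not None and (user, action, vm) in self.grants

    def can_create_disk(self, user, storage_domain):
        # Permission on the storage domain, or a quota on it when quota is
        # enabled (the "either quota or permission" check proposed in the reply).
        if self.has(user, "create_disk", storage_domain):
            return True
        return self.quota_enabled and (user, storage_domain) in self.quotas

    def can_attach_disk(self, user, disk, vm):
        # Same action on two objects: required on the disk AND on the VM.
        return self.has(user, "attach_disk", disk) and self.has(user, "attach_disk", vm)

    def can_detach_disk(self, user, vm):
        # Detach needs permission on the VM only.
        return self.has(user, "detach_disk", vm)

    def attach(self, user, disk, vm):
        if not self.can_attach_disk(user, disk, vm):
            raise PermissionError(f"{user} may not attach {disk} to {vm}")
        self.attached[disk] = vm

    def detach(self, user, disk):
        vm = self.attached.get(disk)
        if vm is None or not self.can_detach_disk(user, vm):
            raise PermissionError(f"{user} may not detach {disk}")
        # Inheritance is never copied into explicit grants: once detached,
        # the user's VM-level permissions no longer apply to the disk.
        del self.attached[disk]
```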