[Engine-devel] Managing permissions on network

Gilad Chaplik gchaplik at redhat.com
Wed Nov 14 08:21:11 UTC 2012


----- Original Message -----
> From: "Itamar Heim" <iheim at redhat.com>
> To: "Livnat Peer" <lpeer at redhat.com>
> Cc: engine-devel at ovirt.org, "Michal Skrivanek" <mskrivan at redhat.com>, "Andrew Cathrow" <acathrow at redhat.com>, "Gilad
> Chaplik" <gchaplik at redhat.com>, "Doron Fediuck" <dfediuck at redhat.com>
> Sent: Tuesday, November 13, 2012 8:19:01 PM
> Subject: Re: [Engine-devel] Managing permissions on network
> 
> On 11/13/2012 07:18 PM, Livnat Peer wrote:
> > On 13/11/12 15:39, Itamar Heim wrote:
> >> On 11/13/2012 03:37 PM, Livnat Peer wrote:
> >>> On 13/11/12 15:19, Itamar Heim wrote:
> >>>> On 11/13/2012 12:45 PM, Livnat Peer wrote:
> >>>>> Interesting point, I think that if a user has permission to
> >>>>> create a VM
> >>>>> from a specific template we should give him permission to use
> >>>>> the
> >>>>> template networks on this VM implicitly upon the VM creation.
> >>>>
> >>>> having a permission to a template does not mean a permission to
> >>>> the
> >>>> default network of that VM, especially as we'll use templates
> >>>> more as
> >>>> instance types.
> >>>
> >>> Another alternative is to require permission on the network as
> >>> well as
> >>> the template.
> >>> I must say I don't really like it, although I agree with your
> >>> comment,
> >>> we require too many operations for enabling a user to create a VM
> >>> from
> >>> template (permission on the template, quota on the storage,
> >>> permissions
> >>> on the network, next we'll require a PHD ;)).
> >>>
> >>> Anyone has a better idea?
> >>
> >> I assume most networks would be given either to 'everyone' or
> >> groups of
> >> users, not per user (and if the network is per user/tenant, then
> >> it must
> >> be done per user.
> >
> > Which reminds that I wanted to propose adding a property on a
> > network
> > which is called public.
> > It's just a UI feature to give a NetworkUser on this network to
> > 'everyone'. It makes making a network public easier for the user.
> >
> > In addition during upgrade we should make all existing networks
> > public
> > networks and not allocate specific permissions for users on
> > networks.
> >
> > In addition it also means a user is given permission on a network
> > and
> > then he can use it for any VM he owns. Isn't that problematic? We
> > can't
> > limit a user to use a network on a specific VM.
> 
> I think that's fine.
> don't let user edit that vm if you don't trust them.
> 
> >
> >> i may not remember correctly, but i thought when giving quota to
> >> user we
> >> also give some permissions with it (on cluster and storage)?
> >
> > I am not sure what is the current implementation as it changed a
> > lot,
> > but last I tracked we checked for either quota or permissions we
> > did not
> > give implicit permissions when creating a quota.
> >
> 
> gilad/doron?

No implicit permissions. IIRC it was never implemented

> 



More information about the Engine-devel mailing list