[Kimchi-devel] [kimchi-devel RFC] REST API for Permission check and fixes

Sheldon shaohef at linux.vnet.ibm.com
Tue Jan 14 10:26:05 UTC 2014 

On 01/14/2014 02:13 PM, Shu Ming wrote:
> 于 2014/1/13 16:14, Royce Lv 写道:
>> User scenarios:
>>
>> Users may create template from ISOs from shallow/deep scan or from a 
>> user specified local path. Because kimchid runs as root and have 
>> access of most ISOs scanned. For qemu, however, the real user to 
>> start a vm, does not always have access of the ISO to install a vm. 
>> Under this circumstance, we need to denote that:
>>
>> 1. On scanning, indicate which ISOs may not be accessible by qemu user.
>> 2. When create a template from an ISO which qemu does not have access 
>> , ask if user want to fix permission, if not, disable the template.
>> 3. If user accept fix permission, change permission of template cdrom.
>>
>> Rest API will look like:
>> 1. scanning and report
>> GET /storagepools/pool-1/storagevolumes/iso-volume
>> {'type': 'raw', 'path': '/home/i-am-an-iso.iso', 'accessible': False}
>>
>> 2. Create template
>> POST /templates
>> {'name': 'template-1'
>> 'cdrom': 'a-b-c'} "a-b-c.iso" not accessible by qemu
>> ---->
>> {'name': 'template-1', 'status': 'disable'}
>> NOTE: template in 'disable' status may because of any of its facility 
>> not active (storagepool, iso, network, etc)
>>
>> 3. Fix permission(Permission fix just open for template, we don't 
>> support fix for single volume/path temporarily)
>> PUT /templates/t-1/cdrom {'accessible': True}
>
> First of all, I don't like to fix the permission of an existing ISO to 
> make it accessable by qemu process. I think it is the system 
> administrator's responsibility to fix the permission instead of 
> Kimchi's. However, we can give a hint in the UI for all the ISOs found 
> which can not be accessed by qemu process and hint the system 
> administrator to do the manual fix.
Do you means we just need:
1. scanning and report
GET /storagepools/pool-1/storagevolumes/iso-volume
{'type': 'raw', 'path': '/home/i-am-an-iso.iso', 'accessible': False}

2. Create template
POST /templates
{'name': 'template-1'
'cdrom': 'a-b-c'} "a-b-c.iso" not accessible by qemu
---->
{'name': 'template-1', 'status': 'disable'}
NOTE: template in 'disable' status may because of any of its facility 
not active (storagepool, iso, network, etc)

do not need
3. Fix permission(Permission fix just open for template, we don't 
support fix for single volume/path temporarily)
PUT /templates/t-1/cdrom {'accessible': True}

?

>
>
>>
>> _______________________________________________
>> Kimchi-devel mailing list
>> Kimchi-devel at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>>
>
> _______________________________________________
> Kimchi-devel mailing list
> Kimchi-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/kimchi-devel


-- 
Thanks and best regards!

Sheldon Feng(冯少合)<shaohef at linux.vnet.ibm.com>
IBM Linux Technology Center

More information about the Kimchi-devel mailing list