[Kimchi-devel] [kimchi-devel RFC] REST API for Permission check and fixes

Shu Ming shuming at linux.vnet.ibm.com
Thu Jan 16 02:35:08 UTC 2014


I don't agree to change the permission in Kimchi even there is a 
permission confirmation warning.   It is the responsibility of the host 
system administrator to change the permission.

2014/1/16 10:04, Aline Manera:
>
> Looks good for me.
>
> And I agree with Sheldon we need to add a change permission 
> confirmation on UI
>
> Just a comment below.
>
> On 01/13/2014 06:14 AM, Royce Lv wrote:
>> User scenarios:
>>
>>     Users may create template from ISOs from shallow/deep scan or 
>> from a user specified local path. Because kimchid runs as root and 
>> have access of most ISOs scanned. For qemu, however, the real user to 
>> start a vm, does not always have access of the ISO to install a vm. 
>> Under this circumstance,  we need to denote that:
>>
>> 1. On scanning, indicate which ISOs may not be accessible by qemu user.
>> 2. When create a template from an ISO which qemu does not have access 
>> , ask if user want to fix permission, if not, disable the template.
>
> Why should we allow a user create a template that will be disabled 
> because the ISO isn't accessible?
>
>> 3. If user accept fix permission, change permission of template cdrom.
>>
>> Rest API will look like:
>> 1. scanning and report
>>     GET /storagepools/pool-1/storagevolumes/iso-volume
>>     {'type': 'raw', 'path': '/home/i-am-an-iso.iso', 'accessible': 
>> False}
>>
>> 2. Create template
>>     POST /templates
>>     {'name': 'template-1'
>>       'cdrom': 'a-b-c'} "a-b-c.iso" not accessible by qemu
>>    ---->
>>     {'name': 'template-1', 'status': 'disable'}
>>     NOTE: template in 'disable' status may because of any of its 
>> facility not active (storagepool, iso, network, etc)
>>
>> 3. Fix permission(Permission fix just open for template, we don't 
>> support fix for single volume/path temporarily)
>>     PUT /templates/t-1/cdrom {'accessible': True}
>
> _______________________________________________
> Kimchi-devel mailing list
> Kimchi-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>




More information about the Kimchi-devel mailing list