[Kimchi-devel] [kimchi-devel RFC] REST API for Permission check and fixes

Shu Ming shuming at linux.vnet.ibm.com
Thu Jan 16 03:26:31 UTC 2014


On 2014/1/16 10:39, Aline Manera wrote:
> On 01/16/2014 12:35 AM, Shu Ming wrote:
>> I don't agree to change the permission in Kimchi even if there is a 
>> permission confirmation warning. It is the responsibility of the host 
>> system administrator to change the permission.
>
> And why can't kimchi provide this ability through the UI?
> If the admin would like to change the permission, they can do it when 
> creating the template; otherwise, skip it.

The admin in Kimchi is different from the system administrator on the 
host. All the directories on the host are owned by the system 
administrator of the host. In other words, the "root" account logged in 
to Kimchi is a different account from the "root" account on the Linux host. 
We cannot assume the account in Kimchi can change the permission of the 
directories on the host.

>
>>
>> 2014/1/16 10:04, Aline Manera:
>>>
>>> Looks good to me.
>>>
>>> And I agree with Sheldon that we need to add a change permission 
>>> confirmation to the UI.
>>>
>>> Just a comment below.
>>>
>>> On 01/13/2014 06:14 AM, Royce Lv wrote:
>>>> User scenarios:
>>>>
>>>> Users may create a template from ISOs found by a shallow/deep scan or 
>>>> from a user-specified local path. kimchid runs as root and has 
>>>> access to most of the ISOs scanned. qemu, however, the real user that 
>>>> starts a VM, does not always have access to the ISO to install a VM. 
>>>> Under this circumstance, we need to denote that:
>>>>
>>>> 1. On scanning, indicate which ISOs may not be accessible by the qemu 
>>>> user.
>>>> 2. When creating a template from an ISO which qemu does not have 
>>>> access to, ask if the user wants to fix the permission; if not, disable 
>>>> the template.
>>>
>>> Why should we allow a user to create a template that will be disabled 
>>> because the ISO isn't accessible?
>>>
>>>> 3. If the user accepts the permission fix, change the permission of the template cdrom.
>>>>
>>>> Rest API will look like:
>>>> 1. scanning and report
>>>> GET /storagepools/pool-1/storagevolumes/iso-volume
>>>> {'type': 'raw', 'path': '/home/i-am-an-iso.iso', 'accessible': False}
>>>>
>>>> 2. Create template
>>>> POST /templates
>>>> {'name': 'template-1',
>>>> 'cdrom': 'a-b-c'} "a-b-c.iso" not accessible by qemu
>>>> ---->
>>>> {'name': 'template-1', 'status': 'disable'}
>>>> NOTE: a template in 'disable' status may be because any of its 
>>>> facilities is not active (storagepool, iso, network, etc)
>>>>
>>>> 3. Fix permission (permission fix is only open for templates; we don't 
>>>> support a fix for a single volume/path temporarily)
>>>> PUT /templates/t-1/cdrom {'accessible': True}
>>>
>>>
>>
>
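
The 'accessible' check from the proposal quoted above, as an added example that is not part of the thread or of Kimchi's code: it reports, without changing any permission, which path component stops a given non-root user from reading an ISO. The function names and the `base` parameter are hypothetical; the caller supplies the qemu user's uid and group ids, and only POSIX mode bits are evaluated (ACLs, SELinux labels and root's override are out of scope).

```python
import os
import stat


def _class_bits(st, uid, gids):
    """Return the rwx triplet that POSIX mode bits grant uid/gids on st."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def first_blocker(path, uid, gids, base="/"):
    """Return the first component denying access to uid/gids, or None.

    Every directory from base down to the file's parent needs the search
    (x) bit; the file itself must be a regular file with the read (r) bit.
    """
    path, base = os.path.realpath(path), os.path.realpath(base)
    if path == base or os.path.commonpath([path, base]) != base:
        raise ValueError("path must be a file below base")
    dirs, cur = [], os.path.dirname(path)
    while True:
        dirs.append(cur)
        if cur == base:
            break
        cur = os.path.dirname(cur)
    for d in reversed(dirs):  # check top-down so the outermost blocker wins
        if not _class_bits(os.stat(d), uid, gids) & 1:
            return d
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode) or not _class_bits(st, uid, gids) & 4:
        return path
    return None


def volume_report(path, uid, gids, base="/"):
    """Build the 'path'/'accessible' pair shown in the proposed GET reply."""
    return {"path": path,
            "accessible": first_blocker(path, uid, gids, base) is None}
```

Returning the blocking component rather than a bare boolean lets the host administrator see exactly which directory or file would need a permission change.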