[Kimchi-devel] [kimchi-devel RFC] REST API for Permission check and fixes

Royce Lv lvroyce at linux.vnet.ibm.com
Thu Jan 16 03:33:45 UTC 2014


On 2014-01-16 10:04, Aline Manera wrote:
>
> Looks good to me.
>
> And I agree with Sheldon that we need to add a change-permission 
> confirmation on the UI
Discussed with Sheldon and Mark, and got a suggestion to only use setfacl 
to fix, without changing the mode.
If you guys agree, we will adopt this means.
>
> Just a comment below.
>
> On 01/13/2014 06:14 AM, Royce Lv wrote:
>> User scenarios:
>>
>> Users may create a template from ISOs from a shallow/deep scan or from 
>> a user-specified local path. Because kimchid runs as root, it has 
>> access to most ISOs scanned. qemu, however, the real user that 
>> starts a VM, does not always have access to the ISO to install a VM. 
>> Under this circumstance, we need to denote that:
>>
>> 1. On scanning, indicate which ISOs may not be accessible by the qemu user.
>> 2. When creating a template from an ISO which qemu does not have access 
>> to, ask if the user wants to fix the permission; if not, disable the template.
>
> Why should we allow a user to create a template that will be disabled 
> because the ISO isn't accessible?
If we don't allow it, we don't have a chance to fix the ISO when it is given 
by a full path ('/home/royce/i-am-iso'), not a storagepool volume; we can 
only fix it until the template is constructed.
>
>> 3. If the user accepts the permission fix, change the permission of the template cdrom.
>>
>> The REST API will look like:
>> 1. scanning and report
>> GET /storagepools/pool-1/storagevolumes/iso-volume
>> {'type': 'raw', 'path': '/home/i-am-an-iso.iso', 'accessible': False}
>>
>> 2. Create template
>> POST /templates
>> {'name': 'template-1',
>> 'cdrom': 'a-b-c'} ("a-b-c.iso" not accessible by qemu)
>> ---->
>> {'name': 'template-1', 'status': 'disable'}
>> NOTE: a template may be in 'disable' status because any of its 
>> facilities is not active (storagepool, iso, network, etc.)
>>
>> 3. Fix permission (permission fix is only open for templates; we don't 
>> support fixing a single volume/path temporarily)
>> PUT /templates/t-1/cdrom {'accessible': True}
>
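
An added example (not part of the original thread, and not Kimchi's own code): one way the 'accessible' flag and the setfacl-only fix discussed above could be computed. It checks classic mode bits only and ignores existing ACLs and SELinux/AppArmor labels; the function names, the `base` parameter and the user name `qemu` are assumptions.

```python
import os
import stat


def _allowed(st, uid, gids, want):
    """Owner/group/other check on mode bits; `want` is an 'other'-class bit."""
    if uid == 0:
        return True
    if uid == st.st_uid:
        return bool(st.st_mode & (want << 6))
    if st.st_gid in gids:
        return bool(st.st_mode & (want << 3))
    return bool(st.st_mode & want)


def blockers(path, uid, gids, base="/"):
    """Return [(component, 'x' or 'r')] that deny `uid` read access to `path`.

    Every directory strictly below `base` needs search ('x') permission and
    the final file needs read ('r'); `base` itself is not checked.
    """
    path, base = os.path.realpath(path), os.path.realpath(base)
    parts = os.path.relpath(path, base).split(os.sep)
    missing, cur = [], base
    for i, part in enumerate(parts):
        cur = os.path.join(cur, part)
        last = i == len(parts) - 1
        want, flag = (stat.S_IROTH, "r") if last else (stat.S_IXOTH, "x")
        if not _allowed(os.stat(cur), uid, gids, want):
            missing.append((cur, flag))
    return missing


def is_accessible(path, uid, gids, base="/"):
    """Value for the proposed 'accessible' field."""
    return not blockers(path, uid, gids, base)


def setfacl_fix(path, user, uid, gids, base="/"):
    """argv lists that add only the missing bits as ACL entries (no chmod).

    The commands are built, not executed, so they can be shown to the
    user for confirmation first.
    """
    return [["setfacl", "-m", "u:%s:%s" % (user, flag), comp]
            for comp, flag in blockers(path, uid, gids, base)]
```

Because the fix is returned as a list of commands, the UI confirmation requested in the thread can display exactly which directories and files would gain an ACL entry.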



