[Users] template provisioning permissions

Dead Horse deadhorseconsulting at gmail.com
Wed Mar 27 15:21:12 UTC 2013


Bug 928410 (https://bugzilla.redhat.com/show_bug.cgi?id=928410) has been opened on
this issue.
Additionally, Bug 928399 (https://bugzilla.redhat.com/show_bug.cgi?id=928399),
which is possibly related to this issue, has been opened.

- DHC


On Mon, Mar 18, 2013 at 10:02 PM, Dead Horse
<deadhorseconsulting at gmail.com> wrote:

> Verified this is present in latest engine built from master with latest
> VDSM built from master.
> On the surface this literally seems as simple as a lack of Read-Only
> access to the template image when requesting to clone it from the template
> on the storage domain wherein the user cloning from the template has no
> permissions.
> - DHC
>
>
> On Wed, Mar 13, 2013 at 4:34 PM, Dead Horse
> <deadhorseconsulting at gmail.com> wrote:
>
>> Got an interesting one here as pertaining to template permissions and
>> provisioning.
>>
>> Given the following setup/situation:
>>
>> A cluster with a user A assigned poweruser role permissions on the
>> cluster.
>> - User A is assigned poweruser role permissions to storage domain A
>> - User A is a consumer of quota A which is assigned to specific storage
>> domain A
>>
>> A cluster with a user B assigned poweruser role permissions on the
>> cluster.
>> - User B is assigned poweruser role permissions to storage domain B
>> - User B is a consumer of quota B which is assigned to specific storage
>> domain B
>>
>> User A creates a VM and makes a template of it with permissions of
>> everyone as UserTemplateBasedVM.
>>
>> User B tries to create a VM based on the template that User A created.
>> While the base VM profile can be created the storage provisioning
>> encounters an issue.
>>
>> Template provisioning with the thin provision option will fail
>> due to the fact that User B does not have proper permissions to User A's
>> storage domain. The symptom of this expected failure is that the target
>> storage domain pull-down is empty. (It really should show something or be
>> greyed out rather than just be blank, or at least give some sort of user
>> notification.)
>>
>> The real issue here is with the clone provisioning option. The idea here
>> is to be able to clone a copy of the template disks into User B's storage
>> domain as a target where User B has poweruser role permissions. The problem
>> here is that this fails just like the above thin provision, which should
>> not be the case. The target pull-down is still blank; it should by default
>> show the target storage domain to which User B has permissions, that being
>> Storage domain B.
>>
>> Further debugging yields that assigning UserTemplateVM permissions to
>> User A's storage domain allows User B to use either of the options above,
>> although the only one really desired is the clone option, since we don't
>> want User B creating VMs in User A's storage domain. There still, however,
>> was an issue: upon selecting clone and selecting Storage domain B as the
>> target, the VM is created but the disk is created in Storage domain A
>> instead of Storage domain B.
>>
>>
>> Running build of the engine is built from commit:
>> 7354d3283627bdbe30dd9c15ce45eba375280a8c
>>
>> - DHC
>>
>>
>