[ovirt-users] Question about power user and public template

plysan plysab at gmail.com
Wed Apr 16 18:15:43 UTC 2014


2014-04-14 15:18 GMT+08:00 Tomas Jelinek <tjelinek at redhat.com>:

>
>
> ----- Original Message -----
> > From: "plysan" <plysab at gmail.com>
> > To: users at ovirt.org
> > Sent: Sunday, April 13, 2014 3:52:55 AM
> > Subject: [ovirt-users] Question about power user and public template
> >
> > Hi,
> >
> > Currently I have run into a problem about permissions when creating vm
> > from template.
> >
> > Say if non admin user A in power user portal wants to create vm from
> > template C created by non admin user B, I found out that A needs to have
> > both power user role and userbasedtemplatevm role to make it work. If I
> > only assign userbasedtemplatevm to C, A can only view the template in
> > power user portal but is not able to create vm from it.
>
> I'd say the problem is that the template has some disks and as a
> "UserTemplateBasedVm" only you are not allowed to "Access Image
> Storage Domains"?
>
Thanks for pointing that out, I really didn't think the disk has
permissions too :)

Because PowerUserRole has more permissions than UserTemplateBasedVm, I
think assigning PowerUserRole is enough to see the template in power user
portal.  Based on this thought, I did the following two experiments:

1. I assigned PowerUserRole to user A in Configure -> System Permissions,
but after that I still cannot see template C in power user portal.
The above role assignment results in user A having PowerUserRole inherited
from System Permission, and based on [1], user A should have PowerUserRole
on template C, right?

2. Now based on 1 if I explicitly add PowerUserRole to user A on template
C, I can see template C and create vms from it.

To my understanding, the above two role assignments should have the same
result.

Any ideas?

[1]:
http://lists.ovirt.org/pipermail/engine-devel/2012-December/003229.html


> For details about specific roles and what can be done by which role you
> can have a look at:
> webadmin -> "Configure" in top right corner -> "Roles" side tab -> pick a
> specific role -> "Edit" button
>
> >
> > So is this the expected behavior? I don't quite understand what
> > userbasedtemplatevm is used for.  I noticed that making template C public
> > has the effect of assigning userbasedtemplatevm to everyone, but that seems
> > not enough to let everyone use it.
> >
> > My engine version is 3.3.4.
> >
> > Any ideas? Thanks for any help!
> > _______________________________________________
> > Users mailing list
> > Users at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >
>