[ovirt-users] Question about power user and public template

Tomas Jelinek tjelinek at redhat.com
Thu Apr 17 13:02:41 UTC 2014



----- Original Message -----
> From: "plysan" <plysab at gmail.com>
> To: "Tomas Jelinek" <tjelinek at redhat.com>
> Cc: "Users at ovirt.org List" <users at ovirt.org>
> Sent: Wednesday, April 16, 2014 8:15:43 PM
> Subject: Re: [ovirt-users] Question about power user and public template
> 
> 2014-04-14 15:18 GMT+08:00 Tomas Jelinek <tjelinek at redhat.com>:
> 
> >
> >
> > ----- Original Message -----
> > > From: "plysan" <plysab at gmail.com>
> > > To: users at ovirt.org
> > > Sent: Sunday, April 13, 2014 3:52:55 AM
> > > Subject: [ovirt-users] Question about power user and public template
> > >
> > > Hi,
> > >
> > > Currently I have run into a problem about permissions when creating vm
> > from
> > > template.
> > >
> > > Say if non admin user A in power user portal want to create vm from
> > template
> > > C created by non admin user B, I found out that A need to have both power
> > > user role and userbasedtemplatevm role to make it work. If i only assign
> > > userbasedtemplatevm to C, A can only view the template in power user
> > portal
> > > but not able to create vm from it.
> >
> > I'd say the problem is that the template has some disks and as a
> > "UserTemplateBasedVm" only you are
> > not allowed to "Access Image Storage Domains"?
> >
> Thanks for pointing that out, I really didn't think the disk has
> permissions too :)
> 
> Because PowerUserRole has more permissions than UserTemplateBasedVm, so I
> think assigning PowerUserRole is enough to see the template in power user
> portal.  Based on this thought, I did the following two experiment:
> 
> 1. I assigned PowerUserRole to user A in Configure -> System Permissions,
> but after that I still cannot see template C in power user portal.
> The above role assignment result in user A having PowerUserRole inherited
> from System Permission, and based on [1], user A should have PowerUserRole
> on template C, right ?

yes, you should be able to verify this in the webadmin->template main tab->permissions subtab

> 
> 2. Now based on 1 if I explicitly add PowerUserRole to user A on template
> C, I can see template C and create vms from it.

but it should already be there. And also, since you have created the template as public "everyone" should have the 
"UserTemplateBasedVm" on it. You could verify this on the same subtab.

> 
> For my understanding, the above two role assignment should have the same
> result.
> 
> Any ideas?

so, if you have a template on which "everyone" has "UserTemplateBasedVm" and a user with "PowerUserRole" and you can not see it in the userportal,
it should be a bug. But for me it seems working on current upstream code... 

> 
> [1]:
> http://lists.ovirt.org/pipermail/engine-devel/2012-December/003229.html
> 
> 
> > For details about specific roles and what can be done by which role you
> > can have a look at:
> > webadmin -> "Configure" in top right corner -> "Roles" side tab -> pick a
> > specific role -> "Edit" button
> >
> > >
> > > So is this the expected behavior? I don't quite understand what
> > > userbasedtemplatevm is used for.  I noticed that making template C public
> > > have the effect of assign userbasedtemplatevm to everyone, but that seems
> > > not enough to let everyone use it.
> > >
> > > My engine version is 3.3.4.
> > >
> > > Any ideas? thanks for any help!
> > > _______________________________________________
> > > Users mailing list
> > > Users at ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > >
> >
> 



More information about the Users mailing list