[ovirt-users] User is not authorized, ldap OK, but no user VM

David Smith dsmith at mypchelp.com
Tue Jun 30 22:28:08 UTC 2015


In that link, the referenced permissions don't exist under "configure" when
logged in to the admin portal; I must be missing some finer detail.
Also the system permissions section in "Configure" doesn't allow you to add
the user "everyone"-- and since we're not using LDAP groups, that
complicates things.

Before I switched to our corporate LDAP, I used a group in a private LDAP
server and everything worked great, permissions were fine as I describe--
but since we switched to Corp LDAP, they don't use the concept of groups, I
tried changing to use the "everyone" user to assign permissions, which
works great except this one scenario where they have 0 VMs in their name.


On Tue, Jun 30, 2015 at 3:19 PM, Donny Davis <donny at cloudspin.me> wrote:

> http://lists.ovirt.org/pipermail/users/2015-January/030981.html
> On Jun 30, 2015 6:16 PM, "Donny Davis" <donny at cloudspin.me> wrote:
>
>> Add login permissions only at the data center for the group.  This allows
>> them to log in, but not view anything. You have to create a custom permission
>> to do what you are looking for.
>> On Jun 30, 2015 6:13 PM, "David Smith" <dsmith at mypchelp.com> wrote:
>>
>>> Correct, each user has their own VMs. Only a few share VMs (those
>>> permissions are assigned manually)
>>>
>>> The issue is that when they have 0 VMs assigned to them, the system
>>> throws the login error that they're not authorized, at least until I add a
>>> placeholder VM so they can log in and set themselves up.
>>>
>>>
>>> On Tue, Jun 30, 2015 at 3:09 PM, Donny Davis <donny at cloudspin.me> wrote:
>>>
>>>> You are looking for this to look like it's multi-tenant?
>>>>
>>>> I set up CloudSpin to do exactly that. Each user can only see their own
>>>> VMs.
>>>> Do I have your question correct?
>>>>
>>>> Donny D
>>>> On Jun 30, 2015 5:27 PM, "David Smith" <dsmith at mypchelp.com> wrote:
>>>>
>>>>> version 3.5.2-1.el6
>>>>> using ldap authz; this piece is working OK, and verified OK.
>>>>>
>>>>> I use the "Everyone" user to provide default permissions; that
>>>>> includes PowerUserRole for the data center, a bunch of
>>>>> usertemplatebasedVMs, some VnicProfileUser, DiskProfileUser, etc.
>>>>>
>>>>> I add a new user in LDAP, and verify LDAP credentials work (i.e., log in
>>>>> to another system that uses the same LDAP server)
>>>>> LDAP confirmed working for *other* ovirt users-- not an LDAP issue as
>>>>> far as I can tell.
>>>>>
>>>>> I do *not* specifically add each LDAP user to oVirt, they're added to
>>>>> "groups" in LDAP, so if they have the right group, they should be able to
>>>>> authenticate to oVirt and use the system without me adding each user
>>>>> individually.
>>>>>
>>>>> In any case the narrowed down problem is this:
>>>>> If the user doesn't have permissions (UserRole, etc) for *any* VMs,
>>>>> instead of logging in and getting a blank VM list, they get "User is not
>>>>> authorized to perform this action."
>>>>>
>>>>> If I add that specific user to a test placeholder VM, they can log in.
>>>>> Once they have a VM created, I can erase their user-specific permissions to
>>>>> that initial test VM and everything works as expected. They are able to log
>>>>> in, create VMs, etc.
>>>>>
>>>>> If I remove all permissions for VMs from a user, they get this error.
>>>>>
>>>>> Expected behavior:
>>>>> User without any permissions to any VMs should simply get a blank VM
>>>>> list on login. That way they can create a VM and go from there.
>>>>>
>>>>> Thanks for any help/suggestions,
>>>>> David