[ovirt-users] User is not authorized, ldap OK, but no user VM
Donny Davis
donny at cloudspin.me
Tue Jun 30 22:42:11 UTC 2015
Can you assign a specific user the power user role that has no VMs assigned
to them? Can that user log in?
On Jun 30, 2015 6:32 PM, "David Smith" <dsmith at mypchelp.com> wrote:
> The users are attempting to log in via the user portal when they get the
> error.
>
>
> On Tue, Jun 30, 2015 at 3:28 PM, Donny Davis <donny at cloudspin.me> wrote:
>
>> The power user role covers login, so that is not your problem. Is this
>> on the user portal or webadmin?
>> On Jun 30, 2015 6:20 PM, "David Smith" <dsmith at mypchelp.com> wrote:
>>
>>> I used the "everyone" user at the data center level and added the
>>> permissions/role of "PowerUserRole"
>>>
>>> What other permission/role are you saying I should assign?
>>>
>>> Unfortunately we aren't using an "ldap group" so there's nothing to
>>> assign to an ldap group-- the users are filtered in such a manner that if
>>> they auth and get through the filter they should have access.
>>>
>>> On Tue, Jun 30, 2015 at 3:16 PM, Donny Davis <donny at cloudspin.me> wrote:
>>>
>>>> Add login permissions only at the data center for the group. This
>>>> allows them to log in, but not view anything. You have to create a custom
>>>> permission to do what you are looking for.
>>>> On Jun 30, 2015 6:13 PM, "David Smith" <dsmith at mypchelp.com> wrote:
>>>>
>>>>> Correct, each user has their own VMs. Only a few share VMs (those
>>>>> permissions are assigned manually)
>>>>>
>>>>> The issue is that when they have 0 VMs assigned to them, the system
>>>>> throws the login error that they're not authorized, at least until I add a
>>>>> placeholder VM so they can log in and set themselves up.
>>>>>
>>>>>
>>>>> On Tue, Jun 30, 2015 at 3:09 PM, Donny Davis <donny at cloudspin.me>
>>>>> wrote:
>>>>>
>>>>>> You are looking for this to look like it's multi-tenant?
>>>>>>
>>>>>> I set up CloudSpin to do exactly that. Each user can only see their
>>>>>> own VMs.
>>>>>> Do I have your question correct?
>>>>>>
>>>>>> Donny D
>>>>>> On Jun 30, 2015 5:27 PM, "David Smith" <dsmith at mypchelp.com> wrote:
>>>>>>
>>>>>>> version 3.5.2-1.el6
>>>>>>> using ldap authz; this piece is working OK, and verified OK.
>>>>>>>
>>>>>>> I use the "Everyone" user to provide default permissions; that
>>>>>>> includes PowerUserRole for the data center, a bunch of
>>>>>>> usertemplatebasedVMs, some VnicProfileUser, DiskProfileUser, etc.
>>>>>>>
>>>>>>> I add a new user in LDAP; and verify LDAP credentials work (i.e., log
>>>>>>> in to another system that uses the same LDAP server)
>>>>>>> LDAP confirmed working for *other* oVirt users-- not an LDAP issue
>>>>>>> as far as I can tell.
>>>>>>>
>>>>>>> I do *not* specifically add each LDAP user to oVirt, they're added
>>>>>>> to "groups" in LDAP, so if they have the right group, they should be able
>>>>>>> to authenticate to oVirt and use the system without me adding each user
>>>>>>> individually.
>>>>>>>
>>>>>>> In any case the narrowed down problem is this:
>>>>>>> If the user doesn't have permissions (UserRole, etc) for *any* VMs,
>>>>>>> instead of logging in and getting a blank VM list, they get "User is not
>>>>>>> authorized to perform this action."
>>>>>>>
>>>>>>> If I add that specific user to a test placeholder VM, they can log
>>>>>>> in. Once they have a VM created, I can erase their user-specific
>>>>>>> permissions to that initial test VM and everything works as expected. They
>>>>>>> are able to log in, create VMs, etc.
>>>>>>>
>>>>>>> If I remove all permissions for VMs from a user, they get this error.
>>>>>>>
>>>>>>> Expected behavior:
>>>>>>> User without any permissions to any VMs should simply get a blank VM
>>>>>>> list on login. That way they can create a VM and go from there.
>>>>>>>
>>>>>>> Thanks for any help/suggestions,
>>>>>>> David
>>>>>>>