<div dir="ltr">Hi Tomas,<div><br></div><div>Sorry for the late response :P<br><div class="gmail_extra"><br><br><div class="gmail_quote">2014-04-17 21:02 GMT+08:00 Tomas Jelinek <span dir="ltr"><<a href="mailto:tjelinek@redhat.com" target="_blank">tjelinek@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><br>
<br>
----- Original Message -----<br>
> From: "plysan" <<a href="mailto:plysab@gmail.com" target="_blank">plysab@gmail.com</a>><br>
</div><div><div>> To: "Tomas Jelinek" <<a href="mailto:tjelinek@redhat.com" target="_blank">tjelinek@redhat.com</a>><br>
> Cc: "<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a> List" <<a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a>><br>
> Sent: Wednesday, April 16, 2014 8:15:43 PM<br>
> Subject: Re: [ovirt-users] Question about power user and public template<br>
><br>
> 2014-04-14 15:18 GMT+08:00 Tomas Jelinek <<a href="mailto:tjelinek@redhat.com" target="_blank">tjelinek@redhat.com</a>>:<br>
><br>
> ><br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "plysan" <<a href="mailto:plysab@gmail.com" target="_blank">plysab@gmail.com</a>><br>
> > > To: <a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a><br>
> > > Sent: Sunday, April 13, 2014 3:52:55 AM<br>
> > > Subject: [ovirt-users] Question about power user and public template<br>
> > ><br>
> > > Hi,<br>
> > ><br>
> > > Currently I have run into a problem about permissions when creating vm<br>
> > from<br>
> > > template.<br>
> > ><br>
> > > Say if non admin user A in power user portal wants to create vm from<br>
> > template<br>
> > > C created by non admin user B, I found out that A needs to have both power<br>
> > > user role and userbasedtemplatevm role to make it work. If I only assign<br>
> > > userbasedtemplatevm to C, A can only view the template in power user<br>
> > portal<br>
> > > but is not able to create vm from it.<br>
> ><br>
> > I'd say the problem is that the template has some disks and as a<br>
> > "UserTemplateBasedVm" only you are<br>
> > not allowed to "Access Image Storage Domains"?<br>
> ><br>
> Thanks for pointing that out, I really didn't think the disk has<br>
> permissions too :)<br>
><br>
> Because PowerUserRole has more permissions than UserTemplateBasedVm, so I<br>
> think assigning PowerUserRole is enough to see the template in power user<br>
> portal. Based on this thought, I did the following two experiments:<br>
><br>
> 1. I assigned PowerUserRole to user A in Configure -> System Permissions,<br>
> but after that I still cannot see template C in power user portal.<br>
> The above role assignment results in user A having PowerUserRole inherited<br>
> from System Permission, and based on [1], user A should have PowerUserRole<br>
> on template C, right?<br>
<br>
</div></div>yes, you should be able to verify this in the webadmin->template main tab->permissions subtab<br>
<div><br>
><br>
> 2. Now based on 1 if I explicitly add PowerUserRole to user A on template<br>
> C, I can see template C and create vms from it.<br>
<br>
</div>but it should already be there. And also, since you have created the template as public "everyone" should have the<br>
"UserTemplateBasedVm" on it. You could verify this on the same subtab.<br></blockquote><div>I think my experiment above is not clear enough, so I made another one, and found the following behavior:</div><div>1. If user has only PowerUser role which is inherited from system on a template, he cannot see the template on userportal. And based on this, if UserTemplateBasedVm role is added to the user, the user can see it in userportal now.</div>
<div>2. If user has only PowerUser role assigned independently (not inherited from system) on a template, he can see the template in userportal.</div><div><br></div><div>IIUC, PowerUser role inherited from system should have the same behavior as PowerUser role assigned independently.</div>
<div><br></div><div>Ideas?</div><div><br></div><div>---</div><div>Thanks</div><div>plysan</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div><br>
><br>
> For my understanding, the above two role assignments should have the same<br>
> result.<br>
><br>
> Any ideas?<br>
<br>
</div>so, if you have a template on which "everyone" has "UserTemplateBasedVm" and a user with "PowerUserRole" and you cannot see it in the userportal,<br>
it should be a bug. But for me it seems to be working on current upstream code...<br>
<div><div><br>
><br>
> [1]:<br>
> <a href="http://lists.ovirt.org/pipermail/engine-devel/2012-December/003229.html" target="_blank">http://lists.ovirt.org/pipermail/engine-devel/2012-December/003229.html</a><br>
><br>
><br>
> > For details about specific roles and what can be done by which role you<br>
> > can have a look at:<br>
> > webadmin -> "Configure" in top right corner -> "Roles" side tab -> pick a<br>
> > specific role -> "Edit" button<br>
> ><br>
> > ><br>
> > > So is this the expected behavior? I don't quite understand what<br>
> > > userbasedtemplatevm is used for. I noticed that making template C public<br>
> > > has the effect of assigning userbasedtemplatevm to everyone, but that seems<br>
> > > not enough to let everyone use it.<br>
> > ><br>
> > > My engine version is 3.3.4.<br>
> > ><br>
> > > Any ideas? thanks for any help!<br>
> > ><br>
> ><br>
><br>
</div></div></blockquote></div><br></div></div></div>