[one-users] OpenNebula and authorization

Lars Kellogg-Stedman lars at seas.harvard.edu
Tue May 3 08:48:29 PDT 2011


> The functionality you are describing will be available for the next release.

We're looking forward to it!

> Our first idea is to have a main group and many secondary ones for each
> user; the rest of the resources will belong only to one group.
> We'll implement an ACL system to allow fine-tuning of the permissions.

I'm not sure that the primary/secondary distinction is necessary.

> If you need to implement it for 2.2, I'd suggest a workaround in the
> authorization module.

We looked at that, but we're trying not to make too many modifications
to our local installation (because we want to be able to upgrade
smoothly when new releases come out).  If the next release is going to
have some enhancements on the authorization side of things, we'll just
wait for that.

> This could be tackled modifying the onevm, oneimage and onevnet commands.
> Since these files are just ruby scripts, you could read your permissions DB
> and add a new column to the resources table showing the group(s) they belong
> to. Or even hide some of the resources.

It would be nice if there was an authorization hook somewhere in this
process such that we could implement access control policies without
having to modify the core tools.

-- 
Lars Kellogg-Stedman <lars at seas.harvard.edu>
Senior Technologist
Harvard University SEAS
Academic and Research Computing (ARC)


