[one-users] ACLs issues

Carlos Martín Sánchez cmartin at opennebula.org
Thu Oct 20 06:05:17 PDT 2011


Hi Rubén,

The way users list the resources is somewhat limited to the standard use
cases: the onevnet list command accepts 3 options: m (mine), g (group), a
(all).

Although you can grant users in group 108 permissions to list vnets in the
group 1, they cannot request the list of vnets in group 108.
They can only list vnets in their group (g) or all (a) the existing vnets.

The command 'onevnet list' is not showing any vnets because the default
option is 'g'.
'onevnet list a' command fails because it tries to list all the vnets, which
requires the following ACL rule:

@108 NET/* INFO_POOL



If you need to debug the ACL rules, enable the debug level in oned.conf
(enabled by default) and look in oned.log for messages marked as [ACL][D].

You will find messages similar to these ones:

Thu Oct 20 05:48:29 2011 [ReM][D]: VirtualNetworkPoolInfo method invoked
...
Thu Oct 20 05:48:29 2011 [ACL][D]: Request #1 NET/* INFO_POOL
Thu Oct 20 05:48:29 2011 [ACL][D]: > Rule  @1 VM+NET+IMAGE+TEMPLATE/* CREATE+INFO_POOL_MINE
Thu Oct 20 05:48:29 2011 [ACL][D]: > Rule  @1 HOST/* USE
Thu Oct 20 05:48:29 2011 [ACL][D]: No more rules, permission not granted


You can read more in a similar thread here [1], and the ticket where we will
address these limitations [2].

Regards.

[1] http://www.mail-archive.com/users@lists.opennebula.org/msg04022.html
[2] http://dev.opennebula.org/issues/862

--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open Source Toolkit for Cloud Computing
www.OpenNebula.org <http://www.opennebula.org/> | cmartin at opennebula.org


On Thu, Oct 20, 2011 at 1:47 PM, Ruben Diez <rdiez at cesga.es> wrote:

> Hi:
>
> We are attempting to let OpenNebula users of group XXX (id=108) view and
> use the NETs and IMAGES of the group users (id=1)
>
> So we create this ACL rule:
>
> create "@108 NET+IMAGE/@1 USE+INFO+INFO_POOL"
>
> but, contrary to expectations, a user of the group XXX (id=108) can't
> list the vnets under the group user
>
> user_under_XXX$ onevnet list
>  ID USER     GROUP    NAME                    TYPE BRIDGE PUB  LEASES
>
>
> user_under_XXX$ onevnet list a
> [VirtualNetworkPoolInfo] User [4] : Not authorized to perform INFO_POOL NET.
>
>
> Please note that there are vnets under group user:
>
>
> oneadmin$ onevnet list
>  ID USER     GROUP    NAME                    TYPE BRIDGE PUB  LEASES
> 175 oneadmin users    red-192.169.40              R virbrG  No       0
> 171 oneadmin users    red-84.21.173              R virbrC Yes      50
>
>
> Where is the mistake??
>
> Regards
>
>
>
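The ACL matching discussed in this thread, as an added example (not OpenNebula's own code): a small Ruby model of rule evaluation showing why Rubén's rule grants INFO on a vnet in group 1 but not the pool-wide INFO_POOL request behind "onevnet list a", and why the "@108 NET/* INFO_POOL" rule does. User id 4, vnet 175 and group id 1 are taken from the thread; the hash shape used to describe an object is an assumption of this model.

```ruby
# Constructed model of OpenNebula 3.x ACL matching (example code for this
# thread, not OpenNebula's implementation). Shows why the rule
# "@108 NET+IMAGE/@1 USE+INFO+INFO_POOL" does not cover "NET/* INFO_POOL".

Rule = Struct.new(:users, :types, :objects, :rights)

# Parse "@108 NET+IMAGE/@1 USE+INFO+INFO_POOL" into its three fields.
def parse_rule(text)
  users, resource, rights = text.split(/\s+/, 3)
  types, objects = resource.split('/', 2)
  Rule.new(users, types.split('+'), objects, rights.split('+'))
end

# Does the rule's user field cover a requester with this uid and gid?
def user_matches?(spec, uid, gid)
  spec == '*' || spec == "##{uid}" || spec == "@#{gid}"
end

# Does the rule's object field cover the requested object? A request over
# the whole pool ('*', as in "NET/* INFO_POOL") needs a rule written for "/*".
def object_matches?(spec, object)
  return spec == '*' if object == '*'
  spec == '*' || spec == "##{object[:id]}" || spec == "@#{object[:gid]}"
end

# Walk the rules in order, like the [ACL][D] log: the first rule matching
# every field grants the right; if none matches, permission is not granted.
def authorized?(rules, uid, gid, type, object, right)
  rules.any? do |r|
    user_matches?(r.users, uid, gid) &&
      r.types.include?(type) &&
      object_matches?(r.objects, object) &&
      r.rights.include?(right)
  end
end

RUBEN_RULES = [parse_rule('@108 NET+IMAGE/@1 USE+INFO+INFO_POOL')]
FIXED_RULES = RUBEN_RULES + [parse_rule('@108 NET/* INFO_POOL')]
VNET_175 = { id: 175, gid: 1 } # vnet 175 belongs to group "users" (id 1)

# "onevnet list a" by user 4 of group 108: a pool-wide NET/* INFO_POOL request.
def list_all_granted?(rules)
  authorized?(rules, 4, 108, 'NET', '*', 'INFO_POOL')
end

# "onevnet show 175" by the same user: a per-object NET/#175 INFO request.
def show_vnet_granted?(rules)
  authorized?(rules, 4, 108, 'NET', VNET_175, 'INFO')
end
```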