[one-users] Instantiate cloned templates with restricted attributes

Carlos Martín Sánchez cmartin at opennebula.org
Mon Dec 17 03:26:07 PST 2012


Hi,

The merging of templates sounds interesting.

I think this could also be done with a custom authorization (authZ) driver
[1] [2]. If I understood correctly, the driver would need to check if it is
a deploy operation, and deny the operation if the cpu/memory are not one of
the allowed fixed amounts.

Regards

[1]
http://opennebula.org/documentation:rel3.8:oned_conf#auth_manager_configuration
[2]
http://dev.opennebula.org/projects/opennebula/repository/revisions/one-3.8/entry/src/authm_mad/one_auth_mad.rb

--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open-source Solution for Data Center Virtualization
www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula <http://twitter.com/opennebula>


On Sun, Dec 16, 2012 at 9:18 PM, Simon Boulet <simon at nostalgeek.com> wrote:

> How can a user instantiate a cloned template that contains restricted
> attributes?
>
> My experiments show that restricted attributes prevent templates owned by
> a group other than the oneadmin group from being instantiated if it
> contains a restricted attribute. A user could successfully Clone a oneadmin
> template that has a restricted attribute, but it won't be able to
> instantiate unless it deletes the restricted attribute from the template
> before instantiating it.
>
> In my use case, say I want to force my users in using uniform VM types
> that have a set amount of MEMORY and CPU, while still allowing them to
> instantiate templates with custom CONTEXT attributes. My first thought was
> to set the MEMORY and CPU attributes as restricted. But, it won't work,
> because my users while being allowed to Clone a template and set the
> CONTEXT attributes they want, won't be able to instantiate their final
> template, because their template also contains the MEMORY and CPU
> attributes from the original source template they cloned.
>
> Any clues how I can achieve that?
>
> I thought one option could be to add a 4th parameter to the
> one.template.instantiate API call to allow users to pass attributes to be
> merged with the template. Those attributes could be matched against the
> list of restricted attributes, and if no restricted attributes are found,
> the attributes would be merged against the source template before being
> instantiated.
>
> Thanks
>
> Simon
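The check described in the reply above (deny a deploy whose CPU/MEMORY is not one of the allowed fixed amounts), written out in Ruby as an added example; it is not part of the original thread or of OpenNebula's code. It assumes the driver has already extracted the operation name and the VM template text from the request, which this page does not show; `ALLOWED_SIZES`, `GUARDED_OPERATION`, `top_level_attrs` and `size_allowed?` are hypothetical names.

```ruby
# Added example. ALLOWED_SIZES, GUARDED_OPERATION and both function names are
# hypothetical; the template below is constructed sample input.
ALLOWED_SIZES = [[0.5, 512], [1.0, 1024], [2.0, 4096]].freeze # [CPU, MEMORY]
GUARDED_OPERATION = "DEPLOY" # placeholder for the operation name the driver sees

SAMPLE_TEMPLATE = <<~TEMPLATE
  NAME = "web"
  CPU = "1"
  MEMORY = "1024"
  CONTEXT = [
    HOSTNAME = "web01",
    CPU = "64" ]
TEMPLATE

# Collect top-level KEY = VALUE attributes. Values are kept as a list per key
# so a duplicated CPU or MEMORY can be detected. Attributes nested inside a
# vector such as CONTEXT = [ ... ] are skipped: they do not size the VM.
def top_level_attrs(template_text)
  attrs = Hash.new { |hash, key| hash[key] = [] }
  depth = 0
  template_text.each_line do |raw|
    line = raw.strip
    if depth.zero? && (m = line.match(/\A(\w+)\s*=\s*(.*)\z/))
      attrs[m[1].upcase] << m[2].delete('"').strip
    end
    bare = line.gsub(/"[^"]*"/, "") # ignore brackets inside quoted values
    depth = [depth + bare.count("[") - bare.count("]"), 0].max
  end
  attrs
end

# Returns false only when the guarded operation carries a template whose
# CPU/MEMORY pair is missing, duplicated, malformed or not on the allowlist.
def size_allowed?(operation, template_text)
  return true unless operation == GUARDED_OPERATION # no opinion on other ops
  attrs = top_level_attrs(template_text)
  cpu = attrs["CPU"]
  memory = attrs["MEMORY"]
  return false unless cpu.size == 1 && memory.size == 1
  ALLOWED_SIZES.include?([Float(cpu.first), Integer(memory.first, 10)])
rescue ArgumentError, TypeError
  false
end

puts size_allowed?("DEPLOY", SAMPLE_TEMPLATE) # allowed size, CONTEXT CPU ignored
```

The line-based parser here is a simplification; a driver used for enforcement should read the template the same way oned does, so the two cannot disagree about which CPU and MEMORY values apply.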