[one-users] Fwd: ACLs and users authentification

Hector Sanjuan hsanjuan at opennebula.org
Thu Sep 6 01:30:44 PDT 2012


Hello,

Which browser and version are you using? The username is missing on the  
Welcome: label on top, which indicates there is a problem with the  
sunstone cookie very possibly. This explains why the chown/chgrp buttons  
are not showing either.

Can you delete cookies and cache and reload? Check that your browser or a  
plugin of it is not blocking cookies etc. Check the browser console for  
any errors, specially javascript-related ones. Thanks!

Hector



En Thu, 06 Sep 2012 09:57:12 +0200, Пярн Артур <dekkart at yandex.ru>  
escribió:

> Hi Carlos,
>
> Thank you very much, I understood. It seems the problem is that there is  
> no
> specific tabs in sunstone they should be - to change owner and group of  
> specific
> resourse (in screenshots). That's what confussed me.
>
> I found how to do it in CLI, but anyway I don't now why Sunstone working  
> not
> correctly not showing some tabs. Also Sunstone doesn't show user name in
> greeting field (i made red circles around it)
>
> I did defualt installation and changed only system settings in  
> sunstone.conf (ports,
> vnc, ip, etc.).
>
> Screenshots and sunstone log in attach (NO ERRORS FOUND).
>
> --------------------------------------
>
> Server configuration
>
> --------------------------------------
>
> {:auth=>"sunstone",
>
> :vnc_proxy_cert=>nil,
>
> :vnc_proxy_path=>"/srv/cloud/one/share/noVNC/utils/websockify",
>
> :vnc_proxy_key=>nil,
>
> :vnc_proxy_support_wss=>false,
>
> :debug_level=>3,
>
> :host=>"0.0.0.0",
>
> :vnc_proxy_base_port=>29876,
>
> :port=>8888,
>
> :one_xmlrpc=>"http://localhost:2633/RPC2",
>
> :core_auth=>"cipher",
>
> :lang=>"en_US"}
>
> == Sinatra/1.3.2 has taken the stage on 8888 for development with backup  
> from
> Thin
>
> Thu Sep 06 03:24:42 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:42] "GET /  
> HTTP/1.1"
> 200 1595 0.0075
>
> Thu Sep 06 03:24:42 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:42] "GET  
> /favicon.ico
> HTTP/1.1" 401 - 0.0010
>
> Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "POST  
> /login
> HTTP/1.1" 204 - 0.0691
>
> Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET /  
> HTTP/1.1"
> 200 4630 0.0067
>
> Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET  
> /vendor/noVNC/include/plain.css
> HTTP/1.1" 404 466 0.0013
>
> Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET  
> /host/monitor?title=graph1&monitor_resources=cpu_usage%2Cused_cpu%2Cmax_$
>
> Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET  
> /host/monitor?title=graph2&monitor_resources=mem_usage%2Cused_mem%2Cmax_$
>
> Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET  
> /vm/monitor?title=graph3&monitor_resources=total%2Cactive%2Cerror&histor$
>
> Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET  
> /config
> HTTP/1.1" 200 40 0.0021
>
> Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET  
> /vm/monitor?title=graph4&monitor_resources=net_tx%2Cnet_rx&history_lengt$
>
> Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
> /user?timeout=false
> HTTP/1.1" 200 1432 0.0054
>
> Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
> /group?timeout=false
> HTTP/1.1" 200 554 0.0042
>
> Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
> /acl?timeout=false
> HTTP/1.1" 200 1057 0.0046
>
> Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
> /vm?timeout=false
> HTTP/1.1" 200 4255 0.0079
>
> Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
> /vmtemplate?timeout=false
> HTTP/1.1" 200 2978 0.0072
>
> Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
> /image?timeout=false
> HTTP/1.1" 200 3632 0.0077
>
> Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
> /cluster?timeout=false
> HTTP/1.1" 200 27 0.0344
>
> Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
> /host?timeout=false
> HTTP/1.1" 200 2498 0.0088
>
> Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
> /datastore?timeout=false
> HTTP/1.1" 200 1580 0.0052
>
> Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
> /vnet?timeout=false
> HTTP/1.1" 200 1406 0.0051
>
> etc.
>
> 05.09.2012, 19:20, "Carlos Martín Sánchez" <cmartin at opennebula.org>:
>
> Hi,
>
> That's not the normal behaviour, you may have changed some configuration  
> during
> your tests.
>
> ACL rules in OpenNebula only add permissions, there is no option to make  
> other
> resources invisible, because by default they are.
>
> Users can only list the resources they have USE permissions over. If  
> your users
> can list VMs from other group, it is because you have an ACL that allows  
> it, or
> because you changed the VM permissions to allow USE to 'others', see [1].
>
> If you need more specific help, please include the output of oneacl list.
>
> Regards,
>
> Carlos
>
> [1] http://opennebula.org/documentation:rel3.6:chmod
>
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - The Open-source Solution for Data Center Virtualization
>
> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula
>
>
> On Wed, Sep 5, 2012 at 3:37 PM, Пярн Артур <dekkart at yandex.ru> wrote:
>
> Hi
>
> I'm testing opennebula in multi-tenant envirements and found an  
> upsetting issue.
>
> When i put users in groups (for example company A and company B groups),  
> i can't
> find anything in options and in documentation (ACLs, etc.) to make  
> company A VMs
> invisible to company B VMs and opposite.
>
> They just can't do anything with not their own machines, but the still  
> see all
> the pool of virtual machines. This is not good in such case.
>
> I will be pleased to hear any advice.
>
> Thank you in advance.
>


-- 
Hector Sanjuan
OpenNebula Developer



More information about the Users mailing list