[one-users] Fwd: ACLs and users authentification

Hector Sanjuan hsanjuan at opennebula.org
Thu Sep 13 08:17:02 PDT 2012


Hey,

have a look at http://dev.opennebula.org/issues/1085... this is most
likely a problem with skewed clocks between the sunstone server and the
computer from which you are accessing. If the difference is > 10 mins
the cookie expires, along with the information in it, so some things do
not work.

Sorry I realised so late,

Hector


On Thu, 06 Sep 2012 12:49:43 +0200, Пярн Артур <dekkart at yandex.ru>
wrote:

> Thank you Hector for your reply. I'm using Chrome (last version), also
> tried Firefox - and still the same.
> Deleting cookies hasn't changed the situation. JS log without errors. I
> think I will try reinstalling Sunstone later.
> But the problem with disappearing tabs appeared not for the first time. Some
> time ago some tabs disappeared in host management. If there are other
> possibilities to check - I will be glad to hear.
>
> 06.09.2012, 12:30, "Hector Sanjuan" <hsanjuan at opennebula.org>:
>> Hello,
>>
>> Which browser and version are you using? The username is missing on the
>> Welcome: label on top, which indicates there is a problem with the
>> sunstone cookie very possibly. This explains why the chown/chgrp buttons
>> are not showing either.
>>
>> Can you delete cookies and cache and reload? Check that your browser or
>> a plugin of it is not blocking cookies etc. Check the browser console for
>> any errors, especially javascript-related ones. Thanks!
>>
>> Hector
>>
>> On Thu, 06 Sep 2012 09:57:12 +0200, Пярн Артур <dekkart at yandex.ru>
>> wrote:
>>
>>>  Hi Carlos,
>>>
>>>  Thank you very much, I understood. It seems the problem is that there are
>>>  no specific tabs in Sunstone where they should be - to change the owner and
>>>  group of a specific resource (in screenshots). That's what confused me.
>>>
>>>  I found how to do it in the CLI, but anyway I don't know why Sunstone is
>>>  not working correctly, not showing some tabs. Also Sunstone doesn't show
>>>  the user name in the greeting field (I made red circles around it).
>>>
>>>  I did a default installation and changed only system settings in
>>>  sunstone.conf (ports, vnc, ip, etc.).
>>>
>>>  Screenshots and sunstone log in attachment (NO ERRORS FOUND).
>>>
>>>  --------------------------------------
>>>
>>>  Server configuration
>>>
>>>  --------------------------------------
>>>
>>>  {:auth=>"sunstone",
>>>
>>>  :vnc_proxy_cert=>nil,
>>>
>>>  :vnc_proxy_path=>"/srv/cloud/one/share/noVNC/utils/websockify",
>>>
>>>  :vnc_proxy_key=>nil,
>>>
>>>  :vnc_proxy_support_wss=>false,
>>>
>>>  :debug_level=>3,
>>>
>>>  :host=>"0.0.0.0",
>>>
>>>  :vnc_proxy_base_port=>29876,
>>>
>>>  :port=>8888,
>>>
>>>  :one_xmlrpc=>"http://localhost:2633/RPC2",
>>>
>>>  :core_auth=>"cipher",
>>>
>>>  :lang=>"en_US"}
>>>
>>>  == Sinatra/1.3.2 has taken the stage on 8888 for development with  
>>> backup
>>>  from
>>>  Thin
>>>
>>>  Thu Sep 06 03:24:42 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:42]  
>>> "GET /
>>>  HTTP/1.1"
>>>  200 1595 0.0075
>>>
>>>  Thu Sep 06 03:24:42 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:42] "GET
>>>  /favicon.ico
>>>  HTTP/1.1" 401 - 0.0010
>>>
>>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49]  
>>> "POST
>>>  /login
>>>  HTTP/1.1" 204 - 0.0691
>>>
>>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49]  
>>> "GET /
>>>  HTTP/1.1"
>>>  200 4630 0.0067
>>>
>>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET
>>>  /vendor/noVNC/include/plain.css
>>>  HTTP/1.1" 404 466 0.0013
>>>
>>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET
>>>  /host/monitor?title=graph1&monitor_resources=cpu_usage%2Cused_cpu%2Cmax_$
>>>
>>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET
>>>  /host/monitor?title=graph2&monitor_resources=mem_usage%2Cused_mem%2Cmax_$
>>>
>>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET
>>>  /vm/monitor?title=graph3&monitor_resources=total%2Cactive%2Cerror&histor$
>>>
>>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET
>>>  /config
>>>  HTTP/1.1" 200 40 0.0021
>>>
>>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET
>>>  /vm/monitor?title=graph4&monitor_resources=net_tx%2Cnet_rx&history_lengt$
>>>
>>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET
>>>  /user?timeout=false
>>>  HTTP/1.1" 200 1432 0.0054
>>>
>>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET
>>>  /group?timeout=false
>>>  HTTP/1.1" 200 554 0.0042
>>>
>>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET
>>>  /acl?timeout=false
>>>  HTTP/1.1" 200 1057 0.0046
>>>
>>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET
>>>  /vm?timeout=false
>>>  HTTP/1.1" 200 4255 0.0079
>>>
>>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET
>>>  /vmtemplate?timeout=false
>>>  HTTP/1.1" 200 2978 0.0072
>>>
>>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET
>>>  /image?timeout=false
>>>  HTTP/1.1" 200 3632 0.0077
>>>
>>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET
>>>  /cluster?timeout=false
>>>  HTTP/1.1" 200 27 0.0344
>>>
>>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET
>>>  /host?timeout=false
>>>  HTTP/1.1" 200 2498 0.0088
>>>
>>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET
>>>  /datastore?timeout=false
>>>  HTTP/1.1" 200 1580 0.0052
>>>
>>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET
>>>  /vnet?timeout=false
>>>  HTTP/1.1" 200 1406 0.0051
>>>
>>>  etc.
>>>
>>>  05.09.2012, 19:20, "Carlos Martín Sánchez" <cmartin at opennebula.org>:
>>>
>>>  Hi,
>>>
>>>  That's not the normal behaviour, you may have changed some configuration
>>>  during your tests.
>>>
>>>  ACL rules in OpenNebula only add permissions, there is no option to make
>>>  other resources invisible, because by default they are.
>>>
>>>  Users can only list the resources they have USE permissions over. If
>>>  your users can list VMs from other group, it is because you have an ACL
>>>  that allows it, or because you changed the VM permissions to allow USE
>>>  to 'others', see [1].
>>>
>>>  If you need more specific help, please include the output of oneacl list.
>>>
>>>  Regards,
>>>
>>>  Carlos
>>>
>>>  [1] http://opennebula.org/documentation:rel3.6:chmod
>>>
>>>  --
>>>  Carlos Martín, MSc
>>>  Project Engineer
>>>  OpenNebula - The Open-source Solution for Data Center Virtualization
>>>
>>>  www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula
>>>
>>>  On Wed, Sep 5, 2012 at 3:37 PM, Пярн Артур <dekkart at yandex.ru> wrote:
>>>
>>>  Hi
>>>
>>>  I'm testing opennebula in multi-tenant environments and found an
>>>  upsetting issue.
>>>
>>>  When I put users in groups (for example company A and company B groups),
>>>  I can't find anything in options and in documentation (ACLs, etc.) to make
>>>  company A VMs invisible to company B VMs and opposite.
>>>
>>>  They just can't do anything with machines that are not their own, but they
>>>  still see all the pool of virtual machines. This is not good in such a case.
>>>
>>>  I will be pleased to hear any advice.
>>>
>>>  Thank you in advance.
>>
>> --
>> Hector Sanjuan
>> OpenNebula Developer
>


-- 
Hector Sanjuan
OpenNebula Developer
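
The clock-skew diagnosis from the reply at the top of this message can be checked by comparing the server's HTTP `Date` header and the cookie's `Expires` attribute with the client clock. This is an added example, not OpenNebula or Sunstone code; the cookie name, its 10-minute lifetime and the header values are constructed assumptions.

```ruby
require 'time'

# Assumed threshold: the 10-minute figure quoted in the message above.
MAX_SKEW_SECONDS = 10 * 60

# Signed skew in seconds; positive means the client clock runs ahead.
def clock_skew(server_date_header, client_now)
  client_now.to_i - Time.httpdate(server_date_header).to_i
end

# Extract the Expires attribute of a Set-Cookie header, or nil for a
# session cookie that carries no explicit expiry.
def cookie_expiry(set_cookie_header)
  match = set_cookie_header.match(/;\s*expires=([^;]+)/i)
  match && Time.httpdate(match[1].strip)
end

# A browser evaluates Expires against its own clock, not the server's,
# so a client that runs ahead can discard the cookie on arrival.
def diagnose(server_date_header, set_cookie_header, client_now)
  skew    = clock_skew(server_date_header, client_now)
  expires = cookie_expiry(set_cookie_header)
  {
    skew_seconds:       skew,
    skew_exceeds_limit: skew.abs > MAX_SKEW_SECONDS,
    cookie_usable:      expires.nil? || client_now < expires
  }
end

# Constructed sample response headers (hypothetical cookie name and value).
SAMPLE_DATE   = 'Thu, 06 Sep 2012 03:24:49 GMT'
SAMPLE_COOKIE = 'session=constructed; expires=Thu, 06 Sep 2012 03:34:49 GMT; path=/'

if __FILE__ == $PROGRAM_NAME
  in_sync = Time.utc(2012, 9, 6, 3, 24, 50)  # client 1 second ahead
  skewed  = Time.utc(2012, 9, 6, 3, 36, 49)  # client 12 minutes ahead
  puts "in sync: #{diagnose(SAMPLE_DATE, SAMPLE_COOKIE, in_sync)}"
  puts "skewed:  #{diagnose(SAMPLE_DATE, SAMPLE_COOKIE, skewed)}"
end
```

In practice the two header values would be taken from a real login response while the client time comes from the machine running the browser.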


