[one-users] about ACL
Carlos Martín Sánchez
cmartin at opennebula.org
Thu Jun 13 02:35:26 PDT 2013
Hi,
I don't know what might be failing here. I just tested it with these ACL
rules:
$ oneacl list
ID USER RES_VHNIUTGDCO RID OPE_UMAC
0 @1 V-NI-T---- * ---c
1 @1 -H-------- * -m--
2 * ---------O * ---c
3 @1 V--------- * u---
And when a user tries to perform any manage operation on another user's VM,
from the CLI or from sunstone, this error is returned:
[VirtualMachineAction] User [2] : Not authorized to perform MANAGE VM [2].
Let's confirm some things first:
- Users and VMs are in the 'users' (1) group.
- VMs do not have MANAGE permissions set with chmod (onevm show gives this
information)
- oned.conf does not have an AUTH_MAD/authz defined [1]. Note the Z.
- Can you paste the output of 'oneacl list -x'?
- Just to be sure, check that the operation is actually requested as the
user logged in. In /var/log/one/oned.log, you should see the UID of each
request, like
Req:1792 UID:2 VirtualMachineAction invoked, "delete", 4
Regards
[1]
http://opennebula.org/documentation:rel4.0:oned_conf#auth_manager_configuration
--
Join us at OpenNebulaConf2013 <http://opennebulaconf.com> in Berlin, 24-26
September, 2013
--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open-source Solution for Data Center Virtualization
www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula <http://twitter.com/opennebula>
On Thu, Jun 13, 2013 at 10:16 AM, Valerio Schiavoni <valerio.schiavoni at gmail.com> wrote:
> Hello,
> I'm running OpenNebula 4.0.1, freshly installed, and I'd like to implement
> the following use case ACL-wise: when users log in through the Sunstone
> interface, they should see whether other VMs are currently running and on which
> hosts. Clearly, on VMs owned by other users (even if in the same group), no
> managing actions should be allowed.
>
> This is the current set of ACL rules installed ( i believe these are the
> default ones):
>
> ID USER RES_VHNIUTGDCO RID OPE_UMAC
> 0 @1 V-NI-T---- * ---c
> 11 @1 -H-------- * um--
> 16 * ---------O * ---c
>
>
> If I add this: "@1 VM/* USE", all users can see all other users' VMs, but
> all actions seem to be available (at least through the web interface).
>
> Is this scenario supported somehow?
>
> Thanks,
> Valerio
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
>
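To make the authorization decision in this thread concrete, here is a small Python evaluator of the `oneacl list` rule format. It is an added example written for this page, not OpenNebula's own code: it models the RES_VHNIUTGDCO and OPE_UMAC columns, the "#uid"/"@gid"/"*" user and RID selectors, and the wording of the oned.log denial, and it assumes a simplified authorization order (oneadmin bypass, then the object's chmod permission bits as shown by `onevm show`, then ACL rules). The principals, VM and permission strings are constructed; "%cluster" RIDs are not modelled.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Column conventions of `oneacl list` (OpenNebula 4.0):
RES_LETTERS = "VHNIUTGDCO"  # VM HOST NET IMAGE USER TEMPLATE GROUP DATASTORE CLUSTER DOCUMENT
RES_NAMES = dict(zip(RES_LETTERS, ["VM", "HOST", "NET", "IMAGE", "USER",
                                   "TEMPLATE", "GROUP", "DATASTORE", "CLUSTER", "DOCUMENT"]))
OP_LETTERS = "UMAC"         # USE MANAGE ADMIN CREATE
OP_NAMES = dict(zip(OP_LETTERS, ["USE", "MANAGE", "ADMIN", "CREATE"]))
OP_BY_NAME = {v: k for k, v in OP_NAMES.items()}


@dataclass(frozen=True)
class Rule:
    rule_id: int
    user: str                  # "#<uid>", "@<gid>" or "*"
    resources: FrozenSet[str]  # letters from RES_LETTERS
    rid: str                   # "*", "#<oid>" or "@<gid>"
    ops: FrozenSet[str]        # letters from OP_LETTERS


@dataclass(frozen=True)
class Principal:
    uid: int
    gid: int


@dataclass(frozen=True)
class Resource:
    kind: str       # one letter from RES_LETTERS
    oid: int
    owner_uid: int
    gid: int
    perms: str      # 9 chars: owner/group/other x USE,MANAGE,ADMIN, e.g. "um-------"


def parse_rule(line: str) -> Rule:
    """Parse one data row of `oneacl list` (ID USER RES_VHNIUTGDCO RID OPE_UMAC)."""
    rule_id, user, res, rid, ope = line.split()
    resources = frozenset(c for c, m in zip(RES_LETTERS, res) if m != "-")
    ops = frozenset(c for c, m in zip(OP_LETTERS, ope) if m != "-")
    return Rule(int(rule_id), user, resources, rid, ops)


def parse_rules(text: str) -> List[Rule]:
    rows = [l for l in text.strip().splitlines() if l.strip() and not l.startswith("ID")]
    return [parse_rule(r) for r in rows]


def _selector_matches(sel: str, by_id: int, by_gid: int) -> bool:
    """Shared matcher for USER ("#uid"/"@gid"/"*") and RID ("#oid"/"@gid"/"*")."""
    if sel == "*":
        return True
    if sel.startswith("#"):
        return int(sel[1:]) == by_id
    if sel.startswith("@"):
        return int(sel[1:]) == by_gid
    return False  # "%<cluster>" selectors are not modelled here


def _perm_bits_allow(who: Principal, res: Resource, op: str) -> bool:
    """Permission bits set with chmod; CREATE has no object to carry bits."""
    if op == "C":
        return False
    if who.uid == res.owner_uid:
        triplet = res.perms[0:3]
    elif who.gid == res.gid:
        triplet = res.perms[3:6]
    else:
        triplet = res.perms[6:9]
    return triplet["UMA".index(op)] != "-"


def authorize(rules: List[Rule], who: Principal, op: str, res: Resource) -> Tuple[bool, str]:
    """Return (allowed, explanation); denials use the wording seen in oned.log."""
    op = OP_BY_NAME.get(op.upper(), op.upper())
    if who.uid == 0 or who.gid == 0:
        return True, "oneadmin bypass"  # assumption: uid 0 / oneadmin group skip checks
    if _perm_bits_allow(who, res, op):
        return True, f"granted by object permissions {res.perms}"
    for r in rules:
        if (_selector_matches(r.user, who.uid, who.gid) and res.kind in r.resources
                and _selector_matches(r.rid, res.oid, res.gid) and op in r.ops):
            return True, f"granted by ACL rule {r.rule_id}"
    return False, f"Not authorized to perform {OP_NAMES[op]} {RES_NAMES[res.kind]} [{res.oid}]"


# Constructed copies of the two rule sets quoted in the thread.
CARLOS_RULES = parse_rules("""
0 @1 V-NI-T---- * ---c
1 @1 -H-------- * -m--
2 * ---------O * ---c
3 @1 V--------- * u---
""")
DEFAULT_RULES = parse_rules("""
0 @1 V-NI-T---- * ---c
11 @1 -H-------- * um--
16 * ---------O * ---c
""")


def demo() -> dict:
    requester = Principal(uid=2, gid=1)   # the "UID:2" user, in the 'users' group
    owner = Principal(uid=3, gid=1)       # owns VM 2, same group
    vm2 = Resource("V", 2, owner_uid=3, gid=1, perms="um-------")   # no chmod for group/other
    vm2_chmod = Resource("V", 2, owner_uid=3, gid=1, perms="um-um----")  # group given MANAGE
    return {
        "use_without_vm_rule": authorize(DEFAULT_RULES, requester, "USE", vm2),
        "use_with_rule_3": authorize(CARLOS_RULES, requester, "USE", vm2),
        "manage_other_users_vm": authorize(CARLOS_RULES, requester, "MANAGE", vm2),
        "owner_manage": authorize(CARLOS_RULES, owner, "MANAGE", vm2),
        "manage_after_group_chmod": authorize(CARLOS_RULES, requester, "MANAGE", vm2_chmod),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:26} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The last case is why the reply asks to confirm that the VMs have no MANAGE bits set with chmod: a group-level "m" bit on the object grants MANAGE to every group member before any ACL rule is consulted, so it would produce exactly the symptom described regardless of how narrowly rule 3 is written.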