[one-users] about ACL

Carlos Martín Sánchez cmartin at opennebula.org
Thu Jun 13 02:35:26 PDT 2013


Hi,

I don't know what might be failing here. I just tested it, with these acl
rules:

$ oneacl list
   ID     USER RES_VHNIUTGDCO   RID OPE_UMAC
    0       @1     V-NI-T----     *     ---c
    1       @1     -H--------     *     -m--
    2        *     ---------O     *     ---c
    3       @1     V---------     *     u---

And when a user tries to perform any manage operation on another user's VM,
from the CLI or from sunstone, this error is returned:
[VirtualMachineAction] User [2] : Not authorized to perform MANAGE VM [2].

Let's confirm some things first:
- Users and VMs are in the 'users' (1) group.
- VMs do not have MANAGE permissions set with chmod (onevm show gives this
information)
- oned.conf does not have an AUTH_MAD/authz defined [1]. Note the Z.
- Can you paste the output of 'oneacl list -x'?
- Just to be sure, check that the operation is actually requested as the
user logged in. In /var/log/one/oned.log, you should see the UID of each
request, like
Req:1792 UID:2 VirtualMachineAction invoked, "delete", 4

Regards

[1]
http://opennebula.org/documentation:rel4.0:oned_conf#auth_manager_configuration


--
Join us at OpenNebulaConf2013 <http://opennebulaconf.com> in Berlin, 24-26
September, 2013
--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open-source Solution for Data Center Virtualization
www.OpenNebula.org | cmartin at opennebula.org |
@OpenNebula<http://twitter.com/opennebula><cmartin at opennebula.org>


On Thu, Jun 13, 2013 at 10:16 AM, Valerio Schiavoni <
valerio.schiavoni at gmail.com> wrote:

> Hello,
> I'm running OpenNebula 4.0.1, freshly installed, and I'd like to implement
> the following use-case ACL-wise: when users login through the sunstone
> interface, they should see if other VMs are currently running and on which
> hosts. Clearly, on VMs owned by other users (even if in the same group), no
> managing actions should be allowed.
>
> This is the current set of ACL rules installed (I believe these are the
> default ones):
>
>    ID     USER RES_VHNIUTGDCO   RID OPE_UMAC
>     0       @1     V-NI-T----     *     ---c
>    11       @1     -H--------     *     um--
>    16        *     ---------O     *     ---c
>
>
> If I add this: "@1 VM/* USE" , all users can see all other users' VMs but
> all actions seem to be available (at least through the web interface).
>
> Is this scenario supported somehow?
>
> Thanks,
> Valerio
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
>
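To make the checklist in the reply above concrete, the following is an added example (written for this thread, not OpenNebula's own code) that models how oned resolves a request against the rules printed by `oneacl list`: chmod bits of the object first, then the ACL rules, with oneadmin bypassing both. The scenario is constructed: user 2 and the VM's owner (user 3) are both in group 1, VM 2 has the default permissions (owner um-, group ---, other ---), and the rule table is the one Carlos posted. The bypass for the oneadmin group and the evaluation order are simplifications of oned's real logic.

```python
"""Toy model of OpenNebula ACL resolution (added example, not OpenNebula code).
The VM ownership, permission bits and user ids are constructed for this thread."""
from dataclasses import dataclass, field

# Column RES_VHNIUTGDCO: one letter per resource type, '-' when not granted.
RESOURCE_NAMES = {"V": "VM", "H": "HOST", "N": "NET", "I": "IMAGE", "U": "USER",
                  "T": "TEMPLATE", "G": "GROUP", "D": "DATASTORE", "C": "CLUSTER",
                  "O": "DOCUMENT"}
# Column OPE_UMAC: USE, MANAGE, ADMIN, CREATE.
RIGHT_NAMES = {"u": "USE", "m": "MANAGE", "a": "ADMIN", "c": "CREATE"}
# Index of each right inside a chmod triplet such as "um-" (onevm show PERMISSIONS).
PERM_INDEX = {"USE": 0, "MANAGE": 1, "ADMIN": 2}

# The rule set from the reply above, embedded as sample input.
ONEACL_LIST = """\
   ID     USER RES_VHNIUTGDCO   RID OPE_UMAC
    0       @1     V-NI-T----     *     ---c
    1       @1     -H--------     *     -m--
    2        *     ---------O     *     ---c
    3       @1     V---------     *     u---
"""


@dataclass
class Rule:
    rule_id: int
    user: str        # "#uid", "@gid" or "*"
    resources: set   # resource type names
    rid: str         # "#oid", "@gid" (objects owned by that group) or "*"
    rights: set


@dataclass
class Request:
    uid: int
    gids: set        # groups the requesting user belongs to
    right: str       # "USE", "MANAGE", "ADMIN" or "CREATE"
    resource: str    # e.g. "VM"
    oid: int
    owner_uid: int
    owner_gid: int
    # chmod bits of the object: owner / group / other, each "uma" or "-" (constructed default).
    perms: dict = field(default_factory=lambda: {"owner": "um-", "group": "---", "other": "---"})


def parse_oneacl_list(text):
    """Turn the `oneacl list` table into Rule objects (the header row is skipped)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "ID":
            continue
        rule_id, user, res, rid, ope = parts
        rules.append(Rule(int(rule_id), user,
                          {RESOURCE_NAMES[c] for c in res if c != "-"},
                          rid,
                          {RIGHT_NAMES[c] for c in ope if c != "-"}))
    return rules


def _subject_matches(spec, req):
    if spec == "*" or spec == f"#{req.uid}":
        return True
    return spec.startswith("@") and int(spec[1:]) in req.gids


def _object_matches(spec, req):
    if spec == "*" or spec == f"#{req.oid}":
        return True
    return spec.startswith("@") and int(spec[1:]) == req.owner_gid


def rule_matches(rule, req):
    return (_subject_matches(rule.user, req) and req.resource in rule.resources
            and _object_matches(rule.rid, req) and req.right in rule.rights)


def authorize(rules, req):
    """Return (allowed, reason): which rule or permission bit grants the request,
    or the denial text oned logs when nothing does."""
    if req.uid == 0 or 0 in req.gids:   # oneadmin and its group skip the checks (simplified)
        return True, "oneadmin"
    idx = PERM_INDEX.get(req.right)
    if idx is not None:                  # chmod bits only cover USE/MANAGE/ADMIN
        if req.uid == req.owner_uid and req.perms["owner"][idx] != "-":
            return True, "owner permission bit"
        if req.owner_gid in req.gids and req.perms["group"][idx] != "-":
            return True, "group permission bit"
        if req.perms["other"][idx] != "-":
            return True, "other permission bit"
    for rule in rules:
        if rule_matches(rule, req):
            return True, f"ACL rule {rule.rule_id}"
    return False, f"Not authorized to perform {req.right} {req.resource} [{req.oid}]"


def demo():
    """User 2 (group 1) against VM 2 owned by user 3 (group 1): constructed scenario."""
    rules = parse_oneacl_list(ONEACL_LIST)
    vm = dict(resource="VM", oid=2, owner_uid=3, owner_gid=1)
    return {
        "user2_use": authorize(rules, Request(uid=2, gids={1}, right="USE", **vm)),
        "user2_manage": authorize(rules, Request(uid=2, gids={1}, right="MANAGE", **vm)),
        "owner_manage": authorize(rules, Request(uid=3, gids={1}, right="MANAGE", **vm)),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:14} {'ALLOW' if ok else 'DENY':5} {why}")
```

Running it shows rule 3 granting USE on the other user's VM while MANAGE is denied with the same text as the oned.log line quoted in the reply; only the owner's chmod bit grants MANAGE. If a real deployment behaves differently, the checklist items (group membership, `onevm show` permissions, an AUTH_MAD authz driver, and the UID in oned.log) are where this model and the actual decision would diverge.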