[one-users] about ACL

Valerio Schiavoni valerio.schiavoni at gmail.com
Thu Jun 13 06:21:06 PDT 2013


Hello Carlos,
thanks for your support.


On Thu, Jun 13, 2013 at 11:35 AM, Carlos Martín Sánchez <
cmartin at opennebula.org> wrote:

>
>     3       @1     V---------     *     u---
>

This now works correctly!

The problem was due to a misunderstanding from my side. I was relying on
the web interface, and I was somehow expecting the buttons of the GUI not
to be clickable if the corresponding actions are not authorized!
As a matter of fact, when the user clicks on such actions for not-owned
VMs, the alerts pop out and the action is correctly blocked.

Thank you very much for the help.

best,
valerio


>
> And when a user tries to perform any manage operation on another user's
> VM, from the CLI or from sunstone, this error is returned:
> [VirtualMachineAction] User [2] : Not authorized to perform MANAGE VM [2].
>
> Let's confirm some things first:
> - Users and VMs are in the 'users' (1) group.
> - VMs do not have MANAGE permissions set with chmod (onevm show gives this
> information)
> - oned.conf does not have an AUTH_MAD/authz defined [1]. Note the Z.
> - Can you paste the output of 'oneacl list -x'?
> - Just to be sure, check that the operation is actually requested as the
> user logged in. In /var/log/one/oned.log, you should see the UID of each
> request, like
> Req:1792 UID:2 VirtualMachineAction invoked, "delete", 4
>
> Regards
>
> [1]
> http://opennebula.org/documentation:rel4.0:oned_conf#auth_manager_configuration
>
>
> --
> Join us at OpenNebulaConf2013 <http://opennebulaconf.com> in Berlin,
> 24-26 September, 2013
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - The Open-source Solution for Data Center Virtualization
> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula <http://twitter.com/opennebula>
>
>
> On Thu, Jun 13, 2013 at 10:16 AM, Valerio Schiavoni <
> valerio.schiavoni at gmail.com> wrote:
>
>> Hello,
>> I'm running OpenNebula 4.0.1, freshly installed, and I'd like to
>> implement the following use-case ACL-wise: when users login through the
>> sunstone interface, they should see if other VMs are currently running and
>> on which hosts. Clearly, on VMs owned by other users (even if in the same
>> group), no managing actions should be allowed.
>>
>> This is the current set of ACL rules installed ( i believe these are the
>> default ones):
>>
>>    ID     USER RES_VHNIUTGDCO   RID OPE_UMAC
>>     0       @1     V-NI-T----     *     ---c
>>    11       @1     -H--------     *     um--
>>    16        *     ---------O     *     ---c
>>
>>
>> If I add this: "@1 VM/* USE" , all users can see all other users' VMs but
>> all actions seem to be available (at least through the web interface).
>>
>> Is this scenario supported somehow?
>>
>> Thanks,
>> Valerio
>>
>>
>>
>
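The thread above settles on adding a rule "@1 VM/* USE" next to the default rules, so that group members can see each other's VMs while MANAGE stays reserved to the owner (via the VM's chmod bits). The following Python script is an added illustration, written for this page and not OpenNebula's own authorization code: it parses the 'oneacl list' table as printed in the thread (column order of the RES_VHNIUTGDCO and OPE_UMAC headers as in 4.0, with O taken to be DOCUMENT), and evaluates a request the way the thread describes it, i.e. granted if either the object's owner/group/other permission bits or at least one ACL rule allow it. The sample rule set (the three defaults plus rule 3) and the sample VM (id 4, owned by uid 3 in group 1, default "um-" owner bits) are constructed for the example; the real oned engine handles more cases than this model.

```python
"""Simplified model of OpenNebula ACL rule matching (added example, not oned's code)."""
from dataclasses import dataclass

# Column order of the RES_VHNIUTGDCO header in 'oneacl list' (OpenNebula 4.0)
RESOURCE_COLUMNS = {
    "V": "VM", "H": "HOST", "N": "NET", "I": "IMAGE", "U": "USER",
    "T": "TEMPLATE", "G": "GROUP", "D": "DATASTORE", "C": "CLUSTER", "O": "DOCUMENT",
}
# Column order of the OPE_UMAC header
RIGHT_COLUMNS = {"u": "USE", "m": "MANAGE", "a": "ADMIN", "c": "CREATE"}


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    subject: str          # "*", "#<uid>" or "@<gid>"
    resources: frozenset  # e.g. {"VM", "NET"}
    target: str           # "*", "#<oid>" or "@<gid>"
    rights: frozenset     # e.g. {"USE"}


def parse_oneacl_table(text):
    """Parse the human-readable 'oneacl list' output into AclRule objects."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue  # header or blank line
        rule_id, subject, res_mask, target, ope_mask = parts
        # A '-' in a mask column means that resource type / right is not granted
        resources = frozenset(
            name for (_, name), ch in zip(RESOURCE_COLUMNS.items(), res_mask) if ch != "-"
        )
        rights = frozenset(
            name for (_, name), ch in zip(RIGHT_COLUMNS.items(), ope_mask) if ch != "-"
        )
        rules.append(AclRule(int(rule_id), subject, resources, target, rights))
    return rules


def _selector_matches(selector, an_id, gids):
    """'*' matches anything, '#n' an exact id, '@n' membership in group n."""
    if selector == "*":
        return True
    if selector.startswith("#"):
        return int(selector[1:]) == an_id
    if selector.startswith("@"):
        return int(selector[1:]) in gids
    return False


def acl_allows(rules, uid, user_gids, resource, oid, obj_gid, right):
    """True if at least one rule grants `right` on (resource, oid) to the user."""
    return any(
        _selector_matches(r.subject, uid, user_gids)
        and resource in r.resources
        and _selector_matches(r.target, oid, {obj_gid})
        and right in r.rights
        for r in rules
    )


def object_perms_allow(perm_bits, uid, user_gids, owner_uid, owner_gid, right):
    """Evaluate chmod-style bits as a 9-char string: owner 'uma', group 'uma', other 'uma'.
    Modelled here as a union of the sections that apply to the requesting user
    (simplification: OpenNebula turns these bits into implicit per-object rules)."""
    letter = {"USE": "u", "MANAGE": "m", "ADMIN": "a"}.get(right)
    if letter is None:
        return False  # CREATE is never an object permission
    sections = [perm_bits[6:9]]  # OTHER
    if uid == owner_uid:
        sections.append(perm_bits[0:3])
    if owner_gid in user_gids:
        sections.append(perm_bits[3:6])
    return any(letter in s for s in sections)


def is_authorized(rules, uid, user_gids, resource, oid, owner_uid, owner_gid, perm_bits, right):
    """Request is granted by the object's own permissions OR by an ACL rule."""
    return (object_perms_allow(perm_bits, uid, user_gids, owner_uid, owner_gid, right)
            or acl_allows(rules, uid, user_gids, resource, oid, owner_gid, right))


# Constructed sample: the default rules quoted in the thread plus the '@1 VM/* USE' rule (id 3)
SAMPLE_ACL_TABLE = """\
   ID     USER RES_VHNIUTGDCO   RID OPE_UMAC
    0       @1     V-NI-T----     *     ---c
    3       @1     V---------     *     u---
   11       @1     -H--------     *     um--
   16        *     ---------O     *     ---c
"""
RULES = parse_oneacl_table(SAMPLE_ACL_TABLE)


def demo():
    """Owner (uid 3) and a peer in the same group (uid 2) against VM 4 with 'um-' owner bits."""
    vm = dict(oid=4, owner_uid=3, owner_gid=1, perm_bits="um-------")  # constructed VM
    results = {}
    for who, uid in (("owner", 3), ("peer", 2)):
        for right in ("USE", "MANAGE"):
            results[(who, right)] = is_authorized(
                RULES, uid, {1}, "VM", vm["oid"], vm["owner_uid"],
                vm["owner_gid"], vm["perm_bits"], right)
    return results


if __name__ == "__main__":
    for (who, right), ok in demo().items():
        print(f"{who:5} {right:6} -> {'granted' if ok else 'NOT authorized'}")
```

Running it shows the situation the thread ends with: the peer in group 1 gets USE on VM 4 through rule 3 but is refused MANAGE, while the owner gets both from the VM's own "um-" bits; a user outside group 1 is not matched by any "@1" rule at all.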