[one-users] Assigning limited admin rights
Wilma Hermann
wilma.hermann at gmail.com
Mon Apr 7 04:35:45 PDT 2014
Hi,
Thanks for the info, it was very useful. I'm still having two issues:
1. The default group of a new user is the same as the creating user's
one. I would like to have new users in the "users" group by default. Is
there a way to change this behavior?
2. In Sunstone, the user doing the user management does not see the
existing groups even though he ought to. I created an ACL "#<user_id>
GROUP/* USE+MANAGE+ADMIN", but still the list of groups I can assign to a
user through Sunstone is empty (Even the string "Please select" does not
appear). On the command line, a "oneuser chgrp" works flawlessly using this
account, so I guess it's a bug in Sunstone.
Greetings
Wilma
2014-04-04 10:34 GMT+02:00 Carlos Martín Sánchez <cmartin at opennebula.org>:
> Hi,
>
> Adding to what Rubén said, the acl modification is only allowed for users
in
> the oneadmin group.
>
> Make sure you use the reference command-auth tables in the xml-rpc doc [1]
> to create your rules.
>
> For example, oneuser passwd requires USER:MANAGE. The rule "#<user_id>
> USER/* USE+MANAGE+ADMIN" will allow your user to change oneadmin's
password.
> In this case, you will want to create a rule targeting each group
(excluding
> oneadmin).
>
> Regards
>
> [1]
>
http://docs.opennebula.org/4.4/integration/system_interfaces/api.html#authorization-requests-reference
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula
>
>
> On Thu, Apr 3, 2014 at 2:19 PM, Ruben S. Montero <rsmontero at opennebula.org
>
> wrote:
>>
>> Hi
>>
>> Probably, the following may work...
>>
>> oneacl create "#<user_id> USER/* CREATE"
>> oneacl create "#<user_id> USER/* USE+MANAGE+ADMIN"
>>
>> Take a look to the ACL guide for more info:
>>
>>
>>
http://docs.opennebula.org/4.4/administration/users_and_groups/manage_acl.html
>>
>> Cheers
>>
>> Ruben
>>
>>
>>
>> On Thu, Apr 3, 2014 at 12:08 PM, Wilma Hermann <wilma.hermann at gmail.com>
>> wrote:
>>>
>>> Hi,
>>>
>>> Is it possible to assign limited admin rights to certain accounts? I
>>> would like to have a user that is allowed to do all the user
>>> management (creating users, adding users to existing groups, etc.)
>>> without adding this user to the oneadmin-group. In particular, I would
>>> like to deny this user access to all other users' VMs, templates,
>>> images, etc. The user also shouldn't have write-access to the ACLs
>>> (otherwise limits would make no sense obviously).
>>>
>>> Greetings
>>> Wilma
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>>
>>
>>
>> --
>> --
>> Ruben S. Montero, PhD
>> Project co-Lead and Chief Architect
>> OpenNebula - Flexible Enterprise Cloud Made Simple
>> www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20140407/dc30a213/attachment-0002.htm>
More information about the Users
mailing list