[one-users] Assigning limited admin rights

Wilma Hermann wilma.hermann at gmail.com
Wed Apr 9 08:27:04 PDT 2014


Hi,

To answer my own mail, I could resolve both problems. For the sake of
completeness, here's how:

   1. I'm using a hook to change a new user's group after creation using
   the approach from this thread:
   http://lists.opennebula.org/pipermail/users-opennebula.org/2013-September/024648.html
   2. The problem here was that I used the vdcadmin view in Sunstone for
   the user. By debugging I found out that the list of groups in Sunstone is
   populated by some JavaScript loaded by the groups panel. In the vdcadmin
   view, the groups panel is disabled by default, therefore the list of groups
   is empty. It's arguably either a bug or a strict permission management
   thing, I can't judge that. However, if I enable the groups panel and
   prevent the user from making changes to the groups, I have everything I
   wanted to build.

Greetings
Wilma


2014-04-07 13:35 GMT+02:00 Wilma Hermann <wilma.hermann at gmail.com>:

> Hi,
>
> Thanks for the info, it was very useful. I'm still having two issues:
>
>
>    1. The default group of a new user is the same as the creating user's
>    one. I would like to have new users in the "users" group by default. Is
>    there a way to change this behavior?
>    2. In Sunstone, the user doing the user management does not see the
>    existing groups even though he ought to. I created an ACL "#<user_id>
>    GROUP/* USE+MANAGE+ADMIN", but still the list of groups I can assign to a
>    user through Sunstone is empty (Even the string "Please select" does not
>    appear). On the command line, a "oneuser chgrp" works flawlessly using this
>    account, so I guess it's a bug in Sunstone.
>
> Greetings
> Wilma
>
> 2014-04-04 10:34 GMT+02:00 Carlos Martín Sánchez <cmartin at opennebula.org>:
>
> > Hi,
> >
> > Adding to what Rubén said, the ACL modification is only allowed for users in
> > the oneadmin group.
> >
> > Make sure you use the reference command-auth tables in the xml-rpc doc [1]
> > to create your rules.
> >
> > For example, oneuser passwd requires USER:MANAGE. The rule "#<user_id>
> > USER/* USE+MANAGE+ADMIN" will allow your user to change oneadmin's password.
> > In this case, you will want to create a rule targeting each group (excluding
> > oneadmin).
> >
> > Regards
> >
> > [1] http://docs.opennebula.org/4.4/integration/system_interfaces/api.html#authorization-requests-reference
> > --
> > Carlos Martín, MSc
> > Project Engineer
> > OpenNebula - Flexible Enterprise Cloud Made Simple
> > www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula
> >
> >
> > On Thu, Apr 3, 2014 at 2:19 PM, Ruben S. Montero <rsmontero at opennebula.org>
> > wrote:
> >>
> >> Hi
> >>
> >> Probably, the following may work...
> >>
> >> oneacl create "#<user_id> USER/* CREATE"
> >> oneacl create "#<user_id> USER/* USE+MANAGE+ADMIN"
> >>
> >> Take a look at the ACL guide for more info:
> >>
> >> http://docs.opennebula.org/4.4/administration/users_and_groups/manage_acl.html
> >>
> >> Cheers
> >>
> >> Ruben
> >>
> >>
> >>
> >> On Thu, Apr 3, 2014 at 12:08 PM, Wilma Hermann <wilma.hermann at gmail.com>
> >> wrote:
> >>>
> >>> Hi,
> >>>
> >>> Is it possible to assign limited admin rights to certain accounts? I
> >>> would like to have a user that is allowed to do all the user
> >>> management (creating users, adding users to existing groups, etc.)
> >>> without adding this user to the oneadmin-group. In particular, I would
> >>> like to deny this user access to all other users' VMs, templates,
> >>> images, etc. The user also shouldn't have write-access to the ACLs
> >>> (otherwise limits would make no sense obviously).
> >>>
> >>> Greetings
> >>> Wilma
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.opennebula.org
> >>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
> >>
> >> --
> >> Ruben S. Montero, PhD
> >> Project co-Lead and Chief Architect
> >> OpenNebula - Flexible Enterprise Cloud Made Simple
> >> www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
>
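
Carlos's reply above recommends one rule per group, excluding oneadmin, instead of a single `USER/*` rule. As an added example (not part of the thread and not OpenNebula's own tooling), this script prints those per-group `oneacl create` commands and flags a rule string that still grants MANAGE or ADMIN on `USER/*`. The user ID 7 and the group list are constructed; `USER/@<group_id>` is the per-group resource form described in the ACL guide.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Nothing here calls OpenNebula:
# the functions only print or inspect ACL rule strings.

# Constructed sample input: "<group_id> <group_name>", one group per line.
SAMPLE_GROUPS='0 oneadmin
1 users
100 webteam
101 research'

# Print one "oneacl create" command per group, skipping oneadmin (ID 0),
# so the delegated account gets no MANAGE/ADMIN over oneadmin-group users.
scoped_user_rules() {
    local uid="$1" groups="$2" gid name
    while read -r gid name; do
        [ -z "$gid" ] && continue
        if [ "$gid" = "0" ] || [ "$name" = "oneadmin" ]; then
            continue
        fi
        printf 'oneacl create "#%s USER/@%s USE+MANAGE+ADMIN"\n' "$uid" "$gid"
    done <<EOF
$groups
EOF
}

# Succeed (exit status 0) when a rule "<subject> <resource> <rights>" grants
# MANAGE or ADMIN on all users, the case that reaches oneadmin's password.
rule_is_too_broad() {
    local subject resource rights
    read -r subject resource rights <<EOF
$1
EOF
    case "$resource" in
        *USER*/\*) ;;            # USER is in the resource list, scope is "*"
        *) return 1 ;;
    esac
    case "$rights" in
        *MANAGE*|*ADMIN*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: print the scoped rules for a constructed user ID 7 (run them as oneadmin).
scoped_user_rules 7 "$SAMPLE_GROUPS"
```

Groups created later need their own rule, so the generated list has to be refreshed whenever a group is added.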