[one-users] Assigning limited admin rights

Carlos Martín Sánchez cmartin at opennebula.org
Thu Apr 10 07:48:52 PDT 2014


Hi,

On Wed, Apr 9, 2014 at 5:27 PM, Wilma Hermann <wilma.hermann at gmail.com> wrote:

> Hi,
>
> To answer my own mail, I could resolve both problems. For the sake of
> completeness, here's how:
>
>    1. I'm using a hook to change a new user's group after creation using
>    the approach from this thread:
>    http://lists.opennebula.org/pipermail/users-opennebula.org/2013-September/024648.html
>
>
You could also put your admin user in the users group as the primary group,
and add the admin group as a secondary group. This way all new users
will belong to the 'users' group.

Regards
--
Carlos Martín, MSc
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org <http://www.opennebula.org/> | cmartin at opennebula.org |
@OpenNebula <http://twitter.com/opennebula>



>
>    2. The problem here was that I used the vdcadmin view in Sunstone for
>    the user. By debugging I found out that the list of groups in Sunstone is
>    populated by some javascript loaded by the groups panel. In the vdcadmin
>    view, the groups panel is disabled by default, therefore the list of groups
>    is empty. It's arguably either a bug or a strict permission management
>    thing, I can't judge that. However, if I enable the groups panel and
>    prevent the user from making changes to the groups, I have everything I
>    wanted to build.
>
> Greetings
> Wilma
>
>
> 2014-04-07 13:35 GMT+02:00 Wilma Hermann <wilma.hermann at gmail.com>:
>
> Hi,
>>
>> Thanks for the info, it was very useful. I'm still having two issues:
>>
>>
>>    1. The default group of a new user is the same as the creating user's
>>    one. I would like to have new users in the "users" group by default. Is
>>    there a way to change this behavior?
>>    2. In Sunstone, the user doing the user management does not see the
>>    existing groups even though he ought to. I created an ACL "#<user_id>
>>    GROUP/* USE+MANAGE+ADMIN", but still the list of groups I can assign to a
>>    user through Sunstone is empty (Even the string "Please select" does not
>>    appear). On the command line, a "oneuser chgrp" works flawlessly using this
>>    account, so I guess it's a bug in Sunstone.
>>
>> Greetings
>> Wilma
>> 2014-04-04 10:34 GMT+02:00 Carlos Martín Sánchez <cmartin at opennebula.org>:
>>
>> > Hi,
>> >
>> > Adding to what Rubén said, the acl modification is only allowed for
>> > users in the oneadmin group.
>> >
>> > Make sure you use the reference command-auth tables in the xml-rpc doc
>> > [1] to create your rules.
>> >
>> > For example, oneuser passwd requires USER:MANAGE. The rule "#<user_id>
>> > USER/* USE+MANAGE+ADMIN" will allow your user to change oneadmin's
>> > password. In this case, you will want to create a rule targeting each
>> > group (excluding oneadmin).
>> >
>> > Regards
>> >
>> > [1]
>> > http://docs.opennebula.org/4.4/integration/system_interfaces/api.html#authorization-requests-reference
>> > --
>> > Carlos Martín, MSc
>> > Project Engineer
>> > OpenNebula - Flexible Enterprise Cloud Made Simple
>> > www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula
>> >
>> >
>> > On Thu, Apr 3, 2014 at 2:19 PM, Ruben S. Montero <rsmontero at opennebula.org> wrote:
>> >>
>> >> Hi
>> >>
>> >> Probably, the following may work...
>> >>
>> >> oneacl create "#<user_id> USER/* CREATE"
>> >> oneacl create "#<user_id> USER/* USE+MANAGE+ADMIN"
>> >>
>> >> Take a look at the ACL guide for more info:
>> >>
>> >> http://docs.opennebula.org/4.4/administration/users_and_groups/manage_acl.html
>> >>
>> >> Cheers
>> >>
>> >> Ruben
>> >>
>> >>
>> >>
>> >> On Thu, Apr 3, 2014 at 12:08 PM, Wilma Hermann <wilma.hermann at gmail.com> wrote:
>> >>>
>> >>> Hi,
>> >>>
>> >>> Is it possible to assign limited admin rights to certain accounts? I
>> >>> would like to have a user that is allowed to do all the user
>> >>> management (creating users, adding users to existing groups, etc.)
>> >>> without adding this user to the oneadmin-group. In particular, I would
>> >>> like to deny this user access to all other users' VMs, templates,
>> >>> images, etc. The user also shouldn't have write-access to the ACLs
>> >>> (otherwise limits would make no sense obviously).
>> >>>
>> >>> Greetings
>> >>> Wilma
>> >>> _______________________________________________
>> >>> Users mailing list
>> >>> Users at lists.opennebula.org
>> >>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> Ruben S. Montero, PhD
>> >> Project co-Lead and Chief Architect
>> >> OpenNebula - Flexible Enterprise Cloud Made Simple
>> >> www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
>> >>
>> >>
>> >
>>
>>
>
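The scoping point Carlos makes above (a "#<user_id> USER/* USE+MANAGE+ADMIN" rule lets the delegated admin run oneuser passwd against oneadmin itself, so the rule should target each group instead) can be checked with a small model of the ACL rule grammar from the linked guide. This is an added example written for this thread, not OpenNebula's own authorization code; it is a simplified matcher (no multi-right requests, no oneadmin-group bypass, no zone field), and the ids used (delegated admin uid 5, regular user uid 7, group 1 as "users", group 0 as "oneadmin") are constructed sample values.

```python
"""Simplified model of OpenNebula 4.x ACL matching (constructed example).

Rule grammar modelled: "<user> <TYPE>/<subset> <RIGHT>+<RIGHT>" where
<user> and <subset> are '*', '#<id>' or '@<gid>'.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    """A target object as the ACL engine sees it: type, id and owning group.
    For USER objects the 'group' is the user's primary group (assumption)."""
    kind: str   # e.g. "USER", "ACL", "VM"
    oid: int
    gid: int


def parse_rule(rule: str):
    """Split a rule string into (user_spec, {types}, subset, {rights})."""
    user, resource, rights = rule.split()
    kinds, subset = resource.split("/")
    return user, set(kinds.split("+")), subset, set(rights.split("+"))


def _spec_matches(spec: str, oid: int, gid: int) -> bool:
    """'*' matches everything, '#<id>' one object, '@<gid>' a group's members."""
    if spec == "*":
        return True
    if spec.startswith("#"):
        return oid == int(spec[1:])
    if spec.startswith("@"):
        return gid == int(spec[1:])
    raise ValueError(f"unsupported spec {spec!r}")


def is_authorized(rules, uid: int, ugid: int, right: str, target: Obj) -> bool:
    """Grant if any rule matches the requester, the target object and the right."""
    for rule in rules:
        user, kinds, subset, rights = parse_rule(rule)
        if (_spec_matches(user, uid, ugid) and target.kind in kinds
                and _spec_matches(subset, target.oid, target.gid)
                and right in rights):
            return True
    return False


# Sample rule sets (constructed): the broad one from the thread, and a
# per-group variant that only covers users whose primary group is 1 ("users").
BROAD = ["#5 USER/* CREATE", "#5 USER/* USE+MANAGE+ADMIN"]
SCOPED = ["#5 USER/* CREATE", "#5 USER/@1 USE+MANAGE+ADMIN"]
ONEADMIN = Obj("USER", 0, 0)   # oneadmin user in group 0 (sample ids)
REGULAR = Obj("USER", 7, 1)    # an ordinary user in group 1 (sample ids)
```

Running `is_authorized(BROAD, 5, 1, "MANAGE", ONEADMIN)` returns True while the SCOPED set returns False for the same request and still True for REGULAR; neither set grants anything on ACL objects, which is the other restriction Wilma asked for.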