[one-users] Virtual Network's permission not being enforced

Carlos Martín Sánchez cmartin at opennebula.org
Tue Jun 10 02:33:27 PDT 2014


Hi,

On Tue, Jun 10, 2014 at 10:48 AM, Yudai Yamagishi <yummy at yumnet.jp> wrote:

> Hi,
>
> I’m having a problem where the virtual network’s permissions aren’t being
> enforced.
> I have a Virtual Network with the following configuration:
> --
> $ onevnet show 10
> VIRTUAL NETWORK 10 INFORMATION
> ID             : 10
> NAME           : usernet-v3001
> USER           : oneadmin
> GROUP          : oneadmin
> CLUSTER        : -
> TYPE           : RANGED
> BRIDGE         : br3001
> VLAN           : No
> USED LEASES    : 0
>
> PERMISSIONS
> OWNER          : um-
> GROUP          : ---
> OTHER          : ---
>
> VIRTUAL NETWORK TEMPLATE
> BRIDGE="br3001"
> NETWORK_ADDRESS="10.0.0.0"
> NETWORK_MASK="255.0.0.0"
> PHYDEV=""
> VLAN="NO"
> VLAN_ID=""
>
> RANGE
> IP_START       : 10.0.0.1
> IP_END         : 10.255.255.254
>
> VIRTUAL MACHINES
>
> What I am expecting is that users other than the oneadmin user shouldn’t be
> able to see or use this virtual network.
> However, in Sunstone, when I click “Attach Nic” in one of the VMs, I can
> see the VNETs which I should not have
> permission to. Also, I can select the VNET and a NIC is attached to the
> VNET I don’t have USE permission to.
> Everything else, like VMs and Templates, works as expected; it is only VNETs
> that don’t seem to enforce permissions properly.
>
> Is this a bug or is it something I missed in the documentation?
>

You may have an ACL rule that grants the USE permission. Read [1] for more
information.
That ACL rule probably comes from the vDC resource provider [2]
configuration; the bootstrap assigns the resource provider "All" to the
users group.


> I’m currently using OpenNebula from git which was latest as of Mar 31.
> (last commit is c191cee306c23f0d5c030cf24b7dadfc0d375088)
>
>
I would strongly advise against that... If you are going to install from
git, at least check out the release-4.6.1 tag.


> Thanks!
> Yudai Yamagishi
>

Regards

[1]
http://docs.opennebula.org/4.6/administration/users_and_groups/manage_acl.html#how-permission-is-granted-or-denied
[2]
http://docs.opennebula.org/4.6/administration/users_and_groups/manage_groups.html#managing-vdc-and-resource-providers

--
Carlos Martín, MSc
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org <http://www.opennebula.org/> | cmartin at opennebula.org |
@OpenNebula <http://twitter.com/opennebula> <cmartin at opennebula.org>
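
Added example, not part of the original message and not OpenNebula's own code: a simplified Python model of the evaluation order described in [1] (oneadmin, then the object's permission bits, then ACL rules), applied to the VNET shown in the question. The user ID 2 and both ACL rule strings are constructed for illustration; cluster (`%`) targets and the zone field are not modelled.

```python
from dataclasses import dataclass

@dataclass
class Resource:
    kind: str      # ACL resource type, e.g. "NET"
    rid: int
    owner: int
    group: int
    perms: tuple   # (owner, group, other) as printed by `onevnet show`, e.g. "um-"

BIT = {"USE": 0, "MANAGE": 1, "ADMIN": 2}

def bits_allow(uid, gid, res, right):
    """Check the object's own permission bits (the PERMISSIONS block)."""
    if right not in BIT:
        return False
    scopes = [res.perms[2]]                  # OTHER applies to everyone
    if uid == res.owner:
        scopes.append(res.perms[0])
    if gid == res.group:
        scopes.append(res.perms[1])
    return any(s[BIT[right]] != "-" for s in scopes)

def acl_allows(uid, gid, res, right, rule):
    """Match one ACL rule string of the form '<user> <resources> <rights>'."""
    who, what, rights = rule.split()[:3]
    kinds, _, target = what.partition("/")
    user_ok = who in ("*", f"#{uid}", f"@{gid}")
    res_ok = (res.kind in kinds.split("+")
              and target in ("*", f"#{res.rid}", f"@{res.group}"))
    return user_ok and res_ok and right in rights.split("+")

def explain(uid, gid, res, right, rules):
    """Return the reason a request is granted, or None if it is denied."""
    if uid == 0 or gid == 0:                 # oneadmin user / group have ID 0
        return "oneadmin"
    if bits_allow(uid, gid, res, right):
        return "permission bits"
    for rule in rules:                       # any single matching rule grants
        if acl_allows(uid, gid, res, right, rule):
            return f"ACL rule: {rule}"
    return None

# VNET 10 from the question: owned by oneadmin, permissions um- / --- / ---
VNET = Resource("NET", 10, owner=0, group=0, perms=("um-", "---", "---"))
# Constructed rules; the second is the kind of group-wide grant the reply suspects.
RULES = ["@1 VM+IMAGE+TEMPLATE/* CREATE", "@1 NET+DATASTORE/* USE"]

if __name__ == "__main__":
    # Hypothetical user 2 in the users group (ID 1)
    print(explain(2, 1, VNET, "USE", RULES))
```

Because ACL rules only add rights, the restrictive permission bits on the VNET do not cancel a group-wide rule; the output of `oneacl list` is where to look for a rule of this shape.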