[one-users] Virtual Network's permission not being enforced

Yudai Yamagishi yummy at yumnet.jp
Tue Jun 10 02:48:10 PDT 2014


Hi,

> You may have an ACL rule that grants the USE permission. Read [1] for more information.
> That ACL rule probably comes from the vDC resource provider [2] configuration, the bootstrap assigns the resources provider "All" to the users group.
Thanks! I found the ACL that was granting the USE permission.
I was able to fix this by deleting this ACL.

> I would strongly advise against that... If you are going to install from git, at least check out the release-4.6.1 tag.
I will be upgrading in the near future :)

Best Regards,
Yudai Yamagishi

On 2014/06/10 18:33, Carlos Martín Sánchez <cmartin at opennebula.org> wrote:

> Hi,
> 
> On Tue, Jun 10, 2014 at 10:48 AM, Yudai Yamagishi <yummy at yumnet.jp> wrote:
> Hi,
> 
> I’m having a problem where the virtual network’s permissions aren’t being enforced.
> I have a Virtual Network with the following configuration:
> --
> $ onevnet show 10
> VIRTUAL NETWORK 10 INFORMATION
> ID             : 10
> NAME           : usernet-v3001
> USER           : oneadmin
> GROUP          : oneadmin
> CLUSTER        : -
> TYPE           : RANGED
> BRIDGE         : br3001
> VLAN           : No
> USED LEASES    : 0
> 
> PERMISSIONS
> OWNER          : um-
> GROUP          : ---
> OTHER          : ---
> 
> VIRTUAL NETWORK TEMPLATE
> BRIDGE="br3001"
> NETWORK_ADDRESS="10.0.0.0"
> NETWORK_MASK="255.0.0.0"
> PHYDEV=""
> VLAN="NO"
> VLAN_ID=""
> 
> RANGE
> IP_START       : 10.0.0.1
> IP_END         : 10.255.255.254
> 
> VIRTUAL MACHINES
> 
> What I am expecting is that users other than the oneadmin user shouldn’t be able to see or use this virtual network.
> However, in Sunstone, when I click “Attach Nic” in one of the VMs, I can see the VNETs which I should not have
> permission to. Also, I can select the VNET and a NIC is attached to the VNET I don’t have USE permission to.
> Everything else like VMs and Templates works as expected; only VNETs don’t seem to enforce permissions properly.
> 
> Is this a bug or is it something I missed in the documentation?
> 
> You may have an ACL rule that grants the USE permission. Read [1] for more information.
> That ACL rule probably comes from the vDC resource provider [2] configuration, the bootstrap assigns the resources provider "All" to the users group.
>  
> I’m currently using OpenNebula from git which was latest as of Mar 31.
> (last commit is c191cee306c23f0d5c030cf24b7dadfc0d375088)
> 
> 
> I would strongly advise against that... If you are going to install from git, at least check out the release-4.6.1 tag.
>  
> Thanks!
> Yudai Yamagishi
> 
> Regards
> 
> [1] http://docs.opennebula.org/4.6/administration/users_and_groups/manage_acl.html#how-permission-is-granted-or-denied
> [2] http://docs.opennebula.org/4.6/administration/users_and_groups/manage_groups.html#managing-vdc-and-resource-providers
> 
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula
> 
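
The resolution described in this thread (permission bits deny, an ACL rule still grants USE), as an added example that is not part of the original messages or OpenNebula's own code. It is a simplified model of the rule-string syntax from [1]; the sample rules, user ID 5 and the membership in group 1 are constructed assumptions, and cluster (%) resource IDs and zones are not evaluated.

```python
import re

# Constructed sample rules in ACL string syntax:
#   <user> <resources>/<resource id> <rights> [<zone>]
SAMPLE_RULES = [
    "@1 VM+NET+IMAGE+TEMPLATE/* CREATE",
    "@1 NET+DATASTORE/* USE",      # the kind of group-wide grant discussed above
    "#5 IMAGE/#31 USE+MANAGE",
    "@105 NET/@105 USE",
]
# Permission bits of VNET 10 as shown by `onevnet show 10` in the thread.
VNET10_PERMS = {"owner": "um-", "group": "---", "other": "---"}

RULE_RE = re.compile(r"^(\S+)\s+([A-Z+]+)/(\S+)\s+([A-Z+]+)(?:\s+\S+)?$")

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ACL rule string: {text!r}")
    user, resources, rid, rights = m.groups()
    return {"user": user, "resources": set(resources.split("+")),
            "rid": rid, "rights": set(rights.split("+")), "raw": text}

def bits_allow_use(uid, gids, owner_uid, owner_gid, perms):
    """Evaluate only the object's own owner/group/other USE bit."""
    if uid == owner_uid:
        return perms["owner"][0] == "u"
    if owner_gid in gids:
        return perms["group"][0] == "u"
    return perms["other"][0] == "u"

def rules_granting(rules, uid, gids, resource, right, obj_id, obj_gid):
    """Return the rule strings that grant `right` on the object to the user."""
    hits = []
    for r in map(parse_rule, rules):
        user_ok = r["user"] in {"*", f"#{uid}"} | {f"@{g}" for g in gids}
        obj_ok = r["rid"] in {"*", f"#{obj_id}", f"@{obj_gid}"}
        if user_ok and obj_ok and resource in r["resources"] and right in r["rights"]:
            hits.append(r["raw"])
    return hits

if __name__ == "__main__":
    # Constructed user 5 in group 1; VNET 10 is owned by oneadmin (0) / oneadmin (0).
    print("bits allow USE:", bits_allow_use(5, [1], 0, 0, VNET10_PERMS))
    print("granting rules:", rules_granting(SAMPLE_RULES, 5, [1], "NET", "USE", 10, 0))
```

An empty result from rules_granting together with a False from bits_allow_use is the state the original poster expected for VNET 10.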