Hi Lars,<br><br>The functionality you are describing will be available for the next release.<br><br>Our first idea is to have a main group and many secondary ones for each user; the rest of the resources will belong only to one group.<br>
We'll implement an ACL system to allow fine-tuning of the permissions.<br><br><br>If you need to implement it for 2.2, I'd suggest a workaround in the authorization module.<br><br>The VNET, Image and VM templates can contain arbitrary data to store group information, but new data cannot be added once the resource is created (with the exception of Images). So the resource-group association will be better managed in an external DB, which shouldn't be problematic since all OpenNebula resources are identified by a unique ID.<br>
<br>About the creation and management of groups, it could be done totally independent from OpenNebula, as long as the data is stored in a DB accesible from the authorization driver. If the driver is written in ruby, the sequel gem can take care of both sqlite and mysql connections.<br>
<br>The main problem with this workaround is that users will be able to list and see all resources, without a way to identify which ones are available for them.<br>This could be tackled modifying the onevm, oneimage and onevnet commands. Since these files are just ruby scripts, you could read your permissions DB and add a new column to the resources table showing the group(s) they belong to. Or even hide some of the resources.<br>
<br>For the external DB, sqlite should do just fine. I believe you can even protect it setting the file to be read-only for the users executing the onevm/oneimage commands, and writable for oneadmin.<br><br><br>Best regards,<br>
Carlos.<br><br clear="all"><span style="border-collapse:collapse;color:rgb(136, 136, 136);font-family:arial, sans-serif;font-size:13px">--<br>Carlos Martín, MSc<br>Project Major Contributor<br><span style="background-color:rgb(255, 255, 204);color:rgb(34, 34, 34);background-repeat:initial initial">OpenNebula</span> - The Open Source Toolkit for Cloud Computing<br>
<a href="http://www.opennebula.org/" style="color:rgb(42, 93, 176)" target="_blank">www.<span style="background-color:rgb(255, 255, 204);color:rgb(34, 34, 34);background-repeat:initial initial">OpenNebula</span>.org</a> | <a href="mailto:cmartin@opennebula.org" style="color:rgb(42, 93, 176)" target="_blank">cmartin@<span style="background-color:rgb(255, 255, 204);color:rgb(34, 34, 34);background-repeat:initial initial">opennebula</span>.org</a></span><br>
<br><br><div class="gmail_quote">On Thu, Apr 28, 2011 at 6:13 PM, Lars Kellogg-Stedman <span dir="ltr"><<a href="mailto:lars@seas.harvard.edu" target="_blank">lars@seas.harvard.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
We're looking at using OpenNebula to support courses in our CS area.<br>
This will ultimately require some form of group-based authorization,<br>
so that we can restrict control over vm instances to specific groups<br>
of students, and so that we can restrict access to disk images to<br>
particular classes. There's no support for this out of the box, and<br>
more importantly there's no support in the API [that I have been able<br>
to find] for associating arbitrary metadata with objects in<br>
OpenNebula. Before we start down the road of trying to implement<br>
something that meets our needs, I'm curious if anyone else has<br>
implemented something that we could either use or at least use as a<br>
model.<br>
<br>
Ideally, we want to associate objects (networks, disk images, vm<br>
instances) with one or more groups, and then use the same backend used<br>
for authentication to make authorization decisions. In this case,<br>
that means we'd be pulling group information out of LDAP.<br>
<br>
Cheers,<br>
<br>
--<br>
<font color="#888888">Lars Kellogg-Stedman <<a href="mailto:lars@seas.harvard.edu" target="_blank">lars@seas.harvard.edu</a>><br>
Senior Technologist<br>
Harvard University SEAS<br>
Academic and Research Computing (ARC)<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
</font></blockquote></div><br>