Hi,<div><br></div><div>Please find my comments inline</div><div><br></div><div>On Thu, Oct 4, 2012 at 10:28 PM, Gandalf Corvotempesta <span dir="ltr"><<a href="mailto:gandalf.corvotempesta@gmail.com" target="_blank">gandalf.corvotempesta@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Let's assume a single OpenNebula installation with 5 nodes managed.<br>
In a dedicated VM (outside Opennebula) i'll install oZones.<br></blockquote><div><br></div><div>Since you are only going to manage one OpenNebula zone, you can install the oZones server in the same front-end machine. But of course a dedicated machine is completely fine.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">With this VM i'll be able to manage the original opennebula installation.<br>
If I create a VDC, can the vdc admin user instantiate virtual machines<br>from ozone resources by reading public images from the datastore?<br></blockquote><div><br></div><div>The permissions in opennebula are very fine-grained and flexible.</div>
<div><br></div><div>You have two mechanisms: permissions for each resource [1] and ACL Rules [2].</div><div>The permissions are easier to manage (users can also manage them) and understand, as they are very similar to the unix file-system permissions. The ACL Rules have to be set by oneadmin, and allow more advanced resource usage control. </div>
<div><br></div><div>A "public image" can be shared with permissions, giving USE privileges to OTHER users. This can be done with the command 'oneimage chmod <id> 604'</div><div><br></div><div>If you need to make it available only to a set of specific users or groups, you can use ACL Rules similar to this one:</div>
<div>oneacl create "#<user_id> @<group_id_for_images>/IMAGE USE"</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
What happens if I create multiple VDCs from the same oZone, managed by<br>multipele vdc admins? For example, if VDCAdmin1 creates VM snapshot,<br>that snapshot, will also be available to VDCAdmin2?<br></blockquote></div>
<div>
<br></div><div>No. By default, resources (Images in this case) are created with permissions 600 (only the owner can USE & MANAGE it). The owner can decide to share it with his group (640 or 660), but the permissions to OTHER users can only be set if you allow it. See ENABLE_OTHER_PERMISSIONS in oned.conf [3]</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I would like to create multiple VDC, with multiple VDC admins but non<br>related with each other. Also, these VDC admin should not be able to<br>customize our image templates or network definitions. Is this<br>possibile?<br>
</blockquote></div><div><br></div><div>By default VDCs are isolated from each other.</div><div>The shared Image and VNets can't be edited unless the user has MANAGE rights, see the Authorization Requests Reference section in the API reference (oneimage/onevnet update) [4]. So you only need to make sure you give USE rights to your VDC users.</div>
<div><br></div><div>Regards</div><div><br></div><div>[1] <a href="http://opennebula.org/documentation:rel3.6:chmod" target="_blank">http://opennebula.org/documentation:rel3.6:chmod</a></div><div>[2] <a href="http://opennebula.org/documentation:rel3.6:manage_acl" target="_blank">http://opennebula.org/documentation:rel3.6:manage_acl</a></div>
<div>[3] <a href="http://opennebula.org/documentation:rel3.6:oned_conf#auth_manager_configuration">http://opennebula.org/documentation:rel3.6:oned_conf#auth_manager_configuration</a></div><div>[4] <a href="http://opennebula.org/documentation:rel3.6:api">http://opennebula.org/documentation:rel3.6:api</a></div>
<div><br clear="all">--<br>Carlos Martín, MSc<br>Project Engineer<br>
OpenNebula - The Open-source Solution for Data Center Virtualization<div><span style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"><a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a> | <a href="http://twitter.com/opennebula" target="_blank">@OpenNebula</a></span><span style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"><a href="mailto:cmartin@opennebula.org" style="color:rgb(42,93,176)" target="_blank"></a></span></div>
<br>
<br><br><div class="gmail_quote">On Thu, Oct 4, 2012 at 10:28 PM, Gandalf Corvotempesta <span dir="ltr"><<a href="mailto:gandalf.corvotempesta@gmail.com" target="_blank">gandalf.corvotempesta@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Let's assume a single OpenNebula installation with 5 nodes managed.<br>
In a dedicated VM (outside Opennebula) i'll install oZones.<br>
<br>
With this VM i'll be able to manage the original opennebula installation.<br>
If I create a VDC, can the vdc admin user instantiate virtual machines<br>
from ozone resources by reading public images from the datastore? What<br>
happens if I create multiple VDCs from the same oZone, managed by<br>
multipele vdc admins? For example, if VDCAdmin1 creates VM snapshot,<br>
that snapshot, will also be available to VDCAdmin2?<br>
<br>
I would like to create multiple VDC, with multiple VDC admins but non<br>
related with each other. Also, these VDC admin should not be able to<br>
customize our image templates or network definitions. Is this<br>
possibile?<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
</blockquote></div><br></div>