<div dir="ltr">Hello Carlos,<div>thanks for your support.</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 13, 2013 at 11:35 AM, Carlos Martín Sánchez <span dir="ltr"><<a href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div><div><font face="courier new, monospace"> 3 @1 V--------- * u---</font></div>
</div></div></blockquote><div><br></div><div style>This now works correctly!</div><div style><br></div><div style>The problem was due to a misunderstanding from my side. I was relying on the web interface, and I was somehow expecting the buttons of the GUI not to be clickable if the corresponding actions are not authorized!</div>
<div style>As a matter of fact, when the user clicks on such actions for not-owned VMs, the alerts pop out and the action is correctly blocked.</div><div style><br></div><div style>Thank you very much for the help.</div>
<div style>
<br></div><div style>best,</div><div style>valerio</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><br></div><div>
And when a user tries to perform any manage operation on another user's VM, from the CLI or from sunstone, this error is returned:</div><div><div>[VirtualMachineAction] User [2] : Not authorized to perform MANAGE VM [2].<br>
</div><div><br></div><div>Let's confirm some things first:</div><div>- Users and VMs are in the 'users' (1) group.</div><div>- VMs do not have MANAGE permissions set with chmod (onevm show gives this information)</div>
<div>- oned.conf does not have an AUTH_MAD/authz defined [1]. Note the Z.</div><div>- Can you paste the output of 'oneacl list -x'?</div><div>- Just to be sure, check that the operation is actually requested as the user logged in. In /var/log/one/oned.log, you should see the UID of each request, like</div>
<div>Req:1792 UID:2 VirtualMachineAction invoked, "delete", 4<br></div><div><br></div><div>Regards</div><div><br></div><div>[1] <a href="http://opennebula.org/documentation:rel4.0:oned_conf#auth_manager_configuration" target="_blank">http://opennebula.org/documentation:rel4.0:oned_conf#auth_manager_configuration</a><br>
</div><div><br></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr">--<br>Join us at <a href="http://opennebulaconf.com" target="_blank">OpenNebulaConf2013</a> in Berlin, 24-26 September, 2013<br>
--<div>Carlos Martín, MSc<br>Project Engineer<br>OpenNebula - The Open-source Solution for Data Center Virtualization<div><span style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"><a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a> | <a href="http://twitter.com/opennebula" target="_blank">@OpenNebula</a></span></div>
</div></div></div>
<br><br><div class="gmail_quote"><div><div class="h5">On Thu, Jun 13, 2013 at 10:16 AM, Valerio Schiavoni <span dir="ltr"><<a href="mailto:valerio.schiavoni@gmail.com" target="_blank">valerio.schiavoni@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
<div dir="ltr">Hello,<div>I'm running OpenNebula 4.0.1, freshly installed, and I'd like to implement the following use-case ACL-wise: when users login through the sunstone interface, they should see if other VMs are currently running and on which hosts. Clearly, on VMs owned by other users (even if in the same group), no managing actions should be allowed. </div>
<div><br></div><div>This is the current set of ACL rules installed (I believe these are the default ones):<br></div><div><br></div><div><div> ID USER RES_VHNIUTGDCO RID OPE_UMAC</div><div>
0 @1 V-NI-T---- * ---c</div><div> 11 @1 -H-------- * um--</div><div> 16 * ---------O * ---c</div><div><br></div><div><br></div><div>If I add this: "@1 VM/* USE" , all users can see all other users' VMs but all actions seem to be available (at least through the web interface).</div>
<div><br></div><div>Is this scenario supported somehow? </div><div><br></div><div>Thanks,<br>Valerio</div></div></div>
<br></div></div>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br></div></div>
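<p>The thread above turns on one point: a group-wide <code>@1 VM/* USE</code> rule makes other users' VMs visible, while MANAGE on a VM you do not own stays denied, which is why Sunstone's buttons remain clickable but the action itself is rejected. The following is an added example, not code from OpenNebula or from either poster: a small Python model that parses rows in the <code>oneacl list</code> column format shown in the thread and evaluates USE/MANAGE against them. The evaluation order (the VM's own permission bits first, then matching ACL rules), the <code>Principal</code>/<code>VM</code> classes and the sample users and VM ids are assumptions made for the illustration, not a description of oned's internals.</p>

```python
"""Toy model of OpenNebula-style ACL evaluation.

Added example, not OpenNebula code. It reproduces the behaviour discussed
in the thread: a group-wide USE rule on VMs makes other users' VMs visible,
but MANAGE on a VM you do not own is denied unless a rule (or the VM's own
chmod bits) grants it. Evaluation order here is an assumption.
"""
from dataclasses import dataclass

# Column legend of `oneacl list` as printed in the thread (OpenNebula 4.0):
#   RES_VHNIUTGDCO -> V=VM H=HOST N=NET I=IMAGE U=USER T=TEMPLATE
#                     G=GROUP D=DATASTORE C=CLUSTER O=DOCUMENT
#   OPE_UMAC       -> U=USE M=MANAGE A=ADMIN C=CREATE
RESOURCE_COLS = "VHNIUTGDCO"
RIGHT_COLS = "UMAC"
RESOURCE_NAMES = {"V": "VM", "H": "HOST", "N": "NET", "I": "IMAGE", "U": "USER",
                  "T": "TEMPLATE", "G": "GROUP", "D": "DATASTORE",
                  "C": "CLUSTER", "O": "DOCUMENT"}
RIGHT_NAMES = {"U": "USE", "M": "MANAGE", "A": "ADMIN", "C": "CREATE"}


@dataclass(frozen=True)
class Rule:
    user: str             # "#uid", "@gid" or "*"
    resources: frozenset  # e.g. {"VM", "NET"}
    rid: str              # "#id", "@gid" or "*"
    rights: frozenset     # e.g. {"USE"}


def parse_acl_line(line):
    """Parse one row of `oneacl list`, e.g. '3 @1 V--------- * u---'."""
    _id, user, res, rid, ope = line.split()
    resources = frozenset(RESOURCE_NAMES[c] for c, flag in zip(RESOURCE_COLS, res) if flag != "-")
    rights = frozenset(RIGHT_NAMES[c] for c, flag in zip(RIGHT_COLS, ope) if flag != "-")
    return Rule(user, resources, rid, rights)


@dataclass
class Principal:          # hypothetical: uid/gid of the requesting user
    uid: int
    gid: int


@dataclass
class VM:                 # hypothetical: owner, group and chmod-style bits
    oid: int
    owner_uid: int
    group_gid: int
    owner_rights: frozenset = frozenset({"USE", "MANAGE"})  # default 'um-' for owner
    group_rights: frozenset = frozenset()                   # '---' for group
    other_rights: frozenset = frozenset()                   # '---' for others


def _user_matches(spec, p):
    return spec == "*" or spec == f"#{p.uid}" or spec == f"@{p.gid}"


def _object_matches(spec, vm):
    return spec == "*" or spec == f"#{vm.oid}" or spec == f"@{vm.group_gid}"


def authorized(p, op, vm, rules):
    """True if principal p may perform op ('USE'/'MANAGE'/'ADMIN') on vm.

    Assumed model: the VM's own permission bits apply first (owner, group,
    others), then any ACL rule matching user, resource type, object and right.
    """
    if vm.owner_uid == p.uid and op in vm.owner_rights:
        return True
    if vm.group_gid == p.gid and op in vm.group_rights:
        return True
    if op in vm.other_rights:
        return True
    return any(
        _user_matches(r.user, p) and "VM" in r.resources
        and _object_matches(r.rid, vm) and op in r.rights
        for r in rules
    )


def visible_vms(p, vms, rules):
    """VM ids the principal can list: those it holds USE on (the Sunstone view)."""
    return [vm.oid for vm in vms if authorized(p, "USE", vm, rules)]


# Constructed sample: the thread's three default rules plus '@1 VM/* USE'.
ACL_LISTING = [
    "0 @1 V-NI-T---- * ---c",
    "11 @1 -H-------- * um--",
    "16 * ---------O * ---c",
    "3 @1 V--------- * u---",
]
RULES = [parse_acl_line(row) for row in ACL_LISTING]
# Two constructed users in group 1 ('users'), each owning one VM.
ALICE, BOB = Principal(uid=2, gid=1), Principal(uid=3, gid=1)
VMS = [VM(oid=2, owner_uid=2, group_gid=1), VM(oid=4, owner_uid=3, group_gid=1)]

if __name__ == "__main__":
    print("VMs visible to uid 2 with the USE rule:", visible_vms(ALICE, VMS, RULES))
    print("VMs visible to uid 2 without it:", visible_vms(ALICE, VMS, RULES[:3]))
    for vm in VMS:
        print(f"uid 2 MANAGE on VM {vm.oid}: {authorized(ALICE, 'MANAGE', vm, RULES)}")
```

<p>With the USE rule present, uid 2 sees both VMs but can only MANAGE its own VM 2; dropping that rule (<code>RULES[:3]</code>) hides VM 4 again. Granting MANAGE to the group, in this model, would require either an explicit <code>@1 VM/* MANAGE</code> rule or a chmod that sets the group's manage bit on the VM, which is exactly what the thread advises against for other users' VMs.</p>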