<div dir="ltr">Hi,<div><br></div><div style>I don't know what might be failing here. I just tested it, with these acl rules:</div><div style><br></div><div style><div><font face="courier new, monospace">$ oneacl list</font></div>
<div><font face="courier new, monospace"> ID USER RES_VHNIUTGDCO RID OPE_UMAC</font></div><div><font face="courier new, monospace"> 0 @1 V-NI-T---- * ---c</font></div><div><font face="courier new, monospace"> 1 @1 -H-------- * -m--</font></div>
<div><font face="courier new, monospace"> 2 * ---------O * ---c</font></div><div><font face="courier new, monospace"> 3 @1 V--------- * u---</font></div><div><br></div><div style>
And when a user tries to perform any manage operation on another user's VM, from the CLI or from sunstone, this error is returned:</div><div style><div>[VirtualMachineAction] User [2] : Not authorized to perform MANAGE VM [2].<br>
</div><div><br></div><div style>Let's confirm some things first:</div><div style>- Users and VMs are in the 'users' (1) group.</div><div style>- VMs do not have MANAGE permissions set with chmod (onevm show gives this information)</div>
<div style>- oned.conf does not have an AUTH_MAD/authz defined [1]. Note the Z.</div><div style>- Can you paste the output of 'oneacl list -x'?</div><div style>- Just to be sure, check that the operation is actually requested as the user logged in. In /var/log/one/oned.log, you should see the UID of each request, like</div>
<div style>Req:1792 UID:2 VirtualMachineAction invoked, "delete", 4<br></div><div style><br></div><div style>Regards</div><div style><br></div><div style>[1] <a href="http://opennebula.org/documentation:rel4.0:oned_conf#auth_manager_configuration">http://opennebula.org/documentation:rel4.0:oned_conf#auth_manager_configuration</a><br>
</div><div style><br></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr">--<br>Join us at <a href="http://opennebulaconf.com" target="_blank">OpenNebulaConf2013</a> in Berlin, 24-26 September, 2013<br>
--<div>Carlos Martín, MSc<br>Project Engineer<br>OpenNebula - The Open-source Solution for Data Center Virtualization<div><span style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"><a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a> | <a href="http://twitter.com/opennebula" target="_blank">@OpenNebula</a></span><span style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"><a href="mailto:cmartin@opennebula.org" style="color:rgb(42,93,176)" target="_blank"></a></span></div>
</div></div></div>
<br><br><div class="gmail_quote">On Thu, Jun 13, 2013 at 10:16 AM, Valerio Schiavoni <span dir="ltr"><<a href="mailto:valerio.schiavoni@gmail.com" target="_blank">valerio.schiavoni@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hello,<div>i'm running OpenNebula 4.0.1, freshly installed, and I'd like to implement the following use-case ACL-wise: when users login through the sunstone interface, they should see if other VMs are currently running and on which hosts. Clearly, on VMs owned by other users (even if in the same group), no managing actions should be allowed. </div>
<div><br></div><div>This is the current set of ACL rules installed ( i believe these are the default ones):<br></div><div><br></div><div><div> ID USER RES_VHNIUTGDCO RID OPE_UMAC</div><div>
0 @1 V-NI-T---- * ---c</div><div> 11 @1 -H-------- * um--</div><div> 16 * ---------O * ---c</div><div><br></div><div><br></div><div>If I add this: "@1 VM/* USE" , all users can see all other users' VMs but all actions seem to be available (at least through the web interface).</div>
<div><br></div><div>Is this scenario supported somehow? </div><div><br></div><div>Thanks,<br>Valerio</div></div></div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
<br></blockquote></div><br></div>