<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">

<div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word"><div>Let me ask one last question regarding IMAGE_RESTRICTED_ATTR.</div>
<div>In ON3.2, we know the following code</div>
<div>
<div>less src/image/ImageTemplate.cc</div>
<div>const string ImageTemplate::RESTRICTED_ATTRIBUTES[] = {</div>
<div>    "SOURCE"</div>
<div>};</div>
</div>
<div>disallows non-oneadmin-group users from using the command onevm saveas</div>
<div>because internally this involves the SOURCE attribute,</div></div></blockquote><div><br></div><div>I've gone through the code, and the behavior should be the same, take a look at:</div><div><br></div><div><br></div>

<div><a href="https://github.com/OpenNebula/one/blob/one-3.2/src/rm/RequestManagerVirtualMachine.cc#L440">https://github.com/OpenNebula/one/blob/one-3.2/src/rm/RequestManagerVirtualMachine.cc#L440</a><br></div><div> </div>

<div><br></div><div>So, in both 3.2 and 4.4 a regular user should be able to save the disk of a running VM no matter if SOURCE is restricted or not...</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">

<div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
<div><br>
</div>
<div>but in newer versions, e.g. ON4.4, this seems to be gone</div>
<div>even when we have IMAGE_RESTRICTED_ATTR=SOURCE in oned.conf.</div>
<div>This is what I learned from my testing.</div>
<div><br>
</div>
<div>Could you confirm this?</div>
<div>Thank you!</div>
<div><br>
</div>
<div>Hyunwoo</div>
<div>FermiCloud</div>
<div><br>
</div>
<div><br>
</div>
<span>
<div style="border-width:1pt medium medium;border-style:solid none none;padding:3pt 0in 0in;text-align:left;font-size:11pt;font-family:Calibri;border-top-color:rgb(181,196,223)">
<span style="font-weight:bold">From: </span>"Ruben S. Montero" <<a href="mailto:rsmontero@opennebula.org" target="_blank">rsmontero@opennebula.org</a>><br>
<span style="font-weight:bold">Date: </span>Thursday, April 17, 2014 4:37 PM<br>
<span style="font-weight:bold">To: </span>Hyunwoo Kim <<a href="mailto:hyunwoo@fnal.gov" target="_blank">hyunwoo@fnal.gov</a>><br>
<span style="font-weight:bold">Cc: </span>Carlos Martín Sánchez <<a href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a>>, users <<a href="mailto:users@lists.opennebula.org" target="_blank">users@lists.opennebula.org</a>>, Steven C Timm <<a href="mailto:timm@fnal.gov" target="_blank">timm@fnal.gov</a>><br>


<span style="font-weight:bold">Subject: </span>Re: [one-users] restricted_attr in oned.conf of ON44<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Apr 16, 2014 at 5:15 PM, Hyun Woo Kim <span dir="ltr">
<<a href="mailto:hyunwoo@fnal.gov" target="_blank">hyunwoo@fnal.gov</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
<div>Hi Ruben,</div>
<div><br>
</div>
<div>Thanks for the message. (It's still confusing to me though.)</div>
<div><br>
</div>
<div>Let me see if I understand this right.</div>
<div><br>
</div>
<div>In "Merge Use Case" section of <a href="http://docs.opennebula.org/4.4/user/virtual_resource_management/vm_guide.html" target="_blank">http://docs.opennebula.org/4.4/user/virtual_resource_management/vm_guide.html</a> </div>


<div>suppose there is VM_RESTRICTED_ATTR="CPU" in oned.conf.</div>
<div>This only prevents non-oneadmin-group users from</div>
<div>using the --cpu option of the onetemplate instantiate command,</div>
<div>but it (VM_RESTRICTED_ATTR="CPU" in oned.conf) does NOT prevent users from using the</div>
<div>CPU attribute in their VM templates. Is this right?</div>
</div>
</blockquote>
<div><br>
</div>
<div>Right (although they won't be able to instantiate them)</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
<div><br>
</div>
<div>In ON3.2, src/vm/VirtualMachineTemplate.cc has the following code</div>
<div>[A] =</div>
<div>const string VirtualMachineTemplate::RESTRICTED_ATTRIBUTES[] = {</div>
<div>        "CONTEXT/FILES",</div>
<div>        "DISK/SOURCE",</div>
<div>        "NIC/MAC",</div>
<div>        "NIC/VLAN_ID",</div>
<div>        "RANK"</div>
<div>};</div>
<div><br>
</div>
<div>We know that this prevents non-oneadmin users from using, for example, the CONTEXT/FILES attribute in their template,</div>
<div>so we had to modify the above to comment out CONTEXT/FILES and RANK.</div>
<div><br>
</div>
<div>But it looks like this array is gone now, and the new entries in oned.conf (VM_RESTRICTED_ATTR) have NOT inherited the functionality.</div>
</div>
</blockquote>
<div><br>
</div>
<div>You are right, we've restructured the code, and probably moved the checks to onetemplate instantiate / onevm create.</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
<div><br>
</div>
<div>So, in summary, it looks like there is a restriction that prevents normal users from using</div>
<div>those attributes [A] in their templates.</div>
</div>
</blockquote>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
<div><br>
</div>
<div>Do I understand right?</div>
</div>
</blockquote>
<div><br>
</div>
<div>In summary, template checks for restricted attributes are made:</div>
<div><br>
</div>
<div>1.- on VM template instantiate (onetemplate instantiate)</div>
<div>2.- on VM create (onevm create)</div>
<div>3.- on VM attach nic (onevm attachnic) (for example to not allow users to use NIC/MAC)</div>
<div> </div>
<div><br>
</div>
<div>Hope it is clearer now,</div>
<div><br>
</div>
<div>Cheers</div>
<div><br>
</div>
<div>Ruben</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
<div><br>
</div>
<div>Thanks again,</div>
<div>Hyunwoo</div>
<div>FermiCloud</div>
<div><br>
</div>
<div><br>
</div>
<span>
<div style="border-width:1pt medium medium;border-style:solid none none;padding:3pt 0in 0in;text-align:left;font-size:11pt;font-family:Calibri;border-top-color:rgb(181,196,223)">
<span style="font-weight:bold">From: </span>"Ruben S. Montero" <<a href="mailto:rsmontero@opennebula.org" target="_blank">rsmontero@opennebula.org</a>><br>
<span style="font-weight:bold">Date: </span>Wednesday, April 16, 2014 9:37 AM<br>
<span style="font-weight:bold">To: </span>Carlos Martín Sánchez <<a href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a>><br>
<span style="font-weight:bold">Cc: </span>Hyunwoo Kim <<a href="mailto:hyunwoo@fnal.gov" target="_blank">hyunwoo@fnal.gov</a>>, users <<a href="mailto:users@lists.opennebula.org" target="_blank">users@lists.opennebula.org</a>><br>


<span style="font-weight:bold">Subject: </span>Re: [one-users] restricted_attr in oned.conf of ON44<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">Hi Hyun
<div><br>
</div>
<div>We've taken a look into it and it seems to be working. A couple of notes:</div>
<div><br>
</div>
<div>1.- VM Template is checked for restricted attributes if the owner is not oneadmin (or in oneadmin group). The rationale behind it is that oneadmin can prepare templates with "unsafe" attributes but let the user instantiate them (but not set or modify the
 attributes). We'll make it clearer in the doc.</div>
<div><br>
</div>
<div>2.- Disk snapshot operation may use the SOURCE attribute internally, but the user cannot modify or set the SOURCE attribute.</div>
<div><br>
</div>
<div>Hope it makes it clearer.</div>
<div><br>
</div>
<div>Cheers</div>
<div><br>
</div>
<div>Ruben</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Apr 16, 2014 at 3:22 PM, Carlos Martín Sánchez <span dir="ltr">
<<a href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">Hi,
<div><br>
</div>
<div>There is not much to it, it should be working as you describe. We'll try to reproduce it and fix it for 4.6 if it's broken.</div>
<div><a href="http://dev.opennebula.org/issues/2838" target="_blank">http://dev.opennebula.org/issues/2838</a></div>
<div><br>
</div>
<div>Regards.</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div dir="ltr">--<br>
<div>Carlos Martín, MSc<br>
Project Engineer</div>
<div>OpenNebula - Flexible Enterprise Cloud Made Simple<br>
<div><span style="border-collapse:collapse;color:rgb(136,136,136);font-size:13px;font-family:arial,sans-serif"><a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> |
<a href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a> |
<a href="http://twitter.com/opennebula" target="_blank">@OpenNebula</a></span><span style="border-collapse:collapse;color:rgb(136,136,136);font-size:13px;font-family:arial,sans-serif"><a href="mailto:cmartin@opennebula.org" style="color:rgb(42,93,176)" target="_blank"></a></span></div>


</div>
</div>
</div>
<br>
<br>
<div class="gmail_quote">
<div>
<div>On Tue, Apr 15, 2014 at 5:50 PM, Hyun Woo Kim <span dir="ltr"><<a href="mailto:hyunwoo@fnal.gov" target="_blank">hyunwoo@fnal.gov</a>></span> wrote:<br>
</div>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div>
<div>
<div style="word-wrap:break-word">
<div style="font-size:14px;font-family:Calibri,sans-serif">Hello,</div>
<div style="font-size:14px;font-family:Calibri,sans-serif"><br>
</div>
<div style="font-size:14px;font-family:Calibri,sans-serif"><a href="http://docs.opennebula.org/4.4/administration/references/oned_conf.html#oned-conf-restricted-attributes-configuration" target="_blank">http://docs.opennebula.org/4.4/administration/references/oned_conf.html#oned-conf-restricted-attributes-configuration</a></div>


<div style="font-size:14px;font-family:Calibri,sans-serif">says we can use {VM,IMAGE}_RESTRICTED_ATTR</div>
<div style="font-size:14px;font-family:Calibri,sans-serif">to restrict users outside the oneadmin group,</div>
<div style="font-size:14px;font-family:Calibri,sans-serif"><br></div>
<div style="font-size:14px;font-family:Calibri,sans-serif">but I experimented as a user whose group is users, not oneadmin,</div>
<div style="font-size:14px;font-family:Calibri,sans-serif">launching a VM from a vm.template with CONTEXT/FILES</div>
<div style="font-size:14px;font-family:Calibri,sans-serif">and running the onevm disk-snapshot command, which must use the SOURCE attribute,</div>
<div style="font-size:14px;font-family:Calibri,sans-serif">and both work, i.e. restricted_attr does not seem to work.</div>
<div style="font-size:14px;font-family:Calibri,sans-serif"><br></div>
<div style="font-size:14px;font-family:Calibri,sans-serif">Am I missing something?</div>
<div style="font-size:14px;font-family:Calibri,sans-serif"><br></div>
<div style="font-size:14px;font-family:Calibri,sans-serif">Thanks,</div>
<div style="font-size:14px;font-family:Calibri,sans-serif">Hyunwoo KIM</div>
<div style="font-size:14px;font-family:Calibri,sans-serif">FermiCloud</div>
<div style="font-size:14px;font-family:Calibri,sans-serif"><br></div>
<div style="font-size:14px;font-family:Calibri,sans-serif"><br></div>
</div>
<br>
</div>
</div>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<span><font color="#888888"></font></span></blockquote>
<span><font color="#888888"></font></span></div>
<span><font color="#888888"><br>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr">
<div>
<div>-- <br>
</div>
</div>
Ruben S. Montero, PhD<br>
Project co-Lead and Chief Architect
<div>OpenNebula - Flexible Enterprise Cloud Made Simple<br>
<a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:rsmontero@opennebula.org" target="_blank">
rsmontero@opennebula.org</a> | @OpenNebula</div><span class=""><font color="#888888">
</font></span></div><span class=""><font color="#888888">
</font></span></font></span></div><span class=""><font color="#888888">
</font></span></div><span class=""><font color="#888888">
</font></span></div><span class=""><font color="#888888">
</font></span></span></div><span class=""><font color="#888888">
</font></span></blockquote><span class=""><font color="#888888">
</font></span></div><span class=""><font color="#888888">
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr">
<div>
<div>-- <br>
</div>
</div>
Ruben S. Montero, PhD<br>
Project co-Lead and Chief Architect
<div>OpenNebula - Flexible Enterprise Cloud Made Simple<br>
<a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:rsmontero@opennebula.org" target="_blank">
rsmontero@opennebula.org</a> | @OpenNebula</div>
</div>
</font></span></div>
</div>
</div>
</div>
</span>
</div>

</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><div><div>-- <br></div></div>Ruben S. Montero, PhD<br>Project co-Lead and Chief Architect<div>OpenNebula - Flexible Enterprise Cloud Made Simple<br>

<a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:rsmontero@opennebula.org" target="_blank">rsmontero@opennebula.org</a> | @OpenNebula</div></div>
</div></div>
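<div>Added example, not OpenNebula's code: a small Python model of the restricted-attribute check the thread describes. A template is inspected only when its owner is outside the oneadmin group, it is matched against path-style names such as NIC/MAC or DISK/SOURCE (the ON3.2 array quoted above, plus CPU from the VM_RESTRICTED_ATTR example), and only user-supplied attributes are examined, which is why disk snapshot / saveas, which use SOURCE internally, are not blocked. The minimal template grammar and the sample templates are constructed for the example.</div>

```python
import re

# Restricted paths: the ON3.2 VirtualMachineTemplate array quoted in the thread, plus "CPU".
RESTRICTED_ATTRS = ["CONTEXT/FILES", "DISK/SOURCE", "NIC/MAC", "NIC/VLAN_ID", "RANK", "CPU"]
ONEADMIN_GROUP = "oneadmin"
# Minimal template grammar (assumed): NAME = VALUE, or VECTOR = [ NAME = VALUE, ... ].
VECTOR_RE = re.compile(r'(\w+)\s*=\s*\[(.*?)\]', re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s,\[\]]+)')


def parse_template(text):
    """Flatten a template into (path, value) pairs, e.g. ("NIC/MAC", "02:...")."""
    attrs = []

    def take_vector(m):
        vector = m.group(1).upper()
        for key, value in ATTR_RE.findall(m.group(2)):
            attrs.append((f"{vector}/{key.upper()}", value.strip('"')))
        return ""  # drop the vector so the scalar pass does not re-read its members

    remainder = VECTOR_RE.sub(take_vector, text)
    for key, value in ATTR_RE.findall(remainder):
        attrs.append((key.upper(), value.strip('"')))
    return attrs


def restricted_violations(template_text, owner_groups, restricted=RESTRICTED_ATTRS):
    """Restricted paths the template sets, sorted; empty when the owner is in oneadmin.

    Only user-supplied attributes are inspected, so an operation that uses SOURCE
    internally (disk snapshot / saveas) is not caught by IMAGE_RESTRICTED_ATTR=SOURCE.
    """
    if ONEADMIN_GROUP in owner_groups:
        return []
    wanted = set(restricted)
    return sorted({path for path, _ in parse_template(template_text) if path in wanted})


# Constructed sample templates (not from the thread).
SAMPLE_TEMPLATE = """
NAME = "restricted-demo"
CPU  = 1
DISK = [ IMAGE_ID = 7,
         SOURCE = "/var/lib/one/datastores/1/constructed-image" ]
NIC = [ NETWORK_ID = 0, MAC = "02:00:0a:0b:0c:0d" ]
CONTEXT = [ FILES = "/srv/context/init.sh", HOSTNAME = "$NAME" ]
"""
NIC_TEMPLATE = 'NIC = [ NETWORK_ID = 0, MAC = "02:00:0a:0b:0c:0e" ]'  # as for onevm attachnic

if __name__ == "__main__":
    print("users:    ", restricted_violations(SAMPLE_TEMPLATE, ["users"]))
    print("oneadmin: ", restricted_violations(SAMPLE_TEMPLATE, ["oneadmin"]))
    print("attachnic:", restricted_violations(NIC_TEMPLATE, ["users"]))
```

The same function serves the three checkpoints Ruben lists (instantiate, create, attachnic): the NIC-only template is what the attachnic path would see.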