cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alena Prokharchyk <>
Subject Re: Construct / change role permissions
Date Fri, 15 Jun 2012 17:09:57 GMT
On 6/15/12 9:49 AM, "Clayton Weise" <> wrote:

>With regard to the subject of roles.  I've noticed that domain admins do
>not have limits enforced.  So if a domain is limited to 10 snapshots, a
>domain admin can create 11.  And because limits cannot be imposed, as far
>as we're concerned, this type of user is pretty much useless because we
>have no way to control what it can do.  Is this by design?

It was designed that way from the beginning. But you are right - domain
admin should respect the limits as he doesn't own the system, and there
should be a way to control his resources.
Can you please file a CS bug on this regard.


>And if so, why and is there a way it can be changed so that domain admins
>can have limits enforced?
>>-----Original Message-----
>>From: Will Chan []
>>Sent: Friday, June 15, 2012 9:32 AM
>>Subject: RE: Construct / change role permissions
>>You are correct that Cloudstack has created essentially three static
>>roles today.  The most you can do today is to allow/disallow API
>>commands to each role via the file.
>>It has been something that has been requested many times before,
>>however, most production systems that go live on CloudStack typically
>>are fronted by some type of "portal."  These portals are the ones that
>>decide permissions for each user type.  Essentially, it's the user role
>>that require a bit more flexibility as the other two roles are pretty
>>I do know that Citrix is working on contributing back some refactoring
>>work on the domain and user ACL checklist so you might want to wait for
>>that first.
>>> -----Original Message-----
>>> From: Olga Smola []
>>> Sent: Friday, June 15, 2012 1:02 AM
>>> To:; cloudstack-
>>> Subject: Construct / change role permissions
>>> Hi,
>>> I would like to discuss CloudStack roles capabilities. As far as I
>>>understand, there
>>> are 3 distinct roles and there is no possibility to change any role
>>> Sometimes it's not so comfortable for situation when it is needed to
>>>allow some
>>> action from one role to another one. For example, if you would like to
>>> USER new action "Add account", you can't. Because there is no API
>>> for USER. What about new roles?
>>> Have you got any ideas how to extend the CloudStack mechanism of roles
>>> creation? It will be more convenient if there is something that allow
>>>to create
>>> custom roles with needed permissions. For example, give basic role
>>>ADMIN or
>>> USER and then create new role based on it, change permissions(remove,
>>> Something like Role's constructor.
>>> Also I would like to know if somebody else needs similar extension?
>>> Fill free to write any ideas.
>>> Thanks a lot,
>>> Olga

View raw message