cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Clayton Weise <cwe...@iswest.net>
Subject RE: Construct / change role permissions
Date Fri, 15 Jun 2012 16:49:39 GMT
With regard to the subject of roles.  I've noticed that domain admins do not have limits enforced.
 So if a domain is limited to 10 snapshots, a domain admin can create 11.  And because limits
cannot be imposed, as far as we're concerned, this type of user is pretty much useless because
we have no way to control what it can do.  Is this by design?  And if so, why and is there
a way it can be changed so that domain admins can have limits enforced?

Thanks,
Clayton

>-----Original Message-----
>From: Will Chan [mailto:will.chan@citrix.com]
>Sent: Friday, June 15, 2012 9:32 AM
>To: cloudstack-dev@incubator.apache.org; cloudstack-users@incubator.apache.org
>Subject: RE: Construct / change role permissions
>
>You are correct that Cloudstack has created essentially three static roles today.  The
most you can do today is to allow/disallow API commands to each role via the commands.properties
file. 
>
>It has been something that has been requested many times before, however, most production
systems that go live on CloudStack typically are fronted by some type of "portal."  These
portals are the ones that decide permissions for each user type.  Essentially, it's the user
role that require a bit more flexibility as the other two roles are pretty standard.
>
>I do know that Citrix is working on contributing back some refactoring work on the domain
and user ACL checklist so you might want to wait for that first.
>
>Will
>
>> -----Original Message-----
>> From: Olga Smola [mailto:olya.smola@gmail.com]
>> Sent: Friday, June 15, 2012 1:02 AM
>> To: cloudstack-dev@incubator.apache.org; cloudstack-
>> users@incubator.apache.org
>> Subject: Construct / change role permissions
>>
>> Hi,
>>
>> I would like to discuss CloudStack roles capabilities. As far as I understand, there
>> are 3 distinct roles and there is no possibility to change any role permissions.
>> Sometimes it's not so comfortable for situation when it is needed to allow some
>> action from one role to another one. For example, if you would like to allow
>> USER new action "Add account", you can't. Because there is no API command
>> for USER. What about new roles?
>> Have you got any ideas how to extend the CloudStack mechanism of roles
>> creation? It will be more convenient if there is something that allow to create
>> custom roles with needed permissions. For example, give basic role ADMIN or
>> USER and then create new role based on it, change permissions(remove, add).
>> Something like Role's constructor.
>> Also I would like to know if somebody else needs similar extension?
>>
>> Fill free to write any ideas.
>>
>> Thanks a lot,
>> Olga

Mime
View raw message