cloudstack-dev mailing list archives

From sx chen <cloudchen0...@gmail.com>
Subject Re: How to make Domain Admin having the right adding account?
Date Tue, 18 Sep 2012 14:58:10 GMT
"You then might have to go into CreateAccountCmd implementation and check
if there is some ACL for restricting domain admin in using this api as
well."

    public void execute(){
        UserContext.current().setEventDetails("Account Name: "+getAccountName()+", Domain Id:"+getDomainId());
        UserAccount userAccount = _accountService.createUserAccount(getUsername(), getPassword(),
                getFirstName(), getLastName(), getEmail(), getTimeZone(), getAccountName(),
                getAccountType(), getDomainId(), getNetworkDomain(), getDetails());
        if (userAccount != null) {
            AccountResponse response = _responseGenerator.createUserAccountResponse(userAccount);
            response.setResponseName(getCommandName());
            this.setResponseObject(response);
        } else {
            throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to create a user account");
        }
    }

I don't see any ACL for restricting domain admin in using this API.
I will modify commands.properties.in and test it later.

"domain admin to execute this api (change 3 to 7)."
And what do 3 and 7 stand for?

"I think there was discussion/work planned to make ACL more fine grained in
the future releases as well"
You mean CloudStack will have a UI to set the ACL for user and admin?
My use case is quite simple: the admin customizes some templates and
service offerings, a user can create a VM via these templates and service
offerings, the user has to apply for a disk, and the admin creates and
attaches the disk for the user.
Thanks a lot.


2012/9/18 Nitin Mehta <Nitin.Mehta@citrix.com>

> I am not sure if there is any documentation around for this but I think
> you will need to proceed in a similar fashion as I suggested for
> createAccount api.
> Or you can use another account type RESOURCE_DOMAIN_ADMIN which has
> permissions to do this. More info @
> http://confluence.cloudstack.org/display/gen/Resource+Domain+Admin
>
> Also, FYI I think there was discussion/work planned to make ACL more fine
> grained in the future releases as well, but I suggest you to state your use
> case so that it could be kept in mind while designing it.
>
> Thanks,
> -Nitin
>
> -----Original Message-----
> From: sx chen [mailto:cloudchen0620@gmail.com]
> Sent: Tuesday, September 18, 2012 2:56 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: How to make Domain Admin having the right adding account?
>
> Certainly I want to authorize domain admin to use the APIs createAccount,
> deleteAccount, updateAccount, createUser, deleteUser and updateUser within
> its domain as well. I also want to prevent the user from attaching storage
> and let the domain admin do this.
>
> So, is there a document about this? Or any suggestion?
>
>
>
> 2012/9/18 Nitin Mehta <Nitin.Mehta@citrix.com>
>
> > Change the bitmap in the file commands.properties.in to 7 to allow
> > domain admin to execute this api (change 3 to 7).
> > createAccount=com.cloud.api.commands.CreateAccountCmd;3
> >
> > You then might have to go into CreateAccountCmd implementation and
> > check if there is some ACL for restricting domain admin in using this
> > api as well.
> >
> > But, do you want to authorize domain admin only to use this api or
> > other account/user apis like deleteAccount, updateAccount, createUser,
> > deleteUser and updateUser as well ?
> >
> > Thanks,
> > -Nitin
> >
> > -----Original Message-----
> > From: sx chen [mailto:cloudchen0620@gmail.com]
> > Sent: Tuesday, September 18, 2012 12:58 PM
> > To: cloudstack-users@incubator.apache.org
> > Subject: How to make Domain Admin having the right adding account?
> >
> > Hi all,
> >      I'm a CloudStack API developer. I want to know how to give the
> > Domain Admin the right to add accounts.
> > We know that only the root user has the right to execute the
> > createAccount API, so what should I do?
> >
>
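
On the question of what 3 and 7 stand for: the number after the semicolon in commands.properties.in is a bitmask of account roles. The following is an added example (not from the thread or the CloudStack code base) that decodes the mask and reports which roles an edit newly grants. The role bit values are stated from general knowledge of CloudStack rather than from this thread, and every sample line except createAccount is constructed.

```python
import re

# Role bits as CloudStack's commands.properties uses them (stated from general
# knowledge of the project, not from this thread).
ROLE_BITS = {1: "root admin", 2: "resource domain admin",
             4: "domain admin", 8: "user"}

# name=fully.qualified.Class;mask
LINE = re.compile(r"^\s*(\w+)\s*=\s*([\w.$]+)\s*;\s*(\d+)\s*$")

def decode_mask(mask):
    """Names of the roles whose bit is set in mask."""
    return [name for bit, name in ROLE_BITS.items() if mask & bit]

def parse_commands(text):
    """Return {api_name: mask}; comments, blanks and malformed lines are skipped."""
    masks = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            masks[m.group(1)] = int(m.group(3))
    return masks

def widened(before, after):
    """Map api_name -> roles granted in `after` but not in `before`."""
    old, new = parse_commands(before), parse_commands(after)
    report = {}
    for api, mask in new.items():
        gained = mask & ~old.get(api, 0)  # an API new to the file gains every role it lists
        if gained:
            report[api] = decode_mask(gained)
    return report

# Constructed sample. Only the createAccount line comes from the thread.
BEFORE = """\
# account APIs
createAccount=com.cloud.api.commands.CreateAccountCmd;3
attachVolume=com.cloud.api.commands.AttachVolumeCmd;15
"""
AFTER = BEFORE.replace("CreateAccountCmd;3", "CreateAccountCmd;7")

if __name__ == "__main__":
    for api, mask in parse_commands(AFTER).items():
        print(f"{api}: {mask} -> {', '.join(decode_mask(mask))}")
    print("newly granted:", widened(BEFORE, AFTER))
```

The mask only gates who may call the API at all; as the thread notes, the command implementation may apply its own checks, so a diff like this is a review aid for least-privilege changes, not proof of effective access.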
