cloudstack-dev mailing list archives

From Ryan Lei <>
Subject Re: [Discuss] - Domain admin not having the flexibility to create sub-domains/sub-child domains/accounts
Date Mon, 20 May 2013 03:08:23 GMT
Dear all,

I have recently been trying the functionality of CloudStack 4.0.2, and
encountered the exact same problem:

A domain admin has NOT MUCH MORE POWER than a regular user. They cannot
create the user accounts or sub-domain under their domain. Nor can they
"manage" such accounts by disabling/deleting/resource limiting them. A
domain admin does have the power of fully-accessing the "resources"
(instances, volumes, security groups, etc.) of the whole domain, and
nothing else.

In my understanding, currently a domain admin's privilege is just the UNION
of all the USER'S privileges under the same domain, but without any ADMIN
POWER. This is inconsistent with the documentation, Internet articles, or
common sense. And will be a major issue in a real production environment!
Most of the admin jobs still require the power of "root" admin.

I searched JIRA, but only found this related issue: CLOUDSTACK-1915: Domain
Administrator's Guide.

On Tue, Apr 23, 2013 at 2:05 AM, Alena Prokharchyk <> wrote:

> On 4/22/13 10:47 AM, "Chip Childers" <> wrote:
> >On Mon, Apr 22, 2013 at 11:22:16AM +0000, Pranav Saxena wrote:
> >> Hi,
> >>
> >> Currently only the ROOT-admin has the power to create any
> >>domains/sub-domains/sub-child domains for himself or the domain-admin.
> >>But there are certain situations (like updating resource limit for a
> >>sub-child domain under a domain admin ) for which the ROOT-admin has to
> >>create a sub-child domain for a domain admin to allow him to update the
> >>resource limits for that particular sub-child domain.
> >>
> >> With this in mind, why hasn't the domain-admin been given the
> >>privilege of creating sub-child domains himself? Are there any
> >>concerns/threats because of which the current architecture doesn't serve
> >>this purpose?
> >>
> >> Also, a domain-admin cannot create an account on his own using an API
> >>as well (UI can be overlooked for now). He has to go through the
> >>ROOT-admin to have this functionality enabled. So doesn't that conclude
> >>that domain-admin is almost a USELESS guy with *No powers*. To be able
> >>to navigate from step 1 -> step 2, you have to go through step 3
> >>which seems to be unconvincing at times.
> >>
> >> Could someone explain about why such a functionality is not supported
> >>in the current architecture ? Please let me know in case I am missing
> >>something here.
> >>
> >> Thanks,
> >> Pranav
> >
> >This never made much sense to me.
> >
> I remember seeing a feature request for this functionality somewhere on CS
> Jira, you might try to locate it and check the status/targeted release.
