Return-Path: X-Original-To: apmail-cloudstack-dev-archive@www.apache.org Delivered-To: apmail-cloudstack-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 39022D232 for ; Mon, 20 May 2013 03:08:50 +0000 (UTC) Received: (qmail 79688 invoked by uid 500); 20 May 2013 03:08:50 -0000 Delivered-To: apmail-cloudstack-dev-archive@cloudstack.apache.org Received: (qmail 79131 invoked by uid 500); 20 May 2013 03:08:49 -0000 Mailing-List: contact dev-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cloudstack.apache.org Delivered-To: mailing list dev@cloudstack.apache.org Received: (qmail 79104 invoked by uid 99); 20 May 2013 03:08:48 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 20 May 2013 03:08:48 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of ryanleicloudstack@gmail.com designates 209.85.210.169 as permitted sender) Received: from [209.85.210.169] (HELO mail-ia0-f169.google.com) (209.85.210.169) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 20 May 2013 03:08:44 +0000 Received: by mail-ia0-f169.google.com with SMTP id k38so7254058iah.28 for ; Sun, 19 May 2013 20:08:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:x-google-sender-delegation:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to :content-type; bh=b5Ksg/N4ojEYzeFICDSwDtfxQrFK19Na2J34fXOGxf8=; b=oH/h8KLuHkQ+x1v3+twkJmTEtZmbNAyVJj46HIpTunSXLy5QVB+ePxlu4j9DtHlV3R eoS1ocn8x5xC9x+BTKBacRAWkONx+zHWq/+1mLZRPgxO0RgRpVLp1Cqm8Vd+ks19BcvY 5qdhHEC5dhVy2SpBOHB/eqxfmt9D5fAFdKPrb7UbGjstf+YK2jTgKzMW5Ppsm0U9rXPs VqRC2e8M4qU0H3dmnH2aMjOGvbBCjxffU7ebm1Hk6/PdhDMKlgzJyob6/FG0730UNt+u NeS8oCOKf2xmsH/B3aeHwLLWF+0/agzBI+BAJirdKWPU2wGzb+gIl+uw91uO402s1nen PQPg== MIME-Version: 1.0 X-Received: by 10.50.33.109 with SMTP id q13mr4188920igi.83.1369019303313; Sun, 19 May 2013 20:08:23 -0700 (PDT) Sender: ryanlei750328@gmail.com X-Google-Sender-Delegation: ryanlei750328@gmail.com Received: by 10.231.250.12 with HTTP; Sun, 19 May 2013 20:08:23 -0700 (PDT) In-Reply-To: References: <20130422174701.GF4888@USLT-205755.sungardas.corp> Date: Mon, 20 May 2013 11:08:23 +0800 X-Google-Sender-Auth: h8x8DCTa_W8uwy92ZPwNVkoS62I Message-ID: Subject: Re: [Discuss] - Domain admin not having the flexibility to create sub-domains/sub-child domains/accounts From: Ryan Lei To: dev@cloudstack.apache.org Content-Type: multipart/alternative; boundary=089e01538bda43d0bc04dd1da50f X-Virus-Checked: Checked by ClamAV on apache.org --089e01538bda43d0bc04dd1da50f Content-Type: text/plain; charset=UTF-8 Dear all, I have recently trying the functionality of CloudStack 4.0.2, and encountered the exact same problem: A domain admin has NOT MUCH MORE POWER than a regular user. They can not create the user accounts or sub-domain under their domain. Nor can they "manage" such accounts by disabling/deleting/resource limiting them. A domain admin does have the power of fully-accessing the "resources" (instances, volumes, security groups, etc.) of the whole domain, and nothing else. In my understanding, currently a domain admin's privilege is just the UNION of all the USER'S privileges under the same domain, but without any ADMIN POWER. This is inconsistent with the documentation, Internet articles, or common sense. And will be a major issue in a real production environment! Most of the admin jobs still require the power of "root" admin. I searched JIRA, but only found this related issue: CLOUDSTACK-1915: Domain Administrator's Guide. https://issues.apache.org/jira/browse/CLOUDSTACK-1915 On Tue, Apr 23, 2013 at 2:05 AM, Alena Prokharchyk < Alena.Prokharchyk@citrix.com> wrote: > On 4/22/13 10:47 AM, "Chip Childers" wrote: > > >On Mon, Apr 22, 2013 at 11:22:16AM +0000, Pranav Saxena wrote: > >> Hi, > >> > >> Currently only the ROOT-admin has the power to create any > >>domains/sub-domains/sub-child domains for himself or the domain-admin . > >>But there are certain situations ( like updating resource limit for a > >>sub-child domain under a domain admin ) for which the ROOT-admin has to > >>create a sub-child domain for a domain admin to allow him to update the > >>resource limits for that particular sub-child domain. > >> > >> With this in mind , why hasn't the domain -admin been given the > >>privilege of creating sub-child domains himself ? Are there any > >>concerns/threats because of which the current architecture doesn't serve > >>this purpose ? > >> > >> Also , a domain-admin cannot create an account on his own using an API > >>as well ( UI can be overlooked for now) . He has to go through the > >>ROOT-admin to have this functionality enabled . So doesn't that conclude > >>that domain-admin is almost a USELESS guy with *No powers* . To be able > >>to navigate from step 1 - > step 2 , you have to go through step 3 > >>which seems to be unconvincing at times . > >> > >> Could someone explain about why such a functionality is not supported > >>in the current architecture ? Please let me know in case I am missing > >>something here. > >> > >> Thanks, > >> Pranav > > > >This never made much sense to me. > > > > > I remember seeing a feature request for this functionality somewhere on CS > Jira, you might try to locate it and check the status/targeted release. > > --089e01538bda43d0bc04dd1da50f--