cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Tutkowski <mike.tutkow...@solidfire.com>
Subject Re: [DISCUSS] Major business logic refactoring: Move from Account to UserAccount
Date Fri, 14 Nov 2014 19:19:03 GMT
Yeah, I think the idea is not to change ownership of the resource but to be
better able to 'assign blame' for action x or y.

On Fri, Nov 14, 2014 at 12:17 PM, Prachi Damle <Prachi.Damle@citrix.com>
wrote:

> Rohit,
>
> Just on note on:
> >>>Min, you’re right I don’t propose to change the IAM model just some
> additional data that notes who *actually* owns the resource (VM, volume,
> etc.) in an account which can be useful for sysadmins to list resource by
> userid etc.
>
> Adding 'user_id' column but not changing IAM model should be a small
> change and not causing any IAM side effects.
>
> But, it still won't really mean that that 'userid' 'owns' the resource.
> The ownership will still stay with the account - and so all other users in
> that account will still be able to access that resource, as per CS IAM.
> The userid will just provide an insight on which user in the account
> created the resource.
>
> Thanks,
> Prachi
>
> -----Original Message-----
> From: Rohit Yadav [mailto:rohit.yadav@shapeblue.com]
> Sent: Friday, November 14, 2014 11:04 AM
> To: dev@cloudstack.apache.org
> Subject: Re: [DISCUSS] Major business logic refactoring: Move from Account
> to UserAccount
>
> Min, you’re right I don’t propose to change the IAM model just some
> additional data that notes who *actually* owns the resource (VM, volume,
> etc.) in an account which can be useful for sysadmins to list resource by
> userid etc.
>
> I can understand the hesitation and the side effects such a refactoring
> can produce, so I think the best would be to add user_id (uuid) columns and
> change only the API/query layer.
>
> Mike: I don’t propose to use user name but uuids so they are unique. My
> concern was adding user_id column to say vm_instance table denormalizes
> data as that table already has domain_id and account_id in it and as Rajani
> suggested earlier those two are not needed as using user_id one can find
> account_id and domain_id. I guess, the easiest way would be to just add an
> additional user_id column.
>
> Cheers.
>
> > On 15-Nov-2014, at 12:14 am, Min Chen <min.chen@citrix.com> wrote:
> >
> > Rohit, If I understood you correctly, the user_id column is only used
> > for listing resources to indicate which user is the real owner/creator
> > of the resource, but you don't want to change CloudStack account-level
> > permission model to user-level permission model, right? If so, the
> > change will be smaller, maybe some Response classes, which should not
> > involve too many business layer change. I will hesitate to really
> > change CloudStack IAM model though.
> >
> > Thanks
> > -min
> >
> > On 11/14/14 10:35 AM, "Rohit Yadav" <rohit.yadav@shapeblue.com> wrote:
> >
> >> Hi Min,
> >>
> >> Good to know. What do you propose we do moving forward. Do a
> >> refactoring run to fix it or leave it as it is and perhaps add
> >> user_id columns to few resources that are more useful for sysadmins
> such as vm_instance table.
> >>
> >>> On 14-Nov-2014, at 11:49 pm, Min Chen <min.chen@citrix.com> wrote:
> >>>
> >>> Rohit,
> >>>
> >>> I think that the historic reason for this is that CloudStack is only
> >>> doing IAM access permission check on account level, user is only
> >>> login authentication purpose. That is why we will see that all our
> >>> CloudStack resource owner field is an account, since that is the
> >>> only information used for controlling whether you have some
> permissions to the resource.
> >>> Thanks
> >>> -min
> >>>
> >>> On 11/14/14 12:53 AM, "Rohit Yadav" <rohit.yadav@shapeblue.com> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> All CloudStack DB entities (VM, storage, network etc.) have an
> >>>> owner field which is mostly the account. An account can have
> >>>> multiple users so just by looking at the resource (say VM) it¹s not
> >>>> possible to make out which user in the account (owner or account_id
> >>>> field in the db row of the
> >>>> entity) created it. CloudStack users may want to know this
> >>>> information for at least entities such as VMs and Volumes.
> >>>>
> >>>> Historically, why is the account owner of an entity and not a user?
> >>>> If user were the owner, we could easily get the account Id using
> >>>> the user Id.
> >>>>
> >>>> One solution to fix this problem is to refactor and replace Account
> >>>> (interface) usage with UserAccount (interface) usage, fix the DAO
> >>>> and resource layer, and add columns in the schema. This gets us all
> >>>> the information we need to determine domainId, AccountId and Id
> >>>> (the user ID). Should we do it for all entities or just keep status
> >>>> quo (use account as owners), or just fix it on-demand basis for
> >>>> specific entities such as for user VMs [1].
> >>>>
> >>>> [1] https://issues.apache.org/jira/browse/CLOUDSTACK-7908
> >>>>
> >>>> Regards,
> >>>> Rohit Yadav
> >>>> Software Architect, ShapeBlue
> >>>> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
> >>>> Blog: bhaisaab.org | Twitter: @_bhaisaab
> >>>>
> >>>>
> >>>>
> >>>> Find out more about ShapeBlue and our range of CloudStack related
> >>>> services
> >>>>
> >>>> IaaS Cloud Design &
> >>>> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> >>>> CSForge ­ rapid IaaS deployment
> >>>> framework<http://shapeblue.com/csforge/>
> >>>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> >>>> CloudStack Software
> >>>> Engineering<http://shapeblue.com/cloudstack-software-engineering/>
> >>>> CloudStack Infrastructure
> >>>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> >>>> CloudStack Bootcamp Training
> >>>> Courses<http://shapeblue.com/cloudstack-training/>
> >>>>
> >>>> This email and any attachments to it may be confidential and are
> >>>> intended solely for the use of the individual to whom it is
> >>>> addressed. Any views or opinions expressed are solely those of the
> >>>> author and do not necessarily represent those of Shape Blue Ltd or
> >>>> related companies. If you are not the intended recipient of this
> >>>> email, you must neither take any action based upon its contents,
> >>>> nor copy or show it to anyone.
> >>>> Please
> >>>> contact the sender if you believe you have received this email in
> >>>> error.
> >>>> Shape Blue Ltd is a company incorporated in England & Wales.
> >>>> ShapeBlue Services India LLP is a company incorporated in India and
> >>>> is operated under license from Shape Blue Ltd. Shape Blue Brasil
> >>>> Consultoria Ltda is a company incorporated in Brasil and is
> >>>> operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is
> >>>> a company registered by The Republic of South Africa and is traded
> >>>> under license from Shape Blue Ltd. ShapeBlue is a registered
> >>>> trademark.
> >>>
> >>
> >> Regards,
> >> Rohit Yadav
> >> Software Architect, ShapeBlue
> >> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
> >> Blog: bhaisaab.org | Twitter: @_bhaisaab
> >>
> >>
> >>
> >> Find out more about ShapeBlue and our range of CloudStack related
> >> services
> >>
> >> IaaS Cloud Design &
> >> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> >> CSForge ­ rapid IaaS deployment
> >> framework<http://shapeblue.com/csforge/>
> >> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> >> CloudStack Software
> >> Engineering<http://shapeblue.com/cloudstack-software-engineering/>
> >> CloudStack Infrastructure
> >> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> >> CloudStack Bootcamp Training
> >> Courses<http://shapeblue.com/cloudstack-training/>
> >>
> >> This email and any attachments to it may be confidential and are
> >> intended solely for the use of the individual to whom it is
> >> addressed. Any views or opinions expressed are solely those of the
> >> author and do not necessarily represent those of Shape Blue Ltd or
> >> related companies. If you are not the intended recipient of this
> >> email, you must neither take any action based upon its contents, nor
> >> copy or show it to anyone. Please contact the sender if you believe you
> have received this email in error.
> >> Shape Blue Ltd is a company incorporated in England & Wales.
> >> ShapeBlue Services India LLP is a company incorporated in India and
> >> is operated under license from Shape Blue Ltd. Shape Blue Brasil
> >> Consultoria Ltda is a company incorporated in Brasil and is operated
> >> under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
> >> registered by The Republic of South Africa and is traded under
> >> license from Shape Blue Ltd. ShapeBlue is a registered trademark.
> >
>
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>
> Find out more about ShapeBlue and our range of CloudStack related services
>
> IaaS Cloud Design & Build<
> http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Software Engineering<
> http://shapeblue.com/cloudstack-software-engineering/>
> CloudStack Infrastructure Support<
> http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training Courses<
> http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are intended
> solely for the use of the individual to whom it is addressed. Any views or
> opinions expressed are solely those of the author and do not necessarily
> represent those of Shape Blue Ltd or related companies. If you are not the
> intended recipient of this email, you must neither take any action based
> upon its contents, nor copy or show it to anyone. Please contact the sender
> if you believe you have received this email in error. Shape Blue Ltd is a
> company incorporated in England & Wales. ShapeBlue Services India LLP is a
> company incorporated in India and is operated under license from Shape Blue
> Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil
> and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is
> a company registered by The Republic of South Africa and is traded under
> license from Shape Blue Ltd. ShapeBlue is a registered trademark.
>



-- 
*Mike Tutkowski*
*Senior CloudStack Developer, SolidFire Inc.*
e: mike.tutkowski@solidfire.com
o: 303.746.7302
Advancing the way the world uses the cloud
<http://solidfire.com/solution/overview/?video=play>*™*

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message