From: Nitin Mehta
To: Deepti Dohare, cloudstack-users@incubator.apache.org
CC: dan@soleks.com, Hariharan Sankaranarayanan, Ewan Mellor
Date: Wed, 16 May 2012 13:59:48 +0530
Subject: RE: Template access control, just "food to think"
Deepti - This is a good try but I guess there is a mistake in understanding the operations here.
If there is a public template and if you want to limit the visibility to a few accounts then you should use op as "remove" rather than add.
If there is a private template and if you want to increase the visibility to a few accounts then you should use op as "add".
Please give it another try and see if there is really an issue and file bugs if any and let us know.

Thanks,
-Nitin

-----Original Message-----
From: Deepti Dohare
Sent: Wednesday, May 16, 2012 12:27 PM
To: cloudstack-users@incubator.apache.org
Cc: Nitin Mehta; dan@soleks.com; Hariharan Sankaranarayanan; Ewan Mellor
Subject: RE: Template access control, just "food to think"

Hi,
I used the updateTemplatePermissions API to change the permission of template visibility wrt accounts:

Initial setup:
Domain D1 has
  accounts: ad1, ad11, ad12
  users: ad1, ad11, ad12, u1
  public templates: p1 (created by ad1), pu1 (created by user u1)
Domain D2 has
  account: ad2
  users: ad2 and u2
pu1 id: 39fb450f-414c-4a57-a61b-21aaf72479fe
p1, pu1 are public --> ad2, u2 can use them.

API commands:
1.
url: http://localhost:8080/client/api?command=updateTemplatePermissions&id=39fb450f-414c-4a57-a61b-21aaf72479fe&isPublic=true&apiKey=NxzhaXw7VpX-ulmWmRPAv0f8gdf0z1eH5KCVRSWPN0JYReY_R7C2OkgfKz8La9SnjCg9t1lNvX4ASbpUG80X-Q&signature=P9zXHJ8kBqfI8K%2BhBsSrKxoKVsM%3d
method: GET
Response: true
The template pu1 is visible to all domains.

2.
url: http://localhost:8080/client/api?command=updateTemplatePermissions&id=39fb450f-414c-4a57-a61b-21aaf72479fe&isPublic=false&accounts=ad1&op=add&apiKey=NxzhaXw7VpX-ulmWmRPAv0f8gdf0z1eH5KCVRSWPN0JYReY_R7C2OkgfKz8La9SnjCg9t1lNvX4ASbpUG80X-Q&signature=%2BM35%2BTRgq5S/p13KuUlB8l%2BbrdY%3d
method: GET
Response: true
Users ad1, u1 can see the template pu1. ad11, ad2 can't.

3.
I want to restrict the visibility to accounts ad1, ad11 only. I used the command given in http://cloud01.managed.contegix.com/kb/updatetemplatepermissions-8
url: http://localhost:8080/client/api?command=updateTemplatePermissions&id=39fb450f-414c-4a57-a61b-21aaf72479fe&isPublic=false&accounts=ad1,ad11&op=add&apiKey=NxzhaXw7VpX-ulmWmRPAv0f8gdf0z1eH5KCVRSWPN0JYReY_R7C2OkgfKz8La9SnjCg9t1lNvX4ASbpUG80X-Q&signature=q2NSKMzvpz7l//SrgvIo257CJGc%3d
Response: true
Does not work. ad1, u1 can see the template, but ad11 can't.

4.
url: http://localhost:8080/client/api?command=updateTemplatePermissions&id=39fb450f-414c-4a57-a61b-21aaf72479fe&isPublic=true&accounts=ad1,ad11&op=add&apiKey=NxzhaXw7VpX-ulmWmRPAv0f8gdf0z1eH5KCVRSWPN0JYReY_R7C2OkgfKz8La9SnjCg9t1lNvX4ASbpUG80X-Q&signature=6TjPox%2BXxocYRmGOBHYqU9Vwxrk%3d
Method: GET
Response: true
Template pu1 is visible to ad1, ad11, ad12, ad2... all.

I am not able to restrict the visibility of template pu1 to ad1 and ad11 only.

Issue:
The updateTemplatePermissions API can be used to restrict the visibility to the owner's account only. We cannot use this API to restrict visibility of templates to the specific accounts that we want.
Thanks
Deepti Dohare

-----Original Message-----
From: dan@soleks.com [mailto:dan@soleks.com]
Sent: Sunday, May 13, 2012 12:31 PM
To: cloudstack-users@incubator.apache.org; Nitin Mehta
Cc: cloudstack-users@incubator.apache.org
Subject: RE: Template access control, just "food to think"

Hi Nitin,
Thanks for the suggestion about updateTemplatePermissions, I did try and it didn't work, and honestly saying I don't understand why it should work. CS doesn't do domain based template isolation. However based on the API docs there should be a privileged type template, but I don't see how to use it. If you could point me to an example it would be great.

Dan/borei.

> Hi Dan,
> I agree with your suggestion. There is already an enhancement request filed for this kind of requirement. Please refer to
> http://bugs.cloudstack.org/browse/CS-6398
> I would encourage you to vote for this. In case you want to add something to it please do so.
>
> On a side note in the existing software you can use the updateTemplatePermissions API to give template launch permissions to a set of accounts. Why don't you give it a try and see if it suits your use case.
>
> Thanks,
> -Nitin
>
> -----Original Message-----
> From: dan@soleks.com [mailto:dan@soleks.com]
> Sent: Saturday, May 12, 2012 12:03 PM
> To: cloudstack-users@incubator.apache.org
> Subject: Template access control, just "food to think"
>
> Hi All,
> Just "food to think" about access control to templates in the CloudStack. A couple of words about the system I'm working on. It's a 3-component mail environment - SMTP, POP/IMAP, Webmail. So in general I need three types of templates to build the entire system.
> Templates need to be isolated, because there is some authentication information that can't go public, so making them public (in the public zone) is not a very bright idea. Making them private will block access to them for other users in the same domain.
> As a workaround it's possible to create a private zone, but it's not an option for small installations (10-20 hosts). Also it's possible to create several users under the domain - say user-smtp, user-imap, user-webmail - and create templates under them, but it seems like that approach is too "artificial". The ideal solution for that problem would be a public template within the domain. That template should not be visible to other domains, so the domain will be the level of isolation. Private templates will be as they are now - only the owner has access to them.
> What is the community opinion about it?
>
> Dan/borei
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
> ----------------------------------------------------------------
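The updateTemplatePermissions calls in Deepti's message are hand-built GET requests carrying an apiKey and a signature. The script below is an added example, not code from the thread or from the CloudStack project: it computes the signature the way the CloudStack API documents it (parameters sorted by name, values URL-encoded, the whole query string lower-cased, HMAC-SHA1 keyed with the secret key, base64), and assembles the request with the op value Nitin's reply prescribes (op=remove to narrow a public template, op=add to widen a private one). The API key, secret key and base URL are placeholders; the template id is pu1's from the thread. It also shows why the URLs in the thread are worth keeping out of shared logs: the signed string carries no timestamp, so a logged apiKey/signature pair is a reusable credential for that exact request.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote_plus, urlencode

# Constructed placeholders (not the key pair shown in the thread).
API_KEY = "EXAMPLE_API_KEY"
SECRET_KEY = "EXAMPLE_SECRET_KEY"
BASE_URL = "http://localhost:8080/client/api"
TEMPLATE_ID = "39fb450f-414c-4a57-a61b-21aaf72479fe"  # pu1, as in the thread


def canonical_string(params):
    """String the CloudStack API signs: parameters sorted by name
    (case-insensitively), values URL-encoded, joined with '&', and the
    whole result lower-cased. 'signature' itself is never part of it."""
    parts = []
    for key in sorted(params, key=str.lower):
        if key == "signature":
            continue
        value = quote_plus(str(params[key]), safe="*").replace("+", "%20")
        parts.append(f"{key}={value}")
    return "&".join(parts).lower()


def sign(params, secret_key):
    """HMAC-SHA1 over the canonical string keyed with the secret, base64-encoded.
    The secret never travels in the request; only apiKey and signature do."""
    mac = hmac.new(secret_key.encode(), canonical_string(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def template_permission_params(template_id, accounts, template_is_public, api_key=API_KEY):
    """updateTemplatePermissions parameters following the rule in Nitin's reply:
    narrow a public template with op=remove, widen a private one with op=add."""
    return {
        "command": "updateTemplatePermissions",
        "id": template_id,
        "accounts": ",".join(accounts),
        "op": "remove" if template_is_public else "add",
        "apiKey": api_key,
    }


def build_url(params, secret_key=SECRET_KEY, base_url=BASE_URL):
    """Append the signature and return a GET URL of the same shape as the thread's."""
    signed = dict(params)
    signed["signature"] = sign(params, secret_key)
    return f"{base_url}?{urlencode(signed)}"


if __name__ == "__main__":
    # Private template pu1: grant launch permission to ad1 and ad11 (op=add).
    print(build_url(template_permission_params(TEMPLATE_ID, ["ad1", "ad11"], template_is_public=False)))
    # Public template: limit visibility with op=remove, as the reply advises.
    print(build_url(template_permission_params(TEMPLATE_ID, ["ad2"], template_is_public=True)))
```

Because the canonical string is sorted and lower-cased, the same parameters in any order produce the same signature; any change to a value, or to the secret key, produces a different one, which is what lets the management server reject a tampered query string without ever seeing the secret.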