cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Will Chan <will.c...@citrix.com>
Subject RE: Construct / change role permissions
Date Fri, 15 Jun 2012 17:00:00 GMT
That could be a bug.  As far as I know domain-admins should be limited as well.  

Will

> -----Original Message-----
> From: Clayton Weise [mailto:cweise@iswest.net]
> Sent: Friday, June 15, 2012 9:50 AM
> To: 'cloudstack-dev@incubator.apache.org'; 'cloudstack-
> users@incubator.apache.org'
> Subject: RE: Construct / change role permissions
> 
> With regard to the subject of roles.  I've noticed that domain admins do not
> have limits enforced.  So if a domain is limited to 10 snapshots, a domain admin
> can create 11.  And because limits cannot be imposed, as far as we're
> concerned, this type of user is pretty much useless because we have no way to
> control what it can do.  Is this by design?  And if so, why and is there a way it can
> be changed so that domain admins can have limits enforced?
> 
> Thanks,
> Clayton
> 
> >-----Original Message-----
> >From: Will Chan [mailto:will.chan@citrix.com]
> >Sent: Friday, June 15, 2012 9:32 AM
> >To: cloudstack-dev@incubator.apache.org;
> >cloudstack-users@incubator.apache.org
> >Subject: RE: Construct / change role permissions
> >
> >You are correct that Cloudstack has created essentially three static roles today.
> The most you can do today is to allow/disallow API commands to each role via
> the commands.properties file.
> >
> >It has been something that has been requested many times before, however,
> most production systems that go live on CloudStack typically are fronted by
> some type of "portal."  These portals are the ones that decide permissions for
> each user type.  Essentially, it's the user role that require a bit more flexibility
as
> the other two roles are pretty standard.
> >
> >I do know that Citrix is working on contributing back some refactoring work on
> the domain and user ACL checklist so you might want to wait for that first.
> >
> >Will
> >
> >> -----Original Message-----
> >> From: Olga Smola [mailto:olya.smola@gmail.com]
> >> Sent: Friday, June 15, 2012 1:02 AM
> >> To: cloudstack-dev@incubator.apache.org; cloudstack-
> >> users@incubator.apache.org
> >> Subject: Construct / change role permissions
> >>
> >> Hi,
> >>
> >> I would like to discuss CloudStack roles capabilities. As far as I
> >> understand, there are 3 distinct roles and there is no possibility to change
any
> role permissions.
> >> Sometimes it's not so comfortable for situation when it is needed to
> >> allow some action from one role to another one. For example, if you
> >> would like to allow USER new action "Add account", you can't. Because
> >> there is no API command for USER. What about new roles?
> >> Have you got any ideas how to extend the CloudStack mechanism of
> >> roles creation? It will be more convenient if there is something that
> >> allow to create custom roles with needed permissions. For example,
> >> give basic role ADMIN or USER and then create new role based on it, change
> permissions(remove, add).
> >> Something like Role's constructor.
> >> Also I would like to know if somebody else needs similar extension?
> >>
> >> Fill free to write any ideas.
> >>
> >> Thanks a lot,
> >> Olga

Mime
View raw message