cloudstack-users mailing list archives

From Deepti Dohare <deepti.doh...@citrix.com>
Subject RE: Construct / change role permissions
Date Tue, 26 Jun 2012 19:45:04 GMT
I have added a patch (https://reviews.apache.org/r/5573/diff/#index_header) for CS-15300. It
enables a domain admin account to respect the limits.

This bug also states that domain admin shouldn't have the right to create infinite resources.
In this case, what should be the maximum limit of the resources a domain admin account can
have?

Thanks
Deepti 
-----Original Message-----
From: Kelven Yang [mailto:kelven.yang@citrix.com] 
Sent: Saturday, June 16, 2012 2:49 AM
To: cloudstack-users@incubator.apache.org; 'cloudstack-dev@incubator.apache.org'
Subject: RE: Construct / change role permissions

This might be a separate topic. We just happened to have an internal discussion this morning
on how we can improve role-based access control in CloudStack; here is a link to part of the
presentation I did. Any feedback would be very welcome.

http://wiki.cloudstack.org/pages/viewpageattachments.action?pageId=1344392&highlight=acl.pptx#Home-attachment-acl.pptx

Kelven


> -----Original Message-----
> From: Clayton Weise [mailto:cweise@iswest.net]
> Sent: Friday, June 15, 2012 10:18 AM
> To: 'cloudstack-users@incubator.apache.org'; 'cloudstack-dev@incubator.apache.org'
> Subject: RE: Construct / change role permissions
> 
> Thanks Alena, it's filed as bug 15300.
> 
> -----Original Message-----
> From: Alena Prokharchyk [mailto:Alena.Prokharchyk@citrix.com]
> Sent: Friday, June 15, 2012 10:10 AM
> To: cloudstack-users@incubator.apache.org; 'cloudstack-dev@incubator.apache.org'
> Subject: Re: Construct / change role permissions
> 
> On 6/15/12 9:49 AM, "Clayton Weise" <cweise@iswest.net> wrote:
> 
> >With regard to the subject of roles.  I've noticed that domain admins
> >do not have limits enforced.  So if a domain is limited to 10
> >snapshots, a domain admin can create 11.  And because limits cannot
> >be imposed, as far as we're concerned, this type of user is pretty
> >much useless because we have no way to control what it can do.  Is
> >this by design?
> 
> 
> It was designed that way from the beginning. But you are right - 
> domain admin should respect the limits as he doesn't own the system, 
> and there should be a way to control his resources.
> Can you please file a CS bug on this regard.
> 
> 
> Thanks,
> -Alena.
> 
> 
> 
> >And if so, why and is there a way it can be changed so that domain admins
> >can have limits enforced?
> >
> >Thanks,
> >Clayton
> >
> >>-----Original Message-----
> >>From: Will Chan [mailto:will.chan@citrix.com]
> >>Sent: Friday, June 15, 2012 9:32 AM
> >>To: cloudstack-dev@incubator.apache.org;
> >>cloudstack-users@incubator.apache.org
> >>Subject: RE: Construct / change role permissions
> >>
> >>You are correct that Cloudstack has created essentially three static 
> >>roles today.  The most you can do today is to allow/disallow API 
> >>commands to each role via the commands.properties file.
> >>
> >>It has been something that has been requested many times before, 
> >>however, most production systems that go live on CloudStack 
> >>typically are fronted by some type of "portal."  These portals are 
> >>the ones that decide permissions for each user type.  Essentially, 
> >>it's the user role that requires a bit more flexibility as the other 
> >>two roles are pretty standard.
> >>
> >>I do know that Citrix is working on contributing back some 
> >>refactoring work on the domain and user ACL checklist so you might 
> >>want to wait for that first.
> >>
> >>Will
> >>
> >>> -----Original Message-----
> >>> From: Olga Smola [mailto:olya.smola@gmail.com]
> >>> Sent: Friday, June 15, 2012 1:02 AM
> >>> To: cloudstack-dev@incubator.apache.org; cloudstack-users@incubator.apache.org
> >>> Subject: Construct / change role permissions
> >>>
> >>> Hi,
> >>>
> >>> I would like to discuss CloudStack roles capabilities. As far as I
> >>> understand, there are 3 distinct roles and there is no possibility
> >>> to change any role permissions.
> >>> Sometimes it's not so comfortable for situations when it is needed
> >>> to allow some action from one role to another one. For example, if
> >>> you would like to allow USER a new action "Add account", you can't,
> >>> because there is no API command for USER. What about new roles?
> >>> Have you got any ideas how to extend the CloudStack mechanism of roles
> >>> creation? It will be more convenient if there is something that
> >>> allows creating custom roles with needed permissions. For example,
> >>> give a basic role ADMIN or USER and then create a new role based on
> >>> it, change permissions (remove, add).
> >>> Something like a Role's constructor.
> >>> Also I would like to know if somebody else needs a similar extension?
> >>>
> >>> Feel free to write any ideas.
> >>>
> >>> Thanks a lot,
> >>> Olga
> >
> 

