cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Clayton Weise <cwe...@iswest.net>
Subject RE: Construct / change role permissions
Date Fri, 15 Jun 2012 17:17:37 GMT
Thanks Alena, it's filed as bug 15300.

-----Original Message-----
From: Alena Prokharchyk [mailto:Alena.Prokharchyk@citrix.com] 
Sent: Friday, June 15, 2012 10:10 AM
To: cloudstack-users@incubator.apache.org; 'cloudstack-dev@incubator.apache.org'
Subject: Re: Construct / change role permissions

On 6/15/12 9:49 AM, "Clayton Weise" <cweise@iswest.net> wrote:

>With regard to the subject of roles.  I've noticed that domain admins do
>not have limits enforced.  So if a domain is limited to 10 snapshots, a
>domain admin can create 11.  And because limits cannot be imposed, as far
>as we're concerned, this type of user is pretty much useless because we
>have no way to control what it can do.  Is this by design?


It was designed that way from the beginning. But you are right - domain
admin should respect the limits as he doesn't own the system, and there
should be a way to control his resources.
Can you please file a CS bug on this regard.


Thanks,
-Alena.



>And if so, why and is there a way it can be changed so that domain admins
>can have limits enforced?
>
>Thanks,
>Clayton
>
>>-----Original Message-----
>>From: Will Chan [mailto:will.chan@citrix.com]
>>Sent: Friday, June 15, 2012 9:32 AM
>>To: cloudstack-dev@incubator.apache.org;
>>cloudstack-users@incubator.apache.org
>>Subject: RE: Construct / change role permissions
>>
>>You are correct that Cloudstack has created essentially three static
>>roles today.  The most you can do today is to allow/disallow API
>>commands to each role via the commands.properties file.
>>
>>It has been something that has been requested many times before,
>>however, most production systems that go live on CloudStack typically
>>are fronted by some type of "portal."  These portals are the ones that
>>decide permissions for each user type.  Essentially, it's the user role
>>that require a bit more flexibility as the other two roles are pretty
>>standard.
>>
>>I do know that Citrix is working on contributing back some refactoring
>>work on the domain and user ACL checklist so you might want to wait for
>>that first.
>>
>>Will
>>
>>> -----Original Message-----
>>> From: Olga Smola [mailto:olya.smola@gmail.com]
>>> Sent: Friday, June 15, 2012 1:02 AM
>>> To: cloudstack-dev@incubator.apache.org; cloudstack-
>>> users@incubator.apache.org
>>> Subject: Construct / change role permissions
>>>
>>> Hi,
>>>
>>> I would like to discuss CloudStack roles capabilities. As far as I
>>>understand, there
>>> are 3 distinct roles and there is no possibility to change any role
>>>permissions.
>>> Sometimes it's not so comfortable for situation when it is needed to
>>>allow some
>>> action from one role to another one. For example, if you would like to
>>>allow
>>> USER new action "Add account", you can't. Because there is no API
>>>command
>>> for USER. What about new roles?
>>> Have you got any ideas how to extend the CloudStack mechanism of roles
>>> creation? It will be more convenient if there is something that allow
>>>to create
>>> custom roles with needed permissions. For example, give basic role
>>>ADMIN or
>>> USER and then create new role based on it, change permissions(remove,
>>>add).
>>> Something like Role's constructor.
>>> Also I would like to know if somebody else needs similar extension?
>>>
>>> Fill free to write any ideas.
>>>
>>> Thanks a lot,
>>> Olga
>



Mime
View raw message