incubator-cloudstack-dev mailing list archives

From Kelven Yang <kelven.y...@citrix.com>
Subject RE: Construct / change role permissions
Date Fri, 15 Jun 2012 21:18:53 GMT
This might be a separate topic; we just happened to have an internal discussion this morning
on how we can improve role-based access control in CloudStack. Here is a link to part of the
presentation I did. Any feedback would be very welcome.

http://wiki.cloudstack.org/pages/viewpageattachments.action?pageId=1344392&highlight=acl.pptx#Home-attachment-acl.pptx

Kelven


> -----Original Message-----
> From: Clayton Weise [mailto:cweise@iswest.net]
> Sent: Friday, June 15, 2012 10:18 AM
> To: 'cloudstack-users@incubator.apache.org'; 'cloudstack-
> dev@incubator.apache.org'
> Subject: RE: Construct / change role permissions
> 
> Thanks Alena, it's filed as bug 15300.
> 
> -----Original Message-----
> From: Alena Prokharchyk [mailto:Alena.Prokharchyk@citrix.com]
> Sent: Friday, June 15, 2012 10:10 AM
> To: cloudstack-users@incubator.apache.org; 'cloudstack-
> dev@incubator.apache.org'
> Subject: Re: Construct / change role permissions
> 
> On 6/15/12 9:49 AM, "Clayton Weise" <cweise@iswest.net> wrote:
> 
> >With regard to the subject of roles.  I've noticed that domain admins do
> >not have limits enforced.  So if a domain is limited to 10 snapshots, a
> >domain admin can create 11.  And because limits cannot be imposed, as
> far
> >as we're concerned, this type of user is pretty much useless because we
> >have no way to control what it can do.  Is this by design?
> 
> 
> It was designed that way from the beginning. But you are right - domain
> admin should respect the limits as he doesn't own the system, and there
> should be a way to control his resources.
> Can you please file a CS bug in this regard?
> 
> 
> Thanks,
> -Alena.
> 
> 
> 
> >And if so, why and is there a way it can be changed so that domain
> admins
> >can have limits enforced?
> >
> >Thanks,
> >Clayton
> >
> >>-----Original Message-----
> >>From: Will Chan [mailto:will.chan@citrix.com]
> >>Sent: Friday, June 15, 2012 9:32 AM
> >>To: cloudstack-dev@incubator.apache.org;
> >>cloudstack-users@incubator.apache.org
> >>Subject: RE: Construct / change role permissions
> >>
> >>You are correct that CloudStack has created essentially three static
> >>roles today.  The most you can do today is to allow/disallow API
> >>commands to each role via the commands.properties file.
> >>
> >>It has been something that has been requested many times before,
> >>however, most production systems that go live on CloudStack typically
> >>are fronted by some type of "portal."  These portals are the ones that
> >>decide permissions for each user type.  Essentially, it's the user role
> >>that requires a bit more flexibility as the other two roles are pretty
> >>standard.
> >>
> >>I do know that Citrix is working on contributing back some refactoring
> >>work on the domain and user ACL checklist so you might want to wait for
> >>that first.
> >>
> >>Will
> >>
> >>> -----Original Message-----
> >>> From: Olga Smola [mailto:olya.smola@gmail.com]
> >>> Sent: Friday, June 15, 2012 1:02 AM
> >>> To: cloudstack-dev@incubator.apache.org; cloudstack-
> >>> users@incubator.apache.org
> >>> Subject: Construct / change role permissions
> >>>
> >>> Hi,
> >>>
> >>> I would like to discuss CloudStack roles capabilities. As far as I
> >>>understand, there
> >>> are 3 distinct roles and there is no possibility to change any role
> >>>permissions.
> >>> Sometimes it's not so comfortable for situation when it is needed to
> >>>allow some
> >>> action from one role to another one. For example, if you would like
> to
> >>>allow
> >>> USER new action "Add account", you can't. Because there is no API
> >>>command
> >>> for USER. What about new roles?
> >>> Have you got any ideas how to extend the CloudStack mechanism of
> roles
> >>> creation? It will be more convenient if there is something that allows
> >>>to create
> >>> custom roles with needed permissions. For example, give basic role
> >>>ADMIN or
> >>> USER and then create new role based on it, change permissions(remove,
> >>>add).
> >>> Something like Role's constructor.
> >>> Also I would like to know if somebody else needs similar extension?
> >>>
> >>> Feel free to write any ideas.
> >>>
> >>> Thanks a lot,
> >>> Olga
> >
> 
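
An added example, not part of the thread and not CloudStack's own code: a small audit of the per-role API allow-list that the commands.properties file mentioned above provides. It assumes the `name=class;bitmask` line layout with 1 = ADMIN, 2 = RESOURCE_DOMAIN_ADMIN, 4 = DOMAIN_ADMIN, 8 = USER (verify against the file shipped with your version); the sample lines and helper names are constructed for illustration.

```python
# Added example: audit a commands.properties-style file for per-role API exposure.
# Assumed line format (not shown in the thread): name=fully.qualified.Class;bitmask
ROLE_BITS = {"ADMIN": 1, "RESOURCE_DOMAIN_ADMIN": 2, "DOMAIN_ADMIN": 4, "USER": 8}

# Constructed sample input, not copied from a real deployment.
SAMPLE = """\
#### Account commands
createAccount=com.cloud.api.commands.CreateAccountCmd;3
listAccounts=com.cloud.api.commands.ListAccountsCmd;15
createSnapshot=com.cloud.api.commands.CreateSnapshotCmd;15
brokenLine=com.example.NoMaskCmd
"""

def parse_commands(text):
    """Return ({command: set of roles allowed}, [malformed lines])."""
    allowed, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        _cls, semi, mask = value.rpartition(";")
        # A line without a numeric mask grants nothing; report it for review.
        if not sep or not semi or not mask.strip().isdigit():
            malformed.append(line)
            continue
        bits = int(mask)
        allowed[name.strip()] = {r for r, b in ROLE_BITS.items() if bits & b}
    return allowed, malformed

def can_call(allowed, role, command):
    """Default deny: a command missing from the file is callable by no role."""
    return role in allowed.get(command, set())

def exposed_to(allowed, role):
    """Sorted list of commands the given role may call."""
    return sorted(c for c, roles in allowed.items() if role in roles)

if __name__ == "__main__":
    table, bad = parse_commands(SAMPLE)
    for role in ROLE_BITS:
        print(role, exposed_to(table, role))
    print("malformed:", bad)
```

Diffing the output of `exposed_to` before and after an edit to the file shows exactly which API commands a role gained or lost.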

