incubator-cloudstack-users mailing list archives

From Nitin Mehta <Nitin.Me...@citrix.com>
Subject RE: Template access control, just "food to think"
Date Wed, 16 May 2012 08:29:48 GMT
Deepti - This is a good try but I guess there is a mistake in understanding the operations
here.
If there is a public template and if you want to limit the visibility to a few accounts then
you should use op as "remove" rather than add.
If there is a private template and if you want to increase the visibility to a few accounts
then you should use op as "add".

Please give it another try and see if there is really an issue and file bugs if any and let
us know.
 

Thanks,
-Nitin
-----Original Message-----
From: Deepti Dohare 
Sent: Wednesday, May 16, 2012 12:27 PM
To: cloudstack-users@incubator.apache.org
Cc: Nitin Mehta; dan@soleks.com; Hariharan Sankaranarayanan; Ewan Mellor
Subject: RE: Template access control, just "food to think"

Hi,

I used updateTemplatePermissions api to change the permission of template visibility wrt accounts:


Initial setup:
Domain D1 has 
	accounts: ad1, ad11, ad12
	users: ad1, ad11, ad12, u1
	public templates : p1 (created by ad1),pu1 (created by user u1)

Domain D2 has
	account: ad2 
	users: ad2 and u2

pu1 id: 39fb450f-414c-4a57-a61b-21aaf72479fe

p1, pu1 are public--> ad2, u2 can use them.

API commands:
1. url: http://localhost:8080/client/api?command=updateTemplatePermissions&id=39fb450f-414c-4a57-a61b-21aaf72479fe&isPublic=true&apiKey=NxzhaXw7VpX-ulmWmRPAv0f8gdf0z1eH5KCVRSWPN0JYReY_R7C2OkgfKz8La9SnjCg9t1lNvX4ASbpUG80X-Q&signature=P9zXHJ8kBqfI8K%2BhBsSrKxoKVsM%3d
   
method: get

Response: 
<updatetemplatepermissionsresponse cloud-stack-version="3.0.3.2012-05-16T05:08:38Z">
<success>true</success>
</updatetemplatepermissionsresponse>

The template pu1, is visible to all domains.

2. url : http://localhost:8080/client/api?command=updateTemplatePermissions&id=39fb450f-414c-4a57-a61b-21aaf72479fe&isPublic=false&accounts=ad1&op=add&apiKey=NxzhaXw7VpX-ulmWmRPAv0f8gdf0z1eH5KCVRSWPN0JYReY_R7C2OkgfKz8La9SnjCg9t1lNvX4ASbpUG80X-Q&signature=%2BM35%2BTRgq5S/p13KuUlB8l%2BbrdY%3d
 
method:GET

Response: 
<updatetemplatepermissionsresponse cloud-stack-version="3.0.3.2012-05-16T05:08:38Z">
<success>true</success>
</updatetemplatepermissionsresponse>

Users ad1, u1 can see the template pu1. ad11, ad2 can't.

3. I want to restrict the visibility to accounts ad1, ad11 only. I used the command given in
http://cloud01.managed.contegix.com/kb/updatetemplatepermissions-8

url : http://localhost:8080/client/api?command=updateTemplatePermissions&id=39fb450f-414c-4a57-a61b-21aaf72479fe&isPublic=false&accounts=ad1,ad11&op=add&apiKey=NxzhaXw7VpX-ulmWmRPAv0f8gdf0z1eH5KCVRSWPN0JYReY_R7C2OkgfKz8La9SnjCg9t1lNvX4ASbpUG80X-Q&signature=q2NSKMzvpz7l//SrgvIo257CJGc%3d

Response:
<updatetemplatepermissionsresponse cloud-stack-version="3.0.3.2012-05-16T05:08:38Z">
<success>true</success>
</updatetemplatepermissionsresponse>

Does not work.
ad1, u1 can see the template, but ad11 can't.

4. 
url: http://localhost:8080/client/api?command=updateTemplatePermissions&id=39fb450f-414c-4a57-a61b-21aaf72479fe&isPublic=true&accounts=ad1,ad11&op=add&apiKey=NxzhaXw7VpX-ulmWmRPAv0f8gdf0z1eH5KCVRSWPN0JYReY_R7C2OkgfKz8La9SnjCg9t1lNvX4ASbpUG80X-Q&signature=6TjPox%2BXxocYRmGOBHYqU9Vwxrk%3d

Method: GET

Response: 
<updatetemplatepermissionsresponse cloud-stack-version="3.0.3.2012-05-16T05:08:38Z">
<success>true</success>
</updatetemplatepermissionsresponse>

template pu1 is visible to ad1, ad11, ad12, ad2...all. 

I am not able to restrict the visibility of template pu1 to ad1 and ad11 only. 

Issue:
The updateTemplatePermissions api can be used to restrict the visibility to the owner's account
only. We cannot use this api to restrict visibility of templates to specific accounts that
we want.

Thanks
Deepti Dohare
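
Added example, not part of the original messages and not CloudStack project code: every call above returned `<success>true</success>` even when the resulting visibility was not the intended one, so the sketch below audits the stored permission state against the intended account list instead. The XML shape of the `listTemplatePermissions` reply, the sample reply itself, and the rule that the owner account needs no explicit grant are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: assumed shape of a listTemplatePermissions XML reply
# for template pu1, mirroring the outcome reported in step 3 (not captured
# from a real server).
SAMPLE_REPLY = """<listtemplatepermissionsresponse>
  <templatepermission>
    <id>39fb450f-414c-4a57-a61b-21aaf72479fe</id>
    <ispublic>false</ispublic>
    <account>ad1</account>
  </templatepermission>
</listtemplatepermissionsresponse>"""


def parse_permissions(xml_text):
    """Return (is_public, set of granted account names) from the reply."""
    perm = ET.fromstring(xml_text).find("templatepermission")
    if perm is None:
        raise ValueError("no <templatepermission> element in reply")
    is_public = (perm.findtext("ispublic") or "").strip().lower() == "true"
    accounts = {a.text.strip() for a in perm.findall("account") if a.text}
    return is_public, accounts


def audit_template(xml_text, intended_accounts, owner):
    """Compare the server's permission state with the intended access list."""
    is_public, granted = parse_permissions(xml_text)
    intended = set(intended_accounts)
    findings = []
    if is_public:
        # A public template overrides any per-account restriction.
        findings.append("template is public: visible to every account")
    # Assumption: the owner account can always use its own template.
    for name in sorted(intended - granted - {owner}):
        findings.append(f"missing grant: {name}")
    for name in sorted(granted - intended):
        findings.append(f"unexpected grant: {name}")
    return findings


if __name__ == "__main__":
    result = audit_template(SAMPLE_REPLY, {"ad1", "ad11"}, owner="ad1")
    for line in result or ["ok: state matches intent"]:
        print(line)
```
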


-----Original Message-----
From: dan@soleks.com [mailto:dan@soleks.com]
Sent: Sunday, May 13, 2012 12:31 PM
To: cloudstack-users@incubator.apache.org; Nitin Mehta
Cc: cloudstack-users@incubator.apache.org
Subject: RE: Template access control, just "food to think"



 Hi Nitin, 

Thanks for suggestion about updateTemplatePermissions, I did try and it didn't work, and honestly
saying I don't understand why it should work. CS doesn't do domain based template isolation.
However based on the API docs there should be privileged type template, but I don't see how
to use it. If you could point me to example it would be great.

Dan/borei.

> Hi Dan,
> I agree with your suggestion. There is already an enhancement request 
> filed for this kind of requirement. Please refer to
> http://bugs.cloudstack.org/browse/CS-6398
> I would encourage you to vote for this. In case you want to add 
> something to it please do so.
>
> On a side note in the existing software you can use 
> updateTemplatePermissions API to give template launch permissions to a 
> set of accounts. Why don't you give it a try and see if it suits your 
> use case.
>
> Thanks,
> -Nitin
>
> -----Original Message-----
> From: dan@soleks.com [mailto:dan@soleks.com]
> Sent: Saturday, May 12, 2012 12:03 PM
> To: cloudstack-users@incubator.apache.org
> Subject: Template access control, just "food to think"
>
> Hi All,
> Just "food to think" about access control to templates in the
> CloudStack. Couple words about system I'm working on. It's
> 3-components mail environment - SMTP, POP/IMAP, Webmail. So in general
> I need three types of templates to build entire system.
> Templates need to be isolated, because there is some authentication
> information that can't go public, so making them public (in the public
> zone) is not very bright idea. Making them private will block an
> access to them for other users in the same domain. As workaround it's
> possible to create private zone, but it's not an option for small
> installations (10-20 hosts). Also it's possible to create several
> users under domain - say user-smtp, user-imap, user-webmail and create
> templates under them, but seems like that approach is too
> "artificial". Ideal solution for that problem would be public template
> within domain. That template should not be visible for other domains,
> so domain will be level of isolation. Private templates will be like
> they are now - only owner has access to them.
> What is the community opinion about it?
>
> Dan/borei
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>

