This might be a separate topic; we just happened to have an internal discussion this morning on how we can improve role-based access control in CloudStack. Here is a link to part of the presentation I did. Any feedback would be very welcome.
http://wiki.cloudstack.org/pages/viewpageattachments.action?pageId=1344392&highlight=acl.pptx#Home-attachment-acl.pptx

Kelven

> -----Original Message-----
> From: Clayton Weise [mailto:[email protected]]
> Sent: Friday, June 15, 2012 10:18 AM
> To: '[email protected]'; 'cloudstack-[email protected]'
> Subject: RE: Construct / change role permissions
>
> Thanks Alena, it's filed as bug 15300.
>
> -----Original Message-----
> From: Alena Prokharchyk [mailto:[email protected]]
> Sent: Friday, June 15, 2012 10:10 AM
> To: [email protected]; 'cloudstack-[email protected]'
> Subject: Re: Construct / change role permissions
>
> On 6/15/12 9:49 AM, "Clayton Weise" <[email protected]> wrote:
>
> >With regard to the subject of roles. I've noticed that domain admins do
> >not have limits enforced. So if a domain is limited to 10 snapshots, a
> >domain admin can create 11. And because limits cannot be imposed, as far
> >as we're concerned, this type of user is pretty much useless because we
> >have no way to control what it can do. Is this by design?
>
> It was designed that way from the beginning. But you are right - domain
> admin should respect the limits as he doesn't own the system, and there
> should be a way to control his resources.
> Can you please file a CS bug on this regard?
>
> Thanks,
> -Alena.
>
> >And if so, why and is there a way it can be changed so that domain admins
> >can have limits enforced?
> >
> >Thanks,
> >Clayton
> >
> >>-----Original Message-----
> >>From: Will Chan [mailto:[email protected]]
> >>Sent: Friday, June 15, 2012 9:32 AM
> >>To: [email protected];
> >>[email protected]
> >>Subject: RE: Construct / change role permissions
> >>
> >>You are correct that CloudStack has created essentially three static
> >>roles today. The most you can do today is to allow/disallow API
> >>commands to each role via the commands.properties file.
> >>
> >>It has been something that has been requested many times before,
> >>however, most production systems that go live on CloudStack typically
> >>are fronted by some type of "portal." These portals are the ones that
> >>decide permissions for each user type. Essentially, it's the user role
> >>that requires a bit more flexibility as the other two roles are pretty
> >>standard.
> >>
> >>I do know that Citrix is working on contributing back some refactoring
> >>work on the domain and user ACL checklist so you might want to wait for
> >>that first.
> >>
> >>Will
> >>
> >>> -----Original Message-----
> >>> From: Olga Smola [mailto:[email protected]]
> >>> Sent: Friday, June 15, 2012 1:02 AM
> >>> To: [email protected]; cloudstack-[email protected]
> >>> Subject: Construct / change role permissions
> >>>
> >>> Hi,
> >>>
> >>> I would like to discuss CloudStack roles capabilities. As far as I understand, there
> >>> are 3 distinct roles and there is no possibility to change any role permissions.
> >>> Sometimes it's not so comfortable for situation when it is needed to allow some
> >>> action from one role to another one. For example, if you would like to allow
> >>> USER new action "Add account", you can't. Because there is no API command
> >>> for USER. What about new roles?
> >>> Have you got any ideas how to extend the CloudStack mechanism of roles
> >>> creation? It will be more convenient if there is something that allows to create
> >>> custom roles with needed permissions. For example, give basic role ADMIN or
> >>> USER and then create new role based on it, change permissions (remove, add).
> >>> Something like Role's constructor.
> >>> Also I would like to know if somebody else needs similar extension?
> >>>
> >>> Feel free to write any ideas.
> >>>
> >>> Thanks a lot,
> >>> Olga
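
Added example, not part of the thread and not CloudStack's own code: a small audit of a commands.properties-style file that lists which API commands each static role can call, and shows what granting one command to USER (Olga's "Add account" case) changes. The `name=class;mask` line format and the role bit values are assumptions not stated in the thread; the sample entries and class names are constructed.

```python
import re

# Assumed role bits (not given in the thread).
ROLE_BITS = {"admin": 1, "resource-admin": 2, "domain-admin": 4, "user": 8}

# Constructed sample file; class names are placeholders.
SAMPLE = """\
# account and snapshot commands
createAccount=com.example.api.CreateAccountCmd;3
listAccounts=com.example.api.ListAccountsCmd;15
createSnapshot=com.example.api.CreateSnapshotCmd;15
deleteDomain=com.example.api.DeleteDomainCmd;1
brokenEntry=com.example.api.BrokenCmd
"""

LINE = re.compile(r"^(?P<cmd>\w+)\s*=\s*(?P<cls>[\w.$]+)\s*;\s*(?P<mask>\d+)$")


def parse(text):
    """Return ({command: mask}, [rejected lines]).

    A line without a parsable mask is rejected rather than guessed at,
    so the command stays denied to every role (fail closed).
    """
    acl, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if m:
            acl[m["cmd"]] = int(m["mask"])
        else:
            rejected.append(line)
    return acl, rejected


def allowed(acl, role):
    """Commands whose mask includes the given role's bit."""
    bit = ROLE_BITS[role]
    return sorted(cmd for cmd, mask in acl.items() if mask & bit)


def grant(acl, command, role):
    """Copy of acl with the role's bit added to one command's mask."""
    updated = dict(acl)
    updated[command] |= ROLE_BITS[role]
    return updated


if __name__ == "__main__":
    acl, rejected = parse(SAMPLE)
    for role in ROLE_BITS:
        print(role, allowed(acl, role))
    print("rejected:", rejected)
    print("createAccount mask after grant:", grant(acl, "createAccount", "user")["createAccount"])
```

Under these assumptions a grant applies to every account holding that role, which is the coarseness the thread is discussing: the file toggles commands per static role and cannot express a custom role.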
