Yeah, I think the idea is not to change ownership of the resource but to be better able to 'assign blame' for action x or y.
On Fri, Nov 14, 2014 at 12:17 PM, Prachi Damle <prachi.da...@citrix.com> wrote:

> Rohit,
>
> Just on note on:
>
> >>>Min, you’re right I don’t propose to change the IAM model just some
> additional data that notes who *actually* owns the resource (VM, volume,
> etc.) in an account which can be useful for sysadmins to list resource by
> userid etc.
>
> Adding 'user_id' column but not changing IAM model should be a small
> change and not causing any IAM side effects.
>
> But, it still won't really mean that that 'userid' 'owns' the resource.
> The ownership will still stay with the account - and so all other users in
> that account will still be able to access that resource, as per CS IAM.
> The userid will just provide an insight on which user in the account
> created the resource.
>
> Thanks,
> Prachi
>
> -----Original Message-----
> From: Rohit Yadav [mailto:rohit.ya...@shapeblue.com]
> Sent: Friday, November 14, 2014 11:04 AM
> To: dev@cloudstack.apache.org
> Subject: Re: [DISCUSS] Major business logic refactoring: Move from Account
> to UserAccount
>
> Min, you’re right I don’t propose to change the IAM model just some
> additional data that notes who *actually* owns the resource (VM, volume,
> etc.) in an account which can be useful for sysadmins to list resource by
> userid etc.
>
> I can understand the hesitation and the side effects such a refactoring
> can produce, so I think the best would be to add user_id (uuid) columns and
> change only the API/query layer.
>
> Mike: I don’t propose to use user name but uuids so they are unique. My
> concern was adding user_id column to say vm_instance table denormalizes
> data as that table already has domain_id and account_id in it and as Rajani
> suggested earlier those two are not needed as using user_id one can find
> account_id and domain_id. I guess, the easiest way would be to just add an
> additional user_id column.
>
> Cheers.
>
> > On 15-Nov-2014, at 12:14 am, Min Chen <min.c...@citrix.com> wrote:
> >
> > Rohit, If I understood you correctly, the user_id column is only used
> > for listing resources to indicate which user is the real owner/creator
> > of the resource, but you don't want to change CloudStack account-level
> > permission model to user-level permission model, right? If so, the
> > change will be smaller, maybe some Response classes, which should not
> > involve too many business layer change. I will hesitate to really
> > change CloudStack IAM model though.
> >
> > Thanks
> > -min
> >
> > On 11/14/14 10:35 AM, "Rohit Yadav" <rohit.ya...@shapeblue.com> wrote:
> >
> >> Hi Min,
> >>
> >> Good to know. What do you propose we do moving forward. Do a
> >> refactoring run to fix it or leave it as it is and perhaps add
> >> user_id columns to few resources that are more useful for sysadmins
> >> such as vm_instance table.
> >>
> >>> On 14-Nov-2014, at 11:49 pm, Min Chen <min.c...@citrix.com> wrote:
> >>>
> >>> Rohit,
> >>>
> >>> I think that the historic reason for this is that CloudStack is only
> >>> doing IAM access permission check on account level, user is only
> >>> login authentication purpose. That is why we will see that all our
> >>> CloudStack resource owner field is an account, since that is the
> >>> only information used for controlling whether you have some
> >>> permissions to the resource.
> >>> Thanks
> >>> -min
> >>>
> >>> On 11/14/14 12:53 AM, "Rohit Yadav" <rohit.ya...@shapeblue.com> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> All CloudStack DB entities (VM, storage, network etc.) have an
> >>>> owner field which is mostly the account. An account can have
> >>>> multiple users so just by looking at the resource (say VM) it's not
> >>>> possible to make out which user in the account (owner or account_id
> >>>> field in the db row of the
> >>>> entity) created it. CloudStack users may want to know this
> >>>> information for at least entities such as VMs and Volumes.
> >>>>
> >>>> Historically, why is the account owner of an entity and not a user?
> >>>> If user were the owner, we could easily get the account Id using
> >>>> the user Id.
> >>>>
> >>>> One solution to fix this problem is to refactor and replace Account
> >>>> (interface) usage with UserAccount (interface) usage, fix the DAO
> >>>> and resource layer, and add columns in the schema. This gets us all
> >>>> the information we need to determine domainId, AccountId and Id
> >>>> (the user ID). Should we do it for all entities or just keep status
> >>>> quo (use account as owners), or just fix it on-demand basis for
> >>>> specific entities such as for user VMs [1].
> >>>>
> >>>> [1] https://issues.apache.org/jira/browse/CLOUDSTACK-7908
> >>>>
> >>>> Regards,
> >>>> Rohit Yadav
> >>>> Software Architect, ShapeBlue
> >>>> M. +91 88 262 30892 | rohit.ya...@shapeblue.com
> >>>> Blog: bhaisaab.org | Twitter: @_bhaisaab
> >>>>
> >>>> Find out more about ShapeBlue and our range of CloudStack related
> >>>> services
> >>>>
> >>>> IaaS Cloud Design &
> >>>> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> >>>> CSForge rapid IaaS deployment
> >>>> framework<http://shapeblue.com/csforge/>
> >>>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> >>>> CloudStack Software
> >>>> Engineering<http://shapeblue.com/cloudstack-software-engineering/>
> >>>> CloudStack Infrastructure
> >>>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> >>>> CloudStack Bootcamp Training
> >>>> Courses<http://shapeblue.com/cloudstack-training/>
> >>>>
> >>>> This email and any attachments to it may be confidential and are
> >>>> intended solely for the use of the individual to whom it is
> >>>> addressed. Any views or opinions expressed are solely those of the
> >>>> author and do not necessarily represent those of Shape Blue Ltd or
> >>>> related companies.
> >>>> If you are not the intended recipient of this
> >>>> email, you must neither take any action based upon its contents,
> >>>> nor copy or show it to anyone.
> >>>> Please
> >>>> contact the sender if you believe you have received this email in
> >>>> error.
> >>>> Shape Blue Ltd is a company incorporated in England & Wales.
> >>>> ShapeBlue Services India LLP is a company incorporated in India and
> >>>> is operated under license from Shape Blue Ltd. Shape Blue Brasil
> >>>> Consultoria Ltda is a company incorporated in Brasil and is
> >>>> operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is
> >>>> a company registered by The Republic of South Africa and is traded
> >>>> under license from Shape Blue Ltd. ShapeBlue is a registered
> >>>> trademark.
> >>>
> >>
> >> Regards,
> >> Rohit Yadav
> >
>
> Regards,
> Rohit Yadav
>

--
*Mike Tutkowski*
*Senior CloudStack Developer, SolidFire Inc.*
e: mike.tutkow...@solidfire.com
o: 303.746.7302
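
The distinction drawn in this thread, as an added example (not CloudStack code and not part of any message above): a constructed, simplified schema in SQLite via Python where `account_id` still decides access and the proposed `user_id` only records the creator, plus a check for the denormalization hazard mentioned in the thread. Only the names `vm_instance`, `domain_id`, `account_id` and `user_id` come from the thread; the `users` and `account` tables, the function names and all rows are assumptions.

```python
import sqlite3

# Constructed, simplified schema: not the real CloudStack tables.
SCHEMA = """
CREATE TABLE account (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL);
CREATE TABLE users (uuid TEXT PRIMARY KEY,
                    account_id INTEGER NOT NULL REFERENCES account(id));
CREATE TABLE vm_instance (
    id INTEGER PRIMARY KEY,
    domain_id INTEGER NOT NULL,
    account_id INTEGER NOT NULL REFERENCES account(id), -- owner: drives access
    user_id TEXT REFERENCES users(uuid)                 -- creator: attribution only
);
"""

def build_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO account VALUES (?, ?)", [(1, 10), (2, 10)])
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("u-alice", 1), ("u-bob", 1), ("u-carol", 2)])
    db.executemany("INSERT INTO vm_instance VALUES (?, ?, ?, ?)", [
        (100, 10, 1, "u-alice"),
        (101, 10, 1, "u-bob"),
        (102, 10, 2, "u-carol"),
        (103, 10, 2, "u-alice"),  # inconsistent: creator is outside owning account
    ])
    return db

def can_access(db, user_uuid, vm_id):
    """Account-level check: any user of the owning account may access the VM."""
    row = db.execute(
        "SELECT 1 FROM vm_instance v JOIN users u ON u.account_id = v.account_id "
        "WHERE u.uuid = ? AND v.id = ?", (user_uuid, vm_id)).fetchone()
    return row is not None

def vms_created_by(db, user_uuid):
    """Sysadmin listing by creator; it says nothing about who may access."""
    return [r[0] for r in db.execute(
        "SELECT id FROM vm_instance WHERE user_id = ? ORDER BY id", (user_uuid,))]

def inconsistent_rows(db):
    """VMs whose creator's account differs from the stored owner account."""
    return [r[0] for r in db.execute(
        "SELECT v.id FROM vm_instance v JOIN users u ON u.uuid = v.user_id "
        "WHERE u.account_id <> v.account_id ORDER BY v.id")]
```

Because `account_id` and `domain_id` stay on the row next to `user_id`, the two can drift apart; a periodic query like `inconsistent_rows` is one way to notice that before the creator column is relied on for audit.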