Do you think this info is sufficient, Rohit?

On Friday, November 14, 2014, Nitin Mehta <nitin.me...@citrix.com> wrote:
> Mike - we already do that in the action events (event table) ? We log the
> user_id as well and so we always would know the user responsible for an
> action
> One thing better we can do there is have a resource_id column in the table
> since the resource_id is currently embedded in the description at the
> moment.
> So instead of adding user_id for each resource we should do the change in
> the event table. Since all we want is a log of the actions.
>
> Thanks,
> -Nitin
>
> On 14/11/14 11:19 AM, "Mike Tutkowski" <mike.tutkow...@solidfire.com> wrote:
>
> >Yeah, I think the idea is not to change ownership of the resource but to be
> >better able to 'assign blame' for action x or y.
> >
> >On Fri, Nov 14, 2014 at 12:17 PM, Prachi Damle <prachi.da...@citrix.com> wrote:
> >
> >> Rohit,
> >>
> >> Just one note on:
> >> >>>Min, you’re right I don’t propose to change the IAM model just some
> >> additional data that notes who *actually* owns the resource (VM, volume,
> >> etc.) in an account which can be useful for sysadmins to list resource by
> >> userid etc.
> >>
> >> Adding 'user_id' column but not changing IAM model should be a small
> >> change and not causing any IAM side effects.
> >>
> >> But, it still won't really mean that that 'userid' 'owns' the resource.
> >> The ownership will still stay with the account - and so all other users in
> >> that account will still be able to access that resource, as per CS IAM.
> >> The userid will just provide an insight on which user in the account
> >> created the resource.
> >>
> >> Thanks,
> >> Prachi
> >>
> >> -----Original Message-----
> >> From: Rohit Yadav [mailto:rohit.ya...@shapeblue.com]
> >> Sent: Friday, November 14, 2014 11:04 AM
> >> To: dev@cloudstack.apache.org
> >> Subject: Re: [DISCUSS] Major business logic refactoring: Move from Account
> >> to UserAccount
> >>
> >> Min, you’re right I don’t propose to change the IAM model just some
> >> additional data that notes who *actually* owns the resource (VM, volume,
> >> etc.) in an account which can be useful for sysadmins to list resource by
> >> userid etc.
> >>
> >> I can understand the hesitation and the side effects such a refactoring
> >> can produce, so I think the best would be to add user_id (uuid) columns and
> >> change only the API/query layer.
> >>
> >> Mike: I don’t propose to use user name but uuids so they are unique. My
> >> concern was adding user_id column to say vm_instance table denormalizes
> >> data as that table already has domain_id and account_id in it and as Rajani
> >> suggested earlier those two are not needed as using user_id one can find
> >> account_id and domain_id. I guess, the easiest way would be to just add an
> >> additional user_id column.
> >>
> >> Cheers.
> >>
> >> > On 15-Nov-2014, at 12:14 am, Min Chen <min.c...@citrix.com> wrote:
> >> >
> >> > Rohit, If I understood you correctly, the user_id column is only used
> >> > for listing resources to indicate which user is the real owner/creator
> >> > of the resource, but you don't want to change CloudStack account-level
> >> > permission model to user-level permission model, right? If so, the
> >> > change will be smaller, maybe some Response classes, which should not
> >> > involve too many business layer change. I will hesitate to really
> >> > change CloudStack IAM model though.
> >> >
> >> > Thanks
> >> > -min
> >> >
> >> > On 11/14/14 10:35 AM, "Rohit Yadav" <rohit.ya...@shapeblue.com> wrote:
> >> >
> >> >> Hi Min,
> >> >>
> >> >> Good to know. What do you propose we do moving forward. Do a
> >> >> refactoring run to fix it or leave it as it is and perhaps add
> >> >> user_id columns to few resources that are more useful for sysadmins
> >> >> such as vm_instance table.
> >> >>
> >> >>> On 14-Nov-2014, at 11:49 pm, Min Chen <min.c...@citrix.com> wrote:
> >> >>>
> >> >>> Rohit,
> >> >>>
> >> >>> I think that the historic reason for this is that CloudStack is only
> >> >>> doing IAM access permission check on account level, user is only
> >> >>> login authentication purpose. That is why we will see that all our
> >> >>> CloudStack resource owner field is an account, since that is the
> >> >>> only information used for controlling whether you have some
> >> >>> permissions to the resource.
> >> >>> Thanks
> >> >>> -min
> >> >>>
> >> >>> On 11/14/14 12:53 AM, "Rohit Yadav" <rohit.ya...@shapeblue.com> wrote:
> >> >>>
> >> >>>> Hi,
> >> >>>>
> >> >>>> All CloudStack DB entities (VM, storage, network etc.) have an
> >> >>>> owner field which is mostly the account. An account can have
> >> >>>> multiple users so just by looking at the resource (say VM) it's not
> >> >>>> possible to make out which user in the account (owner or account_id
> >> >>>> field in the db row of the entity) created it. CloudStack users may
> >> >>>> want to know this information for at least entities such as VMs and
> >> >>>> Volumes.
> >> >>>>
> >> >>>> Historically, why is the account owner of an entity and not a user?
> >> >>>> If user were the owner, we could easily get the account Id using
> >> >>>> the user Id.
> >> >>>>
> >> >>>> One solution to fix this problem is to refactor and replace Account
> >> >>>> (interface) usage with UserAccount (interface) usage, fix the DAO
> >> >>>> and resource layer, and add columns in the schema. This gets us all
> >> >>>> the information we need to determine domainId, AccountId and Id
> >> >>>> (the user ID). Should we do it for all entities or just keep status
> >> >>>> quo (use account as owners), or just fix it on-demand basis for
> >> >>>> specific entities such as for user VMs [1].
> >> >>>>
> >> >>>> [1] https://issues.apache.org/jira/browse/CLOUDSTACK-7908
> >> >>>>
> >> >>>> Regards,
> >> >>>> Rohit Yadav
> >> >>>> Software Architect, ShapeBlue
> >> >>>> M. +91 88 262 30892 | rohit.ya...@shapeblue.com
> >> >>>> Blog: bhaisaab.org | Twitter: @_bhaisaab
> >> >>>>
> >> >>>> Find out more about ShapeBlue and our range of CloudStack related
> >> >>>> services
> >> >>>>
> >> >>>> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> >> >>>> CSForge rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> >> >>>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> >> >>>> CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/>
> >> >>>> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> >> >>>> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
> >> >>>>
> >> >>>> This email and any attachments to it may be confidential and are
> >> >>>> intended solely for the use of the individual to whom it is
> >> >>>> addressed. Any views or opinions expressed are solely those of the
> >> >>>> author and do not necessarily represent those of Shape Blue Ltd or
> >> >>>> related companies.
> >> >>>> If you are not the intended recipient of this
> >> >>>> email, you must neither take any action based upon its contents,
> >> >>>> nor copy or show it to anyone. Please contact the sender if you
> >> >>>> believe you have received this email in error.
> >> >>>> Shape Blue Ltd is a company incorporated in England & Wales.
> >> >>>> ShapeBlue Services India LLP is a company incorporated in India and
> >> >>>> is operated under license from Shape Blue Ltd. Shape Blue Brasil
> >> >>>> Consultoria Ltda is a company incorporated in Brasil and is
> >> >>>> operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is
> >> >>>> a company registered by The Republic of South Africa and is traded
> >> >>>> under license from Shape Blue Ltd. ShapeBlue is a registered
> >> >>>> trademark.
> >> >>>
> >> >>
> >> >> Regards,
> >> >> Rohit Yadav
> >> >
> >>
> >> Regards,
> >> Rohit Yadav
> >>
> >
> >--
> >*Mike Tutkowski*
> >*Senior CloudStack Developer, SolidFire Inc.*
> >e: mike.tutkow...@solidfire.com
> >o: 303.746.7302
> >Advancing the way the world uses the cloud
> ><http://solidfire.com/solution/overview/?video=play>*™*

--
*Mike Tutkowski*
*Senior CloudStack Developer, SolidFire Inc.*
e: mike.tutkow...@solidfire.com
o: 303.746.7302
Advancing the way the world uses the cloud
<http://solidfire.com/solution/overview/?video=play>*™*
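
Added example, not part of the thread and not CloudStack code: a sketch of the suggestion above to give the event table a resource_id column instead of leaving the id embedded in the description. The schema, the description wording and all ids are constructed assumptions; it shows that searching the free-text description can attribute an action to the wrong user, while access checks stay at account level as described in the thread.

```python
import sqlite3

# Constructed, simplified schema: an assumption, NOT CloudStack's real tables.
SCHEMA = """
CREATE TABLE vm_instance (id INTEGER PRIMARY KEY, account_id INTEGER);
CREATE TABLE event (
    id INTEGER PRIMARY KEY,
    type TEXT, user_id INTEGER, account_id INTEGER,
    resource_id INTEGER,   -- the column proposed in the thread
    description TEXT       -- where the resource id is embedded today
);
"""

# Constructed sample rows: users 7 and 8 both belong to account 2.
EVENTS = [
    ("VM.CREATE", 7, 2, 12, "Successfully created VM with id 12"),
    ("VM.CREATE", 8, 2, 123, "Successfully created VM with id 123"),
    ("VM.STOP", 8, 2, 12, "Stopping VM with id 12"),
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO vm_instance VALUES (?, 2)", [(12,), (123,)])
    db.executemany(
        "INSERT INTO event (type, user_id, account_id, resource_id, description)"
        " VALUES (?, ?, ?, ?, ?)", EVENTS)
    return db

def creator_by_description(db, vm_id):
    """Id embedded in free text: a substring search also hits VM 123."""
    rows = db.execute(
        "SELECT user_id FROM event WHERE type = 'VM.CREATE'"
        " AND description LIKE ?", (f"%id {vm_id}%",)).fetchall()
    return sorted(r[0] for r in rows)

def creator_by_resource_id(db, vm_id):
    """Dedicated resource_id column: exact match, one accountable user."""
    rows = db.execute(
        "SELECT user_id FROM event WHERE type = 'VM.CREATE'"
        " AND resource_id = ?", (vm_id,)).fetchall()
    return sorted(r[0] for r in rows)

def account_can_access(db, account_id, vm_id):
    """Access stays account-level: every user of the owning account passes."""
    row = db.execute("SELECT account_id FROM vm_instance WHERE id = ?",
                     (vm_id,)).fetchone()
    return row is not None and row[0] == account_id
```
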