Hi Ruben,

Thanks for the message. (It's still confusing to me though.)

Let me see if I understand this right. In the "Merge Use Case" section of
http://docs.opennebula.org/4.4/user/virtual_resource_management/vm_guide.html
suppose there is VM_RESTRICTED_ATTR="CPU" in oned.conf. This only prevents non-oneadmin-group users from using the --cpu option to the onetemplate instantiate command, but it (VM_RESTRICTED_ATTR="CPU" in oned.conf) does NOT prevent users from using the CPU attribute in their VM templates. Is this right?

In ON3.2, src/vm/VirtualMachineTemplate.cc has the following code [A] =

    const string VirtualMachineTemplate::RESTRICTED_ATTRIBUTES[] = {
        "CONTEXT/FILES",
        "DISK/SOURCE",
        "NIC/MAC",
        "NIC/VLAN_ID",
        "RANK"
    };

We know that this prevents non-oneadmin-users from using, for example, the CONTEXT/FILES attribute in their template, so we had to modify the above to comment out CONTEXT/FILES and RANK. But it looks like this array is gone now but the new entries in oned.conf (VM_RESTRICTED_ATTR) have NOT inherited the functionality.

So, in summary, looks like there is restriction that prevents normal users from using those attributes [A] in their templates. Do I understand right?

Thanks again,
Hyunwoo
FermiCloud

From: "Ruben S. Montero" <rsmont...@opennebula.org>
Date: Wednesday, April 16, 2014 9:37 AM
To: Carlos Martín Sánchez <cmar...@opennebula.org>
Cc: Hyunwoo Kim <hyun...@fnal.gov>, users <users@lists.opennebula.org>
Subject: Re: [one-users] restricted_attr in oned.conf of ON44

Hi Hyun

We've taken a look into it and it seems to be working. A couple of notes:

1.- VM Template is checked for restricted attributes if the owner is not oneadmin (or in oneadmin group). The rationale behind it is that oneadmin can prepare templates with "unsafe" attributes but let the user instantiate them (but not set or modify the attributes). We'll make it clearer in the doc.

2. Disk snapshot operation may use the SOURCE attribute but internally, the user cannot modify or set the SOURCE attribute.

Hope it makes it clearer.

Cheers

Ruben

On Wed, Apr 16, 2014 at 3:22 PM, Carlos Martín Sánchez <cmar...@opennebula.org> wrote:

Hi,

There is not much to it, it should be working as you describe. We'll try to reproduce it and fix it for 4.6 if it's broken.

http://dev.opennebula.org/issues/2838

Regards.
--
Carlos Martín, MSc
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula

On Tue, Apr 15, 2014 at 5:50 PM, Hyun Woo Kim <hyun...@fnal.gov> wrote:

Hello,

http://docs.opennebula.org/4.4/administration/references/oned_conf.html#oned-conf-restricted-attributes-configuration
says we can use {VM,IMAGE}_RESTRICTED_ATTR to restrict users outside the oneadmin group, but I experiment as a user whose group is users, not oneadmin, to launch a VM from a vm.template with CONTEXT/FILES and onevm disk-snapshot command which must use SOURCE attribute, both work, i.e. restricted_attr do not seem to work.

Am I missing something?

Thanks,
Hyunwoo KIM
FermiCloud

_______________________________________________
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org

--
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | rsmont...@opennebula.org | @OpenNebula
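A simplified model of the check Ruben describes in the thread, added here as an example; it is not OpenNebula's code and not part of any message above. `Attr`, `Template`, `restricted_hits`, `instantiate_allowed` and `sample_template` are hypothetical names, and the restricted list is the ON 3.2 array quoted in the thread.

```cpp
#include <map>
#include <string>
#include <vector>

// Simplified model (assumption): a vector attribute carries sub-attributes.
struct Attr { std::string name; std::map<std::string, std::string> sub; };
typedef std::vector<Attr> Template;

// The list quoted in the thread from ON 3.2 src/vm/VirtualMachineTemplate.cc.
static const std::vector<std::string> RESTRICTED = {
    "CONTEXT/FILES", "DISK/SOURCE", "NIC/MAC", "NIC/VLAN_ID", "RANK"};

// Restricted paths present in tmpl; "NAME/SUB" matches any NAME vector with SUB.
std::vector<std::string> restricted_hits(const Template& tmpl) {
    std::vector<std::string> hits;
    for (const std::string& path : RESTRICTED) {
        const std::string::size_type slash = path.find('/');
        const std::string name = path.substr(0, slash);
        const bool has_sub = slash != std::string::npos;
        for (const Attr& a : tmpl) {
            if (a.name == name && (!has_sub || a.sub.count(path.substr(slash + 1)))) {
                hits.push_back(path);
                break;
            }
        }
    }
    return hits;
}

// Model of the rule in Ruben's reply: a stored template is checked unless its
// owner is in the oneadmin group; attributes added at instantiate follow the user.
bool instantiate_allowed(const Template& stored, bool owner_is_admin,
                         const Template& extra, bool user_is_admin) {
    if (!owner_is_admin && !restricted_hits(stored).empty()) return false;
    return user_is_admin || restricted_hits(extra).empty();
}

// Constructed sample: two DISKs (the second sets SOURCE) and CONTEXT with FILES.
Template sample_template() {
    Template t(3);
    t[0].name = "DISK";    t[0].sub["IMAGE"] = "base";
    t[1].name = "DISK";    t[1].sub["SOURCE"] = "/constructed/disk.img";
    t[2].name = "CONTEXT"; t[2].sub["FILES"] = "/constructed/init.sh";
    return t;
}

int main() {  // exit status 0: a user may instantiate an admin-owned template
    return instantiate_allowed(sample_template(), true, Template(), false) ? 0 : 1;
}
```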