On Wed, Apr 16, 2014 at 5:15 PM, Hyun Woo Kim <[email protected]> wrote:
> Hi Ruben,
>
> Thanks for the message. (It's still confusing to me though.)
>
> Let me see if I understand this right.
>
> In "Merge Use Case" section of
> http://docs.opennebula.org/4.4/user/virtual_resource_management/vm_guide.html
>
> suppose there is VM_RESTRICTED_ATTR="CPU" in oned.conf.
> This only prevents non-oneadmin-group users from
> using --cpu option to onetemplate instantiate command
> but it (VM_RESTRICTED_ATTR="CPU" in oned.conf) does NOT prevent users from
> using
> CPU attribute in their VM templates. Is this right?
>

Right (although they won't be able to instantiate them)

>
> In ON3.2, src/vm/VirtualMachineTemplate.cc has the following code
> [A] =
> const string VirtualMachineTemplate::RESTRICTED_ATTRIBUTES[] = {
> "CONTEXT/FILES",
> "DISK/SOURCE",
> "NIC/MAC",
> "NIC/VLAN_ID",
> "RANK"
> };
>
> We know that this prevents non-oneadmin-users from using for example
> CONTEXT/FILES attribute in their template
> so we had to modify the above to comment out CONTEXT/FILES and RANK.
>
> But it looks like this array is gone now but the new entries in oned.conf
> (VM_RESTRICTED_ATTR) has NOT inherited the functionality.
>

You are right, we've restructured the code, and probably moved the checks to
onetemplate instantiate / onevm create.

> So, in summary, looks like there is restriction that prevents normal
> users from using
> those attributes [A] in their templates.
>
> Do I understand right?
>

In summary, template checks for restricted attributes are made:

1.- on VM template instantiate (onetemplate instantiate)
2.- on VM create (onevm create)
3.- on VM attach nic (onevm attachnic) (for example to not allow users to use NIC/MAC)

Hope it is clearer now,

Cheers

Ruben

>
> Thanks again,
> Hyunwoo
> FermiCloud
>
>
> From: "Ruben S. Montero" <[email protected]>
> Date: Wednesday, April 16, 2014 9:37 AM
> To: Carlos Martín Sánchez <[email protected]>
> Cc: Hyunwoo Kim <[email protected]>, users <[email protected]>
> Subject: Re: [one-users] restricted_attr in oned.conf of ON44
>
> Hi Hyun
>
> We've taken a look into it and it seems to be working. A couple of notes:
>
> 1.- VM Template is checked for restricted attributes if the owner is not
> oneadmin (or in oneadmin group). The rationale behind it is that oneadmin
> can prepare templates with "unsafe" attributes but let the user instantiate
> them (but not set or modify the attributes). We'll make it clearer in the
> doc.
>
> 2. Disk snapshot operation may use the SOURCE attribute but internally,
> the user cannot modify or set the SOURCE attribute.
>
> Hope it makes it clearer.
>
> Cheers
>
> Ruben
>
>
> On Wed, Apr 16, 2014 at 3:22 PM, Carlos Martín Sánchez <
> [email protected]> wrote:
>
>> Hi,
>>
>> There is not much to it, it should be working as you describe. We'll
>> try to reproduce it and fix it for 4.6 if it's broken.
>> http://dev.opennebula.org/issues/2838
>>
>> Regards.
>>
>> --
>> Carlos Martín, MSc
>> Project Engineer
>> OpenNebula - Flexible Enterprise Cloud Made Simple
>> www.OpenNebula.org | [email protected] |
>> @OpenNebula<http://twitter.com/opennebula><[email protected]>
>>
>>
>> On Tue, Apr 15, 2014 at 5:50 PM, Hyun Woo Kim <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> http://docs.opennebula.org/4.4/administration/references/oned_conf.html#oned-conf-restricted-attributes-configuration
>>> says we can use {VM,IMAGE}_RESTRICTED_ATTR
>>> to restrict users outside the oneadmin group
>>>
>>> but I experiment as a user whose group is users, not oneadmin
>>> to launch a VM from a vm.template with CONTEXT/FILES
>>> and onevm disk-snapshot command which must use SOURCE attribute,
>>> both work, i.e. restricted_attr do not seem to work..
>>>
>>> Am I missing something?
>>>
>>> Thanks,
>>> Hyunwoo KIM
>>> FermiCloud
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>
> --
> Ruben S. Montero, PhD
> Project co-Lead and Chief Architect
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org | [email protected] | @OpenNebula
>

--
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | [email protected] | @OpenNebula
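
The check points described in this thread, sketched as an added Python model (an illustration added here, not OpenNebula code and not written by any poster): restricted attributes are enforced on instantiate, create and attach-nic, not when a template is saved, and a oneadmin-owned template may carry them. The dict shape used for templates, the function names and the oned.conf excerpt are assumptions constructed for this example.

```python
import re

# Constructed oned.conf excerpt; attribute names are the ones quoted in the thread.
ONED_CONF = '''
VM_RESTRICTED_ATTR = "CONTEXT/FILES"
VM_RESTRICTED_ATTR = "DISK/SOURCE"
VM_RESTRICTED_ATTR = "NIC/MAC"
VM_RESTRICTED_ATTR="CPU"
# VM_RESTRICTED_ATTR = "RANK"
'''

# Operations the thread says perform the restricted-attribute check.
CHECKED_OPS = {"onetemplate instantiate", "onevm create", "onevm attachnic"}


def restricted_attrs(conf_text):
    """Return VM_RESTRICTED_ATTR values from oned.conf text, ignoring commented lines."""
    pattern = re.compile(r'^[ \t]*VM_RESTRICTED_ATTR[ \t]*=[ \t]*"([^"]+)"', re.M)
    return pattern.findall(conf_text)


def find_restricted(template, restricted):
    """List restricted paths present in a template given as a dict (hypothetical shape:
    a vector attribute such as NIC is a dict, or a list of dicts when repeated)."""
    hits = []
    for path in restricted:
        name, _, sub = path.partition("/")
        if name not in template:
            continue
        values = template[name] if isinstance(template[name], list) else [template[name]]
        if not sub or any(isinstance(v, dict) and sub in v for v in values):
            hits.append(path)
    return hits


def denied_attrs(op, user_groups, owner_groups, stored, supplied, restricted):
    """Model of the thread's rules; returns the paths that would block the request.
    stored: saved template (or {}); supplied: attributes the caller adds in this request."""
    if op not in CHECKED_OPS or "oneadmin" in user_groups:
        return []  # saving a template is not checked; the oneadmin group is exempt
    denied = find_restricted(supplied, restricted)
    if "oneadmin" not in owner_groups:  # oneadmin-owned templates may carry "unsafe" attrs
        denied += [p for p in find_restricted(stored, restricted) if p not in denied]
    return denied
```

Running `find_restricted` over saved templates owned by non-oneadmin users shows which ones will be refused at instantiate time even though they were accepted when saved.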
