Posted to dev@cloudstack.apache.org by Ryan Lei <ry...@gmail.com> on 2013/05/20 05:08:23 UTC

Re: [Discuss] - Domain admin not having the flexibility to create sub-domains/sub-child domains/accounts

Dear all,

I have recently been trying out the functionality of CloudStack 4.0.2, and
encountered the exact same problem:

A domain admin has NOT MUCH MORE POWER than a regular user. They cannot
create the user accounts or sub-domain under their domain. Nor can they
"manage" such accounts by disabling/deleting/resource limiting them. A
domain admin does have the power of fully-accessing the "resources"
(instances, volumes, security groups, etc.) of the whole domain, and
nothing else.

In my understanding, currently a domain admin's privilege is just the UNION
of all the USER'S privileges under the same domain, but without any ADMIN
POWER. This is inconsistent with the documentation, Internet articles, or
common sense. And will be a major issue in a real production environment!
Most of the admin jobs still require the power of "root" admin.

I searched JIRA, but only found this related issue: CLOUDSTACK-1915: Domain
Administrator's Guide.
https://issues.apache.org/jira/browse/CLOUDSTACK-1915



On Tue, Apr 23, 2013 at 2:05 AM, Alena Prokharchyk <
Alena.Prokharchyk@citrix.com> wrote:

> On 4/22/13 10:47 AM, "Chip Childers" <ch...@sungard.com> wrote:
>
> >On Mon, Apr 22, 2013 at 11:22:16AM +0000, Pranav Saxena wrote:
> >> Hi,
> >>
> >> Currently only the ROOT-admin has the power to create any
> >>domains/sub-domains/sub-child domains for himself or the domain-admin.
> >>But there are certain situations (like updating resource limit for a
> >>sub-child domain under a domain admin) for which the ROOT-admin has to
> >>create a sub-child domain for a domain admin to allow him to update the
> >>resource limits for that particular sub-child domain.
> >>
> >> With this in mind, why hasn't the domain-admin been given the
> >>privilege of creating sub-child domains himself? Are there any
> >>concerns/threats because of which the current architecture doesn't serve
> >>this purpose?
> >>
> >> Also, a domain-admin cannot create an account on his own using an API
> >>as well (UI can be overlooked for now). He has to go through the
> >>ROOT-admin to have this functionality enabled. So doesn't that conclude
> >>that domain-admin is almost a USELESS guy with *No powers*. To be able
> >>to navigate from step 1 -> step 2, you have to go through step 3
> >>which seems to be unconvincing at times.
> >>
> >> Could someone explain about why such a functionality is not supported
> >>in the current architecture? Please let me know in case I am missing
> >>something here.
> >>
> >> Thanks,
> >> Pranav
> >
> >This never made much sense to me.
> >
>
>
> I remember seeing a feature request for this functionality somewhere on CS
> Jira, you might try to locate it and check the status/targeted release.
>
>

RE: [Discuss] - Domain admin not having the flexibility to create sub-domains/sub-child domains/accounts

Posted by Pranav Saxena <pr...@citrix.com>.
I had raised this concern some time back and I believe this might be taken up for some future Apache CloudStack release (maybe 4.2 or later). If you are willing to take this up, please go ahead :).
