You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cloudstack.apache.org by Chris Sciarrino <ch...@gmail.com> on 2013/10/07 18:37:48 UTC
Prevent users from deploying instances
Hi,
Is it possible to prevent users from deploying their own instances but
still have access to cloudstack for creating snapshots and powering on/off
etc? Their instances would be assigned from an admin account. I see the
option on the user account for instance limits, but setting that to 0
prevents me from assigning VMs. Just wondering if there is another way to
do it on CS 4.2.
Thanks
Re: Prevent users from deploying instances
Posted by Chris Sciarrino <ch...@gmail.com>.
Hi Nitin,
That is correct they would be created as admin/domain admin and then
assigned to the end user account using assignVirtualMachine api which
Jessica looks like she is adding the functionality to the UI in 4.2.1
(CLOUDSTACK-4796).
In order for this use case to be functional through the UI the admin
would also have to be able to create a network on the destination
account (CLOUDSTACK-4831) so that they could assign the virtual
machine and then create the necessary port forwarding rules for the
user in order to allow access via vnc, rdp etc. As well as specify the
correct IP address for the instance during its deployment as the
template may have been built using a hardcoded IP in its network
configuration (CLOUDSTACK-4818).
Thanks,
Chris
On Tue, Oct 8, 2013 at 1:25 PM, Nitin Mehta <Ni...@citrix.com> wrote:
> Chris - Thanks for putting in the use case.
> As you said suggestion 1 fits in fine for your use case.
> One clarification though - would you be creating the vms as an admin and
> then using assignVirtualMachine to assign the vms to the end user ?
> This is preferable for vm usage calculations.
>
> Thanks,
> -Nitin
>
> On 07/10/13 8:01 PM, "Chris Sciarrino" <ch...@gmail.com> wrote:
>
>>Hi Nitin,
>>
>>For our use case we would be looking at having a separate "deployment
>>portal" which would get the user to provide the necessary information
>>for deploying their instance i.e template, ram, cpu etc and would
>>create a work order for the administrators to do the deployment. When
>>the instance is created, the administrator would assign it to the
>>users account in cloudstack so that they can still power on, view the
>>console take snapshots etc.
>>
>>I am trying to prevent regular users from going in and deploying
>>instances through cloudstack, these should come in as requests through
>>the portal. Only Root admin or domain admin accounts should be able to
>>deploy virtual machines.
>>
>>Let me know if you need any clarification on the use case.
>>
>>I believe the first suggestion you made will fix the issue. I can set
>>the permissions to to root and domain admins which should suffice.
>>
>>Thanks
>>
>>Chris
>>
>>On Mon, Oct 7, 2013 at 1:55 PM, Nitin Mehta <Ni...@citrix.com>
>>wrote:
>>> You can change the deployVirtualMachine Api attributes to ROOT admin
>>> only(currently allowed to all). You can change that in
>>> commands.properties.in
>>>
>>> There is something else as well which you can leverage and see if it
>>>fits
>>> your use case.
>>> In current code base, admin can create vm instances using the flag -
>>> displayvm=false on behalf of the users.
>>> This flag will hide these resources to the end users. The ROOT volume
>>>can
>>> be made visible through the display volume flag and the end user can
>>> create snapshots on them.
>>>
>>> It would be great to if you can write down your use case and its use.
>>>
>>> Let me know if any of the solution fits for you.
>>>
>>> Thanks,
>>> -Nitin
>>>
>>> On 07/10/13 9:37 AM, "Chris Sciarrino" <ch...@gmail.com>
>>>wrote:
>>>
>>>>Hi,
>>>>
>>>>Is it possible to prevent users from deploying their own instances but
>>>>still have access to cloudstack for creating snapshots and powering
>>>>on/off
>>>>etc? Their instances would be assigned from an admin account. I see the
>>>>option on the user account for instance limits, but setting that to 0
>>>>prevents me from assigning VMs. Just wondering if there is another way
>>>>to
>>>>do it on CS 4.2.
>>>>
>>>>Thanks
>>>
>
Re: Prevent users from deploying instances
Posted by Koushik Das <ko...@citrix.com>.
There was some discussion about a new RBAC framework sometimes back. It should have some provision to address the below use case.
On 08-Oct-2013, at 10:55 PM, Nitin Mehta <Ni...@citrix.com> wrote:
> Chris - Thanks for putting in the use case.
> As you said suggestion 1 fits in fine for your use case.
> One clarification though - would you be creating the vms as an admin and
> then using assignVirtualMachine to assign the vms to the end user ?
> This is preferable for vm usage calculations.
>
> Thanks,
> -Nitin
>
> On 07/10/13 8:01 PM, "Chris Sciarrino" <ch...@gmail.com> wrote:
>
>> Hi Nitin,
>>
>> For our use case we would be looking at having a separate "deployment
>> portal" which would get the user to provide the necessary information
>> for deploying their instance i.e template, ram, cpu etc and would
>> create a work order for the administrators to do the deployment. When
>> the instance is created, the administrator would assign it to the
>> users account in cloudstack so that they can still power on, view the
>> console take snapshots etc.
>>
>> I am trying to prevent regular users from going in and deploying
>> instances through cloudstack, these should come in as requests through
>> the portal. Only Root admin or domain admin accounts should be able to
>> deploy virtual machines.
>>
>> Let me know if you need any clarification on the use case.
>>
>> I believe the first suggestion you made will fix the issue. I can set
>> the permissions to to root and domain admins which should suffice.
>>
>> Thanks
>>
>> Chris
>>
>> On Mon, Oct 7, 2013 at 1:55 PM, Nitin Mehta <Ni...@citrix.com>
>> wrote:
>>> You can change the deployVirtualMachine Api attributes to ROOT admin
>>> only(currently allowed to all). You can change that in
>>> commands.properties.in
>>>
>>> There is something else as well which you can leverage and see if it
>>> fits
>>> your use case.
>>> In current code base, admin can create vm instances using the flag -
>>> displayvm=false on behalf of the users.
>>> This flag will hide these resources to the end users. The ROOT volume
>>> can
>>> be made visible through the display volume flag and the end user can
>>> create snapshots on them.
>>>
>>> It would be great to if you can write down your use case and its use.
>>>
>>> Let me know if any of the solution fits for you.
>>>
>>> Thanks,
>>> -Nitin
>>>
>>> On 07/10/13 9:37 AM, "Chris Sciarrino" <ch...@gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Is it possible to prevent users from deploying their own instances but
>>>> still have access to cloudstack for creating snapshots and powering
>>>> on/off
>>>> etc? Their instances would be assigned from an admin account. I see the
>>>> option on the user account for instance limits, but setting that to 0
>>>> prevents me from assigning VMs. Just wondering if there is another way
>>>> to
>>>> do it on CS 4.2.
>>>>
>>>> Thanks
>>>
>
Re: Prevent users from deploying instances
Posted by Nitin Mehta <Ni...@citrix.com>.
Chris - Thanks for putting in the use case.
As you said suggestion 1 fits in fine for your use case.
One clarification though - would you be creating the vms as an admin and
then using assignVirtualMachine to assign the vms to the end user ?
This is preferable for vm usage calculations.
Thanks,
-Nitin
On 07/10/13 8:01 PM, "Chris Sciarrino" <ch...@gmail.com> wrote:
>Hi Nitin,
>
>For our use case we would be looking at having a separate "deployment
>portal" which would get the user to provide the necessary information
>for deploying their instance i.e template, ram, cpu etc and would
>create a work order for the administrators to do the deployment. When
>the instance is created, the administrator would assign it to the
>users account in cloudstack so that they can still power on, view the
>console take snapshots etc.
>
>I am trying to prevent regular users from going in and deploying
>instances through cloudstack, these should come in as requests through
>the portal. Only Root admin or domain admin accounts should be able to
>deploy virtual machines.
>
>Let me know if you need any clarification on the use case.
>
>I believe the first suggestion you made will fix the issue. I can set
>the permissions to to root and domain admins which should suffice.
>
>Thanks
>
>Chris
>
>On Mon, Oct 7, 2013 at 1:55 PM, Nitin Mehta <Ni...@citrix.com>
>wrote:
>> You can change the deployVirtualMachine Api attributes to ROOT admin
>> only(currently allowed to all). You can change that in
>> commands.properties.in
>>
>> There is something else as well which you can leverage and see if it
>>fits
>> your use case.
>> In current code base, admin can create vm instances using the flag -
>> displayvm=false on behalf of the users.
>> This flag will hide these resources to the end users. The ROOT volume
>>can
>> be made visible through the display volume flag and the end user can
>> create snapshots on them.
>>
>> It would be great to if you can write down your use case and its use.
>>
>> Let me know if any of the solution fits for you.
>>
>> Thanks,
>> -Nitin
>>
>> On 07/10/13 9:37 AM, "Chris Sciarrino" <ch...@gmail.com>
>>wrote:
>>
>>>Hi,
>>>
>>>Is it possible to prevent users from deploying their own instances but
>>>still have access to cloudstack for creating snapshots and powering
>>>on/off
>>>etc? Their instances would be assigned from an admin account. I see the
>>>option on the user account for instance limits, but setting that to 0
>>>prevents me from assigning VMs. Just wondering if there is another way
>>>to
>>>do it on CS 4.2.
>>>
>>>Thanks
>>
Re: Prevent users from deploying instances
Posted by Chris Sciarrino <ch...@gmail.com>.
Hi Nitin,
For our use case we would be looking at having a separate "deployment
portal" which would get the user to provide the necessary information
for deploying their instance i.e template, ram, cpu etc and would
create a work order for the administrators to do the deployment. When
the instance is created, the administrator would assign it to the
users account in cloudstack so that they can still power on, view the
console take snapshots etc.
I am trying to prevent regular users from going in and deploying
instances through cloudstack, these should come in as requests through
the portal. Only Root admin or domain admin accounts should be able to
deploy virtual machines.
Let me know if you need any clarification on the use case.
I believe the first suggestion you made will fix the issue. I can set
the permissions to to root and domain admins which should suffice.
Thanks
Chris
On Mon, Oct 7, 2013 at 1:55 PM, Nitin Mehta <Ni...@citrix.com> wrote:
> You can change the deployVirtualMachine Api attributes to ROOT admin
> only(currently allowed to all). You can change that in
> commands.properties.in
>
> There is something else as well which you can leverage and see if it fits
> your use case.
> In current code base, admin can create vm instances using the flag -
> displayvm=false on behalf of the users.
> This flag will hide these resources to the end users. The ROOT volume can
> be made visible through the display volume flag and the end user can
> create snapshots on them.
>
> It would be great to if you can write down your use case and its use.
>
> Let me know if any of the solution fits for you.
>
> Thanks,
> -Nitin
>
> On 07/10/13 9:37 AM, "Chris Sciarrino" <ch...@gmail.com> wrote:
>
>>Hi,
>>
>>Is it possible to prevent users from deploying their own instances but
>>still have access to cloudstack for creating snapshots and powering on/off
>>etc? Their instances would be assigned from an admin account. I see the
>>option on the user account for instance limits, but setting that to 0
>>prevents me from assigning VMs. Just wondering if there is another way to
>>do it on CS 4.2.
>>
>>Thanks
>
Re: Prevent users from deploying instances
Posted by Nitin Mehta <Ni...@citrix.com>.
You can change the deployVirtualMachine Api attributes to ROOT admin
only(currently allowed to all). You can change that in
commands.properties.in
There is something else as well which you can leverage and see if it fits
your use case.
In current code base, admin can create vm instances using the flag -
displayvm=false on behalf of the users.
This flag will hide these resources to the end users. The ROOT volume can
be made visible through the display volume flag and the end user can
create snapshots on them.
It would be great to if you can write down your use case and its use.
Let me know if any of the solution fits for you.
Thanks,
-Nitin
On 07/10/13 9:37 AM, "Chris Sciarrino" <ch...@gmail.com> wrote:
>Hi,
>
>Is it possible to prevent users from deploying their own instances but
>still have access to cloudstack for creating snapshots and powering on/off
>etc? Their instances would be assigned from an admin account. I see the
>option on the user account for instance limits, but setting that to 0
>prevents me from assigning VMs. Just wondering if there is another way to
>do it on CS 4.2.
>
>Thanks