Posted to dev@cloudstack.apache.org by Olga Smola <ol...@gmail.com> on 2012/06/15 10:01:56 UTC

Construct / change role permissions

Hi,

I would like to discuss CloudStack roles capabilities. As far as I
understand, there are 3 distinct roles and there is no possibility to
change any role permissions. Sometimes it's not so comfortable for
situation when it is needed to allow some action from one role to another
one. For example, if you would like to allow USER new action "Add account",
you can't. Because there is no API command for USER. What about new roles?
Have you got any ideas how to extend the CloudStack mechanism of roles
creation? It will be more convenient if there is something that allows one to
create custom roles with needed permissions. For example, give basic role
ADMIN or USER and then create new role based on it, change
permissions (remove, add). Something like Role's constructor.
Also I would like to know if somebody else needs similar extension?

Feel free to write any ideas.

Thanks a lot,
Olga

RE: Construct / change role permissions

Posted by Deepti Dohare <de...@citrix.com>.
I have added a patch (https://reviews.apache.org/r/5573/diff/#index_header) for CS-15300. It enables a domain admin account to respect the limits.

This bug also states that domain admin shouldn't have the right to create infinite resources. In this case what should be the maximum limit of the resources, a domain admin account can have?

Thanks
Deepti 
-----Original Message-----
From: Kelven Yang [mailto:kelven.yang@citrix.com] 
Sent: Saturday, June 16, 2012 2:49 AM
To: cloudstack-users@incubator.apache.org; 'cloudstack-dev@incubator.apache.org'
Subject: RE: Construct / change role permissions

This might be a separate topic, we just happened to have an internal discussion this morning on how we can improve role based access control in CloudStack, here is a link to part of the presentation I did. Any feedback would be very welcome

http://wiki.cloudstack.org/pages/viewpageattachments.action?pageId=1344392&highlight=acl.pptx#Home-attachment-acl.pptx

Kelven


> -----Original Message-----
> From: Clayton Weise [mailto:cweise@iswest.net]
> Sent: Friday, June 15, 2012 10:18 AM
> To: 'cloudstack-users@incubator.apache.org'; 'cloudstack- 
> dev@incubator.apache.org'
> Subject: RE: Construct / change role permissions
> 
> Thanks Alena, it's filed as bug 15300.
> 
> -----Original Message-----
> From: Alena Prokharchyk [mailto:Alena.Prokharchyk@citrix.com]
> Sent: Friday, June 15, 2012 10:10 AM
> To: cloudstack-users@incubator.apache.org; 'cloudstack- 
> dev@incubator.apache.org'
> Subject: Re: Construct / change role permissions
> 
> On 6/15/12 9:49 AM, "Clayton Weise" <cw...@iswest.net> wrote:
> 
> >With regard to the subject of roles.  I've noticed that domain admins 
> >do not have limits enforced.  So if a domain is limited to 10 
> >snapshots, a domain admin can create 11.  And because limits cannot 
> >be imposed, as
> far
> >as we're concerned, this type of user is pretty much useless because 
> >we have no way to control what it can do.  Is this by design?
> 
> 
> It was designed that way from the beginning. But you are right - 
> domain admin should respect the limits as he doesn't own the system, 
> and there should be a way to control his resources.
> Can you please file a CS bug on this regard.
> 
> 
> Thanks,
> -Alena.
> 
> 
> 
> >And if so, why and is there a way it can be changed so that domain
> admins
> >can have limits enforced?
> >
> >Thanks,
> >Clayton
> >
> >>-----Original Message-----
> >>From: Will Chan [mailto:will.chan@citrix.com]
> >>Sent: Friday, June 15, 2012 9:32 AM
> >>To: cloudstack-dev@incubator.apache.org;
> >>cloudstack-users@incubator.apache.org
> >>Subject: RE: Construct / change role permissions
> >>
> >>You are correct that Cloudstack has created essentially three static 
> >>roles today.  The most you can do today is to allow/disallow API 
> >>commands to each role via the commands.properties file.
> >>
> >>It has been something that has been requested many times before, 
> >>however, most production systems that go live on CloudStack 
> >>typically are fronted by some type of "portal."  These portals are 
> >>the ones that decide permissions for each user type.  Essentially, 
> >>it's the user role that require a bit more flexibility as the other 
> >>two roles are pretty standard.
> >>
> >>I do know that Citrix is working on contributing back some 
> >>refactoring work on the domain and user ACL checklist so you might 
> >>want to wait for that first.
> >>
> >>Will
> >>
> >>> -----Original Message-----
> >>> From: Olga Smola [mailto:olya.smola@gmail.com]
> >>> Sent: Friday, June 15, 2012 1:02 AM
> >>> To: cloudstack-dev@incubator.apache.org; cloudstack- 
> >>> users@incubator.apache.org
> >>> Subject: Construct / change role permissions
> >>>
> >>> Hi,
> >>>
> >>> I would like to discuss CloudStack roles capabilities. As far as I 
> >>>understand, there  are 3 distinct roles and there is no possibility 
> >>>to change any role permissions.
> >>> Sometimes it's not so comfortable for situation when it is needed 
> >>>to allow some  action from one role to another one. For example, if 
> >>>you would like
> to
> >>>allow
> >>> USER new action "Add account", you can't. Because there is no API 
> >>>command  for USER. What about new roles?
> >>> Have you got any ideas how to extend the CloudStack mechanism of
> roles
> >>> creation? It will be more convenient if there is something that 
> >>>allow to create  custom roles with needed permissions. For example, 
> >>>give basic role ADMIN or  USER and then create new role based on 
> >>>it, change permissions(remove, add).
> >>> Something like Role's constructor.
> >>> Also I would like to know if somebody else needs similar extension?
> >>>
> >>> Feel free to write any ideas.
> >>>
> >>> Thanks a lot,
> >>> Olga
> >
> 


RE: Construct / change role permissions

Posted by Kelven Yang <ke...@citrix.com>.
This might be a separate topic, we just happened to have an internal discussion this morning on how we can improve role based access control in CloudStack, here is a link to part of the presentation I did. Any feedback would be very welcome

http://wiki.cloudstack.org/pages/viewpageattachments.action?pageId=1344392&highlight=acl.pptx#Home-attachment-acl.pptx

Kelven


> -----Original Message-----
> From: Clayton Weise [mailto:cweise@iswest.net]
> Sent: Friday, June 15, 2012 10:18 AM
> To: 'cloudstack-users@incubator.apache.org'; 'cloudstack-
> dev@incubator.apache.org'
> Subject: RE: Construct / change role permissions
> 
> Thanks Alena, it's filed as bug 15300.
> 
> -----Original Message-----
> From: Alena Prokharchyk [mailto:Alena.Prokharchyk@citrix.com]
> Sent: Friday, June 15, 2012 10:10 AM
> To: cloudstack-users@incubator.apache.org; 'cloudstack-
> dev@incubator.apache.org'
> Subject: Re: Construct / change role permissions
> 
> On 6/15/12 9:49 AM, "Clayton Weise" <cw...@iswest.net> wrote:
> 
> >With regard to the subject of roles.  I've noticed that domain admins do
> >not have limits enforced.  So if a domain is limited to 10 snapshots, a
> >domain admin can create 11.  And because limits cannot be imposed, as
> far
> >as we're concerned, this type of user is pretty much useless because we
> >have no way to control what it can do.  Is this by design?
> 
> 
> It was designed that way from the beginning. But you are right - domain
> admin should respect the limits as he doesn't own the system, and there
> should be a way to control his resources.
> Can you please file a CS bug on this regard.
> 
> 
> Thanks,
> -Alena.
> 
> 
> 
> >And if so, why and is there a way it can be changed so that domain
> admins
> >can have limits enforced?
> >
> >Thanks,
> >Clayton
> >
> >>-----Original Message-----
> >>From: Will Chan [mailto:will.chan@citrix.com]
> >>Sent: Friday, June 15, 2012 9:32 AM
> >>To: cloudstack-dev@incubator.apache.org;
> >>cloudstack-users@incubator.apache.org
> >>Subject: RE: Construct / change role permissions
> >>
> >>You are correct that Cloudstack has created essentially three static
> >>roles today.  The most you can do today is to allow/disallow API
> >>commands to each role via the commands.properties file.
> >>
> >>It has been something that has been requested many times before,
> >>however, most production systems that go live on CloudStack typically
> >>are fronted by some type of "portal."  These portals are the ones that
> >>decide permissions for each user type.  Essentially, it's the user role
> >>that require a bit more flexibility as the other two roles are pretty
> >>standard.
> >>
> >>I do know that Citrix is working on contributing back some refactoring
> >>work on the domain and user ACL checklist so you might want to wait for
> >>that first.
> >>
> >>Will
> >>
> >>> -----Original Message-----
> >>> From: Olga Smola [mailto:olya.smola@gmail.com]
> >>> Sent: Friday, June 15, 2012 1:02 AM
> >>> To: cloudstack-dev@incubator.apache.org; cloudstack-
> >>> users@incubator.apache.org
> >>> Subject: Construct / change role permissions
> >>>
> >>> Hi,
> >>>
> >>> I would like to discuss CloudStack roles capabilities. As far as I
> >>>understand, there
> >>> are 3 distinct roles and there is no possibility to change any role
> >>>permissions.
> >>> Sometimes it's not so comfortable for situation when it is needed to
> >>>allow some
> >>> action from one role to another one. For example, if you would like
> to
> >>>allow
> >>> USER new action "Add account", you can't. Because there is no API
> >>>command
> >>> for USER. What about new roles?
> >>> Have you got any ideas how to extend the CloudStack mechanism of
> roles
> >>> creation? It will be more convenient if there is something that allow
> >>>to create
> >>> custom roles with needed permissions. For example, give basic role
> >>>ADMIN or
> >>> USER and then create new role based on it, change permissions(remove,
> >>>add).
> >>> Something like Role's constructor.
> >>> Also I would like to know if somebody else needs similar extension?
> >>>
> >>> Feel free to write any ideas.
> >>>
> >>> Thanks a lot,
> >>> Olga
> >
> 


RE: Construct / change role permissions

Posted by Clayton Weise <cw...@iswest.net>.
Thanks Alena, it's filed as bug 15300.

-----Original Message-----
From: Alena Prokharchyk [mailto:Alena.Prokharchyk@citrix.com] 
Sent: Friday, June 15, 2012 10:10 AM
To: cloudstack-users@incubator.apache.org; 'cloudstack-dev@incubator.apache.org'
Subject: Re: Construct / change role permissions

On 6/15/12 9:49 AM, "Clayton Weise" <cw...@iswest.net> wrote:

>With regard to the subject of roles.  I've noticed that domain admins do
>not have limits enforced.  So if a domain is limited to 10 snapshots, a
>domain admin can create 11.  And because limits cannot be imposed, as far
>as we're concerned, this type of user is pretty much useless because we
>have no way to control what it can do.  Is this by design?


It was designed that way from the beginning. But you are right - domain
admin should respect the limits as he doesn't own the system, and there
should be a way to control his resources.
Can you please file a CS bug on this regard.


Thanks,
-Alena.



>And if so, why and is there a way it can be changed so that domain admins
>can have limits enforced?
>
>Thanks,
>Clayton
>
>>-----Original Message-----
>>From: Will Chan [mailto:will.chan@citrix.com]
>>Sent: Friday, June 15, 2012 9:32 AM
>>To: cloudstack-dev@incubator.apache.org;
>>cloudstack-users@incubator.apache.org
>>Subject: RE: Construct / change role permissions
>>
>>You are correct that Cloudstack has created essentially three static
>>roles today.  The most you can do today is to allow/disallow API
>>commands to each role via the commands.properties file.
>>
>>It has been something that has been requested many times before,
>>however, most production systems that go live on CloudStack typically
>>are fronted by some type of "portal."  These portals are the ones that
>>decide permissions for each user type.  Essentially, it's the user role
>>that require a bit more flexibility as the other two roles are pretty
>>standard.
>>
>>I do know that Citrix is working on contributing back some refactoring
>>work on the domain and user ACL checklist so you might want to wait for
>>that first.
>>
>>Will
>>
>>> -----Original Message-----
>>> From: Olga Smola [mailto:olya.smola@gmail.com]
>>> Sent: Friday, June 15, 2012 1:02 AM
>>> To: cloudstack-dev@incubator.apache.org; cloudstack-
>>> users@incubator.apache.org
>>> Subject: Construct / change role permissions
>>>
>>> Hi,
>>>
>>> I would like to discuss CloudStack roles capabilities. As far as I
>>>understand, there
>>> are 3 distinct roles and there is no possibility to change any role
>>>permissions.
>>> Sometimes it's not so comfortable for situation when it is needed to
>>>allow some
>>> action from one role to another one. For example, if you would like to
>>>allow
>>> USER new action "Add account", you can't. Because there is no API
>>>command
>>> for USER. What about new roles?
>>> Have you got any ideas how to extend the CloudStack mechanism of roles
>>> creation? It will be more convenient if there is something that allow
>>>to create
>>> custom roles with needed permissions. For example, give basic role
>>>ADMIN or
>>> USER and then create new role based on it, change permissions(remove,
>>>add).
>>> Something like Role's constructor.
>>> Also I would like to know if somebody else needs similar extension?
>>>
>>> Feel free to write any ideas.
>>>
>>> Thanks a lot,
>>> Olga
>



RE: Construct / change role permissions

Posted by Will Chan <wi...@citrix.com>.
That could be a bug.  As far as I know domain-admins should be limited as well.  

Will

> -----Original Message-----
> From: Clayton Weise [mailto:cweise@iswest.net]
> Sent: Friday, June 15, 2012 9:50 AM
> To: 'cloudstack-dev@incubator.apache.org'; 'cloudstack-
> users@incubator.apache.org'
> Subject: RE: Construct / change role permissions
> 
> With regard to the subject of roles.  I've noticed that domain admins do not
> have limits enforced.  So if a domain is limited to 10 snapshots, a domain admin
> can create 11.  And because limits cannot be imposed, as far as we're
> concerned, this type of user is pretty much useless because we have no way to
> control what it can do.  Is this by design?  And if so, why and is there a way it can
> be changed so that domain admins can have limits enforced?
> 
> Thanks,
> Clayton
> 
> >-----Original Message-----
> >From: Will Chan [mailto:will.chan@citrix.com]
> >Sent: Friday, June 15, 2012 9:32 AM
> >To: cloudstack-dev@incubator.apache.org;
> >cloudstack-users@incubator.apache.org
> >Subject: RE: Construct / change role permissions
> >
> >You are correct that Cloudstack has created essentially three static roles today.
> The most you can do today is to allow/disallow API commands to each role via
> the commands.properties file.
> >
> >It has been something that has been requested many times before, however,
> most production systems that go live on CloudStack typically are fronted by
> some type of "portal."  These portals are the ones that decide permissions for
> each user type.  Essentially, it's the user role that require a bit more flexibility as
> the other two roles are pretty standard.
> >
> >I do know that Citrix is working on contributing back some refactoring work on
> the domain and user ACL checklist so you might want to wait for that first.
> >
> >Will
> >
> >> -----Original Message-----
> >> From: Olga Smola [mailto:olya.smola@gmail.com]
> >> Sent: Friday, June 15, 2012 1:02 AM
> >> To: cloudstack-dev@incubator.apache.org; cloudstack-
> >> users@incubator.apache.org
> >> Subject: Construct / change role permissions
> >>
> >> Hi,
> >>
> >> I would like to discuss CloudStack roles capabilities. As far as I
> >> understand, there are 3 distinct roles and there is no possibility to change any
> role permissions.
> >> Sometimes it's not so comfortable for situation when it is needed to
> >> allow some action from one role to another one. For example, if you
> >> would like to allow USER new action "Add account", you can't. Because
> >> there is no API command for USER. What about new roles?
> >> Have you got any ideas how to extend the CloudStack mechanism of
> >> roles creation? It will be more convenient if there is something that
> >> allow to create custom roles with needed permissions. For example,
> >> give basic role ADMIN or USER and then create new role based on it, change
> permissions(remove, add).
> >> Something like Role's constructor.
> >> Also I would like to know if somebody else needs similar extension?
> >>
> >> Feel free to write any ideas.
> >>
> >> Thanks a lot,
> >> Olga

RE: Construct / change role permissions

Posted by Will Chan <wi...@citrix.com>.
That could be a bug.  As far as I know domain-admins should be limited as well.  

Will

> -----Original Message-----
> From: Clayton Weise [mailto:cweise@iswest.net]
> Sent: Friday, June 15, 2012 9:50 AM
> To: 'cloudstack-dev@incubator.apache.org'; 'cloudstack-
> users@incubator.apache.org'
> Subject: RE: Construct / change role permissions
> 
> With regard to the subject of roles.  I've noticed that domain admins do not
> have limits enforced.  So if a domain is limited to 10 snapshots, a domain admin
> can create 11.  And because limits cannot be imposed, as far as we're
> concerned, this type of user is pretty much useless because we have no way to
> control what it can do.  Is this by design?  And if so, why and is there a way it can
> be changed so that domain admins can have limits enforced?
> 
> Thanks,
> Clayton
> 
> >-----Original Message-----
> >From: Will Chan [mailto:will.chan@citrix.com]
> >Sent: Friday, June 15, 2012 9:32 AM
> >To: cloudstack-dev@incubator.apache.org;
> >cloudstack-users@incubator.apache.org
> >Subject: RE: Construct / change role permissions
> >
> >You are correct that Cloudstack has created essentially three static roles today.
> The most you can do today is to allow/disallow API commands to each role via
> the commands.properties file.
> >
> >It has been something that has been requested many times before, however,
> most production systems that go live on CloudStack typically are fronted by
> some type of "portal."  These portals are the ones that decide permissions for
> each user type.  Essentially, it's the user role that require a bit more flexibility as
> the other two roles are pretty standard.
> >
> >I do know that Citrix is working on contributing back some refactoring work on
> the domain and user ACL checklist so you might want to wait for that first.
> >
> >Will
> >
> >> -----Original Message-----
> >> From: Olga Smola [mailto:olya.smola@gmail.com]
> >> Sent: Friday, June 15, 2012 1:02 AM
> >> To: cloudstack-dev@incubator.apache.org; cloudstack-
> >> users@incubator.apache.org
> >> Subject: Construct / change role permissions
> >>
> >> Hi,
> >>
> >> I would like to discuss CloudStack roles capabilities. As far as I
> >> understand, there are 3 distinct roles and there is no possibility to change any
> role permissions.
> >> Sometimes it's not so comfortable for situation when it is needed to
> >> allow some action from one role to another one. For example, if you
> >> would like to allow USER new action "Add account", you can't. Because
> >> there is no API command for USER. What about new roles?
> >> Have you got any ideas how to extend the CloudStack mechanism of
> >> roles creation? It will be more convenient if there is something that
> >> allow to create custom roles with needed permissions. For example,
> >> give basic role ADMIN or USER and then create new role based on it, change
> permissions(remove, add).
> >> Something like Role's constructor.
> >> Also I would like to know if somebody else needs similar extension?
> >>
> >> Feel free to write any ideas.
> >>
> >> Thanks a lot,
> >> Olga

Re: Construct / change role permissions

Posted by Alena Prokharchyk <Al...@citrix.com>.
On 6/15/12 9:49 AM, "Clayton Weise" <cw...@iswest.net> wrote:

>With regard to the subject of roles.  I've noticed that domain admins do
>not have limits enforced.  So if a domain is limited to 10 snapshots, a
>domain admin can create 11.  And because limits cannot be imposed, as far
>as we're concerned, this type of user is pretty much useless because we
>have no way to control what it can do.  Is this by design?


It was designed that way from the beginning. But you are right - domain
admin should respect the limits as he doesn't own the system, and there
should be a way to control his resources.
Can you please file a CS bug in this regard?


Thanks,
-Alena.



>And if so, why and is there a way it can be changed so that domain admins
>can have limits enforced?
>
>Thanks,
>Clayton
>
>>-----Original Message-----
>>From: Will Chan [mailto:will.chan@citrix.com]
>>Sent: Friday, June 15, 2012 9:32 AM
>>To: cloudstack-dev@incubator.apache.org;
>>cloudstack-users@incubator.apache.org
>>Subject: RE: Construct / change role permissions
>>
>>You are correct that CloudStack has created essentially three static
>>roles today.  The most you can do today is to allow/disallow API
>>commands to each role via the commands.properties file.
>>
>>It has been something that has been requested many times before,
>>however, most production systems that go live on CloudStack typically
>>are fronted by some type of "portal."  These portals are the ones that
>>decide permissions for each user type.  Essentially, it's the user role
>>that requires a bit more flexibility as the other two roles are pretty
>>standard.
>>
>>I do know that Citrix is working on contributing back some refactoring
>>work on the domain and user ACL checklist so you might want to wait for
>>that first.
>>
>>Will
>>
>>> -----Original Message-----
>>> From: Olga Smola [mailto:olya.smola@gmail.com]
>>> Sent: Friday, June 15, 2012 1:02 AM
>>> To: cloudstack-dev@incubator.apache.org; cloudstack-
>>> users@incubator.apache.org
>>> Subject: Construct / change role permissions
>>>
>>> Hi,
>>>
>>> I would like to discuss CloudStack roles capabilities. As far as I
>>>understand, there
>>> are 3 distinct roles and there is no possibility to change any role
>>>permissions.
>>> Sometimes it's not so comfortable for situation when it is needed to
>>>allow some
>>> action from one role to another one. For example, if you would like to
>>>allow
>>> USER new action "Add account", you can't. Because there is no API
>>>command
>>> for USER. What about new roles?
>>> Have you got any ideas how to extend the CloudStack mechanism of roles
>>> creation? It will be more convenient if there is something that allow
>>>to create
>>> custom roles with needed permissions. For example, give basic role
>>>ADMIN or
>>> USER and then create new role based on it, change permissions(remove,
>>>add).
>>> Something like Role's constructor.
>>> Also I would like to know if somebody else needs similar extension?
>>>
>>> Feel free to write any ideas.
>>>
>>> Thanks a lot,
>>> Olga
>
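
A minimal model of the limit check discussed above, as an added example that is not CloudStack code and not part of the original message. The role names, the `Domain` class and the choice to exempt only the root admin in the enforced variant are assumptions made for illustration; the 10-snapshot limit is the figure from the thread.

```python
from dataclasses import dataclass, field

# Hypothetical role labels for this sketch.
ROOT_ADMIN, DOMAIN_ADMIN, USER = "ROOT_ADMIN", "DOMAIN_ADMIN", "USER"

class LimitExceeded(Exception):
    pass

@dataclass
class Domain:
    name: str
    limits: dict                                 # resource type -> max count for the domain
    usage: dict = field(default_factory=dict)    # resource type -> current count

def create_resource(domain, role, resource, exempt_roles):
    """Count one new resource against the domain limit unless the role is exempt."""
    used = domain.usage.get(resource, 0)
    limit = domain.limits.get(resource)          # None means no limit configured
    if role not in exempt_roles and limit is not None and used >= limit:
        raise LimitExceeded(f"{domain.name}: {resource} limit {limit} reached")
    domain.usage[resource] = used + 1
    return domain.usage[resource]

# Behaviour described in the thread: every admin type skips the check.
BY_DESIGN = {ROOT_ADMIN, DOMAIN_ADMIN}
# Assumed corrected policy: only the account that owns the system skips it.
ENFORCED = {ROOT_ADMIN}

def fill_and_try(exempt_roles, role):
    """Fill a constructed domain to its 10-snapshot limit, then try one more as `role`."""
    domain = Domain("customer-a", {"snapshot": 10})
    for _ in range(10):
        create_resource(domain, USER, "snapshot", exempt_roles)
    try:
        return create_resource(domain, role, "snapshot", exempt_roles)
    except LimitExceeded:
        return "denied"

if __name__ == "__main__":
    print("by design, domain admin:", fill_and_try(BY_DESIGN, DOMAIN_ADMIN))
    print("enforced,  domain admin:", fill_and_try(ENFORCED, DOMAIN_ADMIN))
```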



RE: Construct / change role permissions

Posted by Clayton Weise <cw...@iswest.net>.
With regard to the subject of roles.  I've noticed that domain admins do not have limits enforced.  So if a domain is limited to 10 snapshots, a domain admin can create 11.  And because limits cannot be imposed, as far as we're concerned, this type of user is pretty much useless because we have no way to control what it can do.  Is this by design?  And if so, why and is there a way it can be changed so that domain admins can have limits enforced?

Thanks,
Clayton

>-----Original Message-----
>From: Will Chan [mailto:will.chan@citrix.com]
>Sent: Friday, June 15, 2012 9:32 AM
>To: cloudstack-dev@incubator.apache.org; cloudstack-users@incubator.apache.org
>Subject: RE: Construct / change role permissions
>
>You are correct that CloudStack has created essentially three static roles today.  The most you can do today is to allow/disallow API commands to each role via the commands.properties file.
>
>It has been something that has been requested many times before, however, most production systems that go live on CloudStack typically are fronted by some type of "portal."  These portals are the ones that decide permissions for each user type.  Essentially, it's the user role that requires a bit more flexibility as the other two roles are pretty standard.
>
>I do know that Citrix is working on contributing back some refactoring work on the domain and user ACL checklist so you might want to wait for that first.
>
>Will
>
>> -----Original Message-----
>> From: Olga Smola [mailto:olya.smola@gmail.com]
>> Sent: Friday, June 15, 2012 1:02 AM
>> To: cloudstack-dev@incubator.apache.org; cloudstack-
>> users@incubator.apache.org
>> Subject: Construct / change role permissions
>>
>> Hi,
>>
>> I would like to discuss CloudStack roles capabilities. As far as I understand, there
>> are 3 distinct roles and there is no possibility to change any role permissions.
>> Sometimes it's not so comfortable for situation when it is needed to allow some
>> action from one role to another one. For example, if you would like to allow
>> USER new action "Add account", you can't. Because there is no API command
>> for USER. What about new roles?
>> Have you got any ideas how to extend the CloudStack mechanism of roles
>> creation? It will be more convenient if there is something that allow to create
>> custom roles with needed permissions. For example, give basic role ADMIN or
>> USER and then create new role based on it, change permissions(remove, add).
>> Something like Role's constructor.
>> Also I would like to know if somebody else needs similar extension?
>>
>> Feel free to write any ideas.
>>
>> Thanks a lot,
>> Olga

RE: Construct / change role permissions

Posted by Will Chan <wi...@citrix.com>.
You are correct that CloudStack has created essentially three static roles today.  The most you can do today is to allow/disallow API commands to each role via the commands.properties file.

It has been something that has been requested many times before, however, most production systems that go live on CloudStack typically are fronted by some type of "portal."  These portals are the ones that decide permissions for each user type.  Essentially, it's the user role that requires a bit more flexibility as the other two roles are pretty standard.

I do know that Citrix is working on contributing back some refactoring work on the domain and user ACL checklist so you might want to wait for that first.

Will

> -----Original Message-----
> From: Olga Smola [mailto:olya.smola@gmail.com]
> Sent: Friday, June 15, 2012 1:02 AM
> To: cloudstack-dev@incubator.apache.org; cloudstack-
> users@incubator.apache.org
> Subject: Construct / change role permissions
> 
> Hi,
> 
> I would like to discuss CloudStack roles capabilities. As far as I understand, there
> are 3 distinct roles and there is no possibility to change any role permissions.
> Sometimes it's not so comfortable for situation when it is needed to allow some
> action from one role to another one. For example, if you would like to allow
> USER new action "Add account", you can't. Because there is no API command
> for USER. What about new roles?
> Have you got any ideas how to extend the CloudStack mechanism of roles
> creation? It will be more convenient if there is something that allow to create
> custom roles with needed permissions. For example, give basic role ADMIN or
> USER and then create new role based on it, change permissions(remove, add).
> Something like Role's constructor.
> Also I would like to know if somebody else needs similar extension?
> 
> Feel free to write any ideas.
> 
> Thanks a lot,
> Olga
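
The per-role allow/disallow in commands.properties mentioned above, shown as a review check. This is an added example, not part of the original message and not CloudStack code. It assumes each line has the form `apiName=implementingClass;roleBitmask` with bits 1 = admin, 2 = resource domain admin, 4 = domain admin, 8 = user; the sample entries and class names are constructed.

```python
# Assumed bit values for the role bitmask at the end of each line.
ROLE_BITS = {1: "ADMIN", 2: "RESOURCE_DOMAIN_ADMIN", 4: "DOMAIN_ADMIN", 8: "USER"}

# Constructed sample entries; the class names are placeholders.
BASELINE = """
# account commands
createAccount=example.api.CreateAccountCmd;3
listAccounts=example.api.ListAccountsCmd;15
createSnapshot=example.api.CreateSnapshotCmd;15
"""
PROPOSED = BASELINE.replace("CreateAccountCmd;3", "CreateAccountCmd;11")

def parse_commands(text):
    """Return {api_name: role_mask}; raise ValueError on a line that does not parse."""
    commands = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, eq, value = line.partition("=")
        _cls, semi, mask = value.rpartition(";")
        if not eq or not semi or not mask.strip().isdigit():
            raise ValueError(f"line {lineno}: expected name=class;mask, got {raw!r}")
        mask_int = int(mask)
        if mask_int & ~15:
            raise ValueError(f"line {lineno}: unknown role bits in mask {mask_int}")
        commands[name.strip()] = mask_int
    return commands

def roles(mask):
    """Decode a bitmask into the list of role names it allows."""
    return [name for bit, name in ROLE_BITS.items() if mask & bit]

def newly_granted(baseline, proposed):
    """List (command, role) pairs allowed in `proposed` but not in `baseline`."""
    old, new = parse_commands(baseline), parse_commands(proposed)
    grants = []
    for name, mask in sorted(new.items()):
        added = mask & ~old.get(name, 0)   # bits set now that were clear before
        grants += [(name, role) for role in roles(added)]
    return grants

if __name__ == "__main__":
    for command, role in newly_granted(BASELINE, PROPOSED):
        print(f"review: {role} gains {command}")
```

Running the diff before a modified file is deployed lists every command a role gains, so a widened permission is reviewed rather than discovered later.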

Re: Construct / change role permissions

Posted by liujunpeng <li...@inspur.com>.
We also need to change the permissions.


2012-06-15 



××××××××××××××××××××××××
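Liu Junpeng
Inspur Electronic Information Industry Co., Ltd.
System Software Department
Address: 2nd Floor, North Building, Building S05, Inspur Science Park, No. 1036 Langchao Road
Postal code: 250101
Email: liujunpeng@inspur.com
Office phone: 0531-85106302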
××××××××××××××××××××××××



From: Olga Smola
Sent: 2012-06-15  16:02:31
To: cloudstack-dev; cloudstack-users
Cc:
Subject: Construct / change role permissions
 
Hi,
I would like to discuss CloudStack roles capabilities. As far as I
understand, there are 3 distinct roles and there is no possibility to
change any role permissions. Sometimes it's not so comfortable for
situation when it is needed to allow some action from one role to another
one. For example, if you would like to allow USER new action "Add account",
you can't. Because there is no API command for USER. What about new roles?
Have you got any ideas how to extend the CloudStack mechanism of roles
creation? It will be more convenient if there is something that allow to
create custom roles with needed permissions. For example, give basic role
ADMIN or USER and then create new role based on it, change
permissions(remove, add). Something like Role's constructor.
Also I would like to know if somebody else needs similar extension?
Feel free to write any ideas.
Thanks a lot,
Olga