Posted to users@cloudstack.apache.org by "Fuchs, Andreas (SwissTXT)" <An...@swisstxt.ch> on 2012/11/01 09:26:38 UTC

RE: Users of type 'User' and 'Domain-Admin' cannot update their own passwords / account details / create sub-domains

Hi Kristoffer

We suffer from the same issues and opened a feature request a while ago. So please open one too; maybe it helps if there are more people requesting those features.
Half a year ago there was talk about a proper RBAC system, but so far nothing has happened on this topic.
There are more issues: a normal user also cannot create his key and secret; here too the root admin has to do it.

For the password issue, our workaround was to use LDAP as the authentication backend, with a system where the user has access to the LDAP to change his password. But be prepared to fight other CS issues to get the LDAP backend working (at least in 3.0.4: we had to change md5HashedLogin to false in sharedFunctions.js; the config can only be done over the API and is not reflected in global settings; there is no fallback or mixed authentication possible from LDAP to local auth).

Regards
Andi

-----Original Message-----
From: Alena Prokharchyk [mailto:Alena.Prokharchyk@citrix.com] 
Sent: Wednesday, 31 October 2012 23:01
To: kris@cloudcentral.com.au
Cc: cloudstack-users@incubator.apache.org
Subject: Re: Users of type 'User' and 'Domain-Admin' cannot update their own passwords / account details / create sub-domains

Kristoffer,

Sure, whatever you suggest makes sense. Please file an enhancement request against CloudStack.

-Alena.

From: Kristoffer Sheather - Cloud Central <kr...@cloudcentral.com.au>
Reply-To: "kris@cloudcentral.com.au" <kr...@cloudcentral.com.au>
To: Alena Prokharchyk <al...@citrix.com>
Cc: "'cloudstack-users@incubator. org'" <cl...@incubator.apache.org>
Subject: Re: Users of type 'User' and 'Domain-Admin' cannot update their own passwords / account details / create sub-domains

So how does a user reset their own password?  We need to enable users to reset their own passwords without our involvement.

Consider the service provider use case: we need to delegate things like resetting user passwords to the account holders themselves.

We also need to allow Domain-Admins to be able to create additional accounts and sub-domains within their domain.  This caters for the 'multi-level' reseller use case.

________________________________
From: "Alena Prokharchyk" <Al...@citrix.com>
Sent: Thursday, November 01, 2012 3:55 AM
To: "cloudstack-users@incubator.apache.org" <cl...@incubator.apache.org>, "kris@cloudcentral.com.au" <kr...@cloudcentral.com.au>
Subject: Re: Users of type 'User' and 'Domain-Admin' cannot update their own passwords / account details / create sub-domains

On 10/31/12 4:01 AM, "Kristoffer Sheather - Cloud Central" <kr...@cloudcentral.com.au> wrote:

>Not sure whether I'm going crazy or not, but I can't find a way for 
>users with 'Domain-Admin' or 'User' roles to change their passwords, 
>create sub-domains, etc.
>
>I can change them by logging in as the system administrator, but cannot 
>change account passwords or create sub-domains if logged in as 
>'Domain-Admin' for any account.
>
>This behaviour has been evident in my testing of CloudPlatform v3.0.4 
>and v3.0.5. If anyone has any ideas please let me know.
>
>Regards,
>Kristoffer Sheather
>


Kristoffer,

It's by design.


Only the Root admin can modify the domain structure (create/delete/update subdomains) and add/remove/update accounts/users.

A Domain admin can only enable/disable existing accounts/users in his domain/subdomains.

A regular user can't perform any CRUD operations, either on others' or on his own account/domain.

-Alena.
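
The permission rules described in this thread, as an added sketch that is not CloudStack code and not part of any message above. It models who may do what across a domain tree, including the sub-domain scoping for domain admins, and shows the requested self-service delegation as an opt-in rule. The action names, the sample domain tree and the `self_service` flag are hypothetical.

```python
# Added sketch: models the rules described in this thread; not CloudStack code.
from dataclasses import dataclass

ROOT_ADMIN, DOMAIN_ADMIN, USER = "root-admin", "domain-admin", "user"

# Constructed sample domain tree: child -> parent (ROOT has no parent).
PARENT = {"ROOT": None, "reseller-a": "ROOT", "customer-1": "reseller-a",
          "reseller-b": "ROOT"}

@dataclass(frozen=True)
class Caller:
    name: str
    role: str
    domain: str

def in_subtree(domain, ancestor):
    """True if `domain` is `ancestor` or lies below it in the tree."""
    while domain is not None:
        if domain == ancestor:
            return True
        domain = PARENT[domain]
    return False

def allowed(caller, action, target_user, target_domain, self_service=False):
    """Decide one request. Actions (hypothetical names): create_subdomain,
    update_account, update_password, generate_keys, enable_account,
    disable_account. `self_service` models the delegation requested in the
    thread; False reproduces the behaviour described as 'by design'."""
    if caller.role == ROOT_ADMIN:
        return True
    if caller.role == DOMAIN_ADMIN and action in ("enable_account", "disable_account"):
        # Scope check: only the admin's own domain and its sub-domains.
        return in_subtree(target_domain, caller.domain)
    if self_service and action in ("update_password", "generate_keys"):
        # Requested rule: a caller may act on their own user record only.
        return target_user == caller.name and target_domain == caller.domain
    return False
```

The self-service rule compares both the user name and the domain, so enabling it does not let a caller touch another user's credentials, even inside the same domain.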


Re: Users of type 'User' and 'Domain-Admin' cannot update their own passwords / account details / create sub-domains

Posted by sx chen <cl...@gmail.com>.
We've also met these questions.
And we had to do some development to meet the requirement.
Also hope for the RBAC feature. When will it be released?

RE: Users of type 'User' and 'Domain-Admin' cannot update their own passwords / account details / create sub-domains

Posted by Prachi Damle <Pr...@citrix.com>.
Hi Kristoffer,

I am working on a role-based access system feature and will send out a concrete functional spec when it is ready. The use case of granting a user access to change password/generate keys will be considered as part of this work.

Please keep posting any more use cases you would expect to be addressed.

Thank you,
Prachi

