You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cloudstack.apache.org by Pranav Saxena <pr...@citrix.com> on 2013/04/09 18:31:41 UTC
[DISCUSS] - Deletion of Users within the Admin account
HI,
Do we allow deletion of users created by the admin within the admin account ? Currently if we see the UI (4.1 /master) and create a User within the admin account you won't be able to delete any user . Now when you create a user , its account type is 1 , account is Admin and domain is ROOT . With this in mind , how do you distinguish between the system generated Admin user and a manual generated user .
Also , the delete User API if invoked for the admin himself will delete the admin account leading to a big problem , since the admin won't be able to login to the UI as his credentials will be deleted from the db. So first of all we should have a check at the API layer to disallow such an action .
Next , If I need to put a check at the UI layer to hide/show delete options , what would be the right conditions needed to be checked to distinguish between the system generated user and admin generated manual users ?
Thanks,
Pranav
RE: [DISCUSS] - Deletion of Users within the Admin account
Posted by Pranav Saxena <pr...@citrix.com>.
Yes , you won't be able to login to the UI since the admin credentials would no more exist in the db then .
-----Original Message-----
From: David Nalley [mailto:david@gnsa.us]
Sent: Tuesday, April 09, 2013 10:30 PM
To: dev@cloudstack.apache.org
Cc: Pranav Saxena
Subject: Re: [DISCUSS] - Deletion of Users within the Admin account
On Tue, Apr 9, 2013 at 12:56 PM, Alena Prokharchyk <Al...@citrix.com> wrote:
> We should allow to delete any CS users except for ones that came as a
> part of cloudStack installation ("system" and "admin" users). The
> users you've created using API, should be allowed to be removed no
> matter of their types.
>
I can sorta understand system - but why should I not be able to purge admin?
Is there something that breaks by deleting admin? (user, not account)
--David
Re: [DISCUSS] - Deletion of Users within the Admin account
Posted by Alena Prokharchyk <Al...@citrix.com>.
Dave, you need to have at least one user in order to login to the UI or
execute an API call. You can't do it as a "system" user, so "admin" should
be the one.
-Alena.
On 4/9/13 10:00 AM, "David Nalley" <da...@gnsa.us> wrote:
>On Tue, Apr 9, 2013 at 12:56 PM, Alena Prokharchyk
><Al...@citrix.com> wrote:
>> We should allow to delete any CS users except for ones that came as a
>>part
>> of cloudStack installation ("system" and "admin" users). The users
>>you've
>> created using API, should be allowed to be removed no matter of their
>> types.
>>
>
>
>I can sorta understand system - but why should I not be able to purge
>admin?
>Is there something that breaks by deleting admin? (user, not account)
>
>--David
>
Re: [DISCUSS] - Deletion of Users within the Admin account
Posted by David Nalley <da...@gnsa.us>.
On Tue, Apr 9, 2013 at 12:56 PM, Alena Prokharchyk
<Al...@citrix.com> wrote:
> We should allow to delete any CS users except for ones that came as a part
> of cloudStack installation ("system" and "admin" users). The users you've
> created using API, should be allowed to be removed no matter of their
> types.
>
I can sorta understand system - but why should I not be able to purge admin?
Is there something that breaks by deleting admin? (user, not account)
--David
RE: [DISCUSS] - Deletion of Users within the Admin account
Posted by Pranav Saxena <pr...@citrix.com>.
I second that ! we could leave it in master then .
-----Original Message-----
From: Alena Prokharchyk [mailto:Alena.Prokharchyk@citrix.com]
Sent: Tuesday, April 23, 2013 2:10 AM
To: Chip Childers
Cc: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] - Deletion of Users within the Admin account
On 4/22/13 1:36 PM, "Chip Childers" <ch...@sungard.com> wrote:
>On Mon, Apr 22, 2013 at 01:33:32PM -0700, Alena Prokharchyk wrote:
>> On 4/22/13 12:29 PM, "Chip Childers" <ch...@sungard.com> wrote:
>>
>> >On Mon, Apr 22, 2013 at 07:25:53PM +0000, Pranav Saxena wrote:
>> >> If we don't , then the only trade-off is the deletion of the users
>> >>accounts won't be possible :) . IMHO , we should be allowing that .
>> >>
>> >> I'll leave it upto you to take a final go at it .
>> >
>> >Tell you what... why don't you go ahead and back port it. If it
>> >happens to get into 4.1.0, then great. Otherwise it'll be in 4.1.1.
>> >
>>
>> Chip, the fix includes the DB upgrade - adding the "default" field to
>>user/account DB tables. I've already made changes to 4.1-4.2 upgrade
>>path on master. If we backport the fix to 4.1 branch, where the db
>>upgrade steps should go? As we don't know yet whether it becomes
>>4.1.1 or 4.1.0 yet.
>>
>> -Alena.
>>
>>
>
>Hmmm... well we have been trying to *not* do schema changes for
>bug-fix releases.
>
>If things worked this way for 4.0.x, I don't see any reason to jump on
>pushing this into 4.1.x ATM. Perhaps we just leave it in master then.
>
>Others?
>
+1. Especially when it includes DB changes.
Re: [DISCUSS] - Deletion of Users within the Admin account
Posted by Alena Prokharchyk <Al...@citrix.com>.
On 4/22/13 1:36 PM, "Chip Childers" <ch...@sungard.com> wrote:
>On Mon, Apr 22, 2013 at 01:33:32PM -0700, Alena Prokharchyk wrote:
>> On 4/22/13 12:29 PM, "Chip Childers" <ch...@sungard.com> wrote:
>>
>> >On Mon, Apr 22, 2013 at 07:25:53PM +0000, Pranav Saxena wrote:
>> >> If we don't , then the only trade-off is the deletion of the users
>> >>accounts won't be possible :) . IMHO , we should be allowing that .
>> >>
>> >> I'll leave it upto you to take a final go at it .
>> >
>> >Tell you what... why don't you go ahead and back port it. If it
>> >happens to get into 4.1.0, then great. Otherwise it'll be in 4.1.1.
>> >
>>
>> Chip, the fix includes the DB upgrade - adding the "default" field to
>> user/account DB tables. I've already made changes to 4.1-4.2 upgrade
>>path
>> on master. If we backport the fix to 4.1 branch, where the db upgrade
>> steps should go? As we don't know yet whether it becomes 4.1.1 or 4.1.0
>> yet.
>>
>> -Alena.
>>
>>
>
>Hmmm... well we have been trying to *not* do schema changes for bug-fix
>releases.
>
>If things worked this way for 4.0.x, I don't see any reason to jump on
>pushing this into 4.1.x ATM. Perhaps we just leave it in master then.
>
>Others?
>
+1. Especially when it includes DB changes.
Re: [DISCUSS] - Deletion of Users within the Admin account
Posted by Chip Childers <ch...@sungard.com>.
On Mon, Apr 22, 2013 at 01:33:32PM -0700, Alena Prokharchyk wrote:
> On 4/22/13 12:29 PM, "Chip Childers" <ch...@sungard.com> wrote:
>
> >On Mon, Apr 22, 2013 at 07:25:53PM +0000, Pranav Saxena wrote:
> >> If we don't , then the only trade-off is the deletion of the users
> >>accounts won't be possible :) . IMHO , we should be allowing that .
> >>
> >> I'll leave it upto you to take a final go at it .
> >
> >Tell you what... why don't you go ahead and back port it. If it
> >happens to get into 4.1.0, then great. Otherwise it'll be in 4.1.1.
> >
>
> Chip, the fix includes the DB upgrade - adding the "default" field to
> user/account DB tables. I've already made changes to 4.1-4.2 upgrade path
> on master. If we backport the fix to 4.1 branch, where the db upgrade
> steps should go? As we don't know yet whether it becomes 4.1.1 or 4.1.0
> yet.
>
> -Alena.
>
>
Hmmm... well we have been trying to *not* do schema changes for bug-fix
releases.
If things worked this way for 4.0.x, I don't see any reason to jump on
pushing this into 4.1.x ATM. Perhaps we just leave it in master then.
Others?
Re: [DISCUSS] - Deletion of Users within the Admin account
Posted by Alena Prokharchyk <Al...@citrix.com>.
On 4/22/13 12:29 PM, "Chip Childers" <ch...@sungard.com> wrote:
>On Mon, Apr 22, 2013 at 07:25:53PM +0000, Pranav Saxena wrote:
>> If we don't , then the only trade-off is the deletion of the users
>>accounts won't be possible :) . IMHO , we should be allowing that .
>>
>> I'll leave it upto you to take a final go at it .
>
>Tell you what... why don't you go ahead and back port it. If it
>happens to get into 4.1.0, then great. Otherwise it'll be in 4.1.1.
>
Chip, the fix includes the DB upgrade - adding the "default" field to
user/account DB tables. I've already made changes to 4.1-4.2 upgrade path
on master. If we backport the fix to 4.1 branch, where the db upgrade
steps should go? As we don't know yet whether it becomes 4.1.1 or 4.1.0
yet.
-Alena.
Re: [DISCUSS] - Deletion of Users within the Admin account
Posted by Chip Childers <ch...@sungard.com>.
On Mon, Apr 22, 2013 at 07:25:53PM +0000, Pranav Saxena wrote:
> If we don't , then the only trade-off is the deletion of the users accounts won't be possible :) . IMHO , we should be allowing that .
>
> I'll leave it upto you to take a final go at it .
Tell you what... why don't you go ahead and back port it. If it
happens to get into 4.1.0, then great. Otherwise it'll be in 4.1.1.
RE: [DISCUSS] - Deletion of Users within the Admin account
Posted by Pranav Saxena <pr...@citrix.com>.
If we don't , then the only trade-off is the deletion of the users accounts won't be possible :) . IMHO , we should be allowing that .
I'll leave it upto you to take a final go at it .
-----Original Message-----
From: Chip Childers [mailto:chip.childers@sungard.com]
Sent: Tuesday, April 23, 2013 12:43 AM
To: dev@cloudstack.apache.org
Cc: Alena Prokharchyk
Subject: Re: [DISCUSS] - Deletion of Users within the Admin account
On Mon, Apr 22, 2013 at 07:02:41PM +0000, Pranav Saxena wrote:
> Hi Chip ,
>
> This issue has been fixed in asf/master at both the UI and API layers (CLOUDSTACK-1941) . Now , if you think that we should support the same functionality in 4.1 as well , then myself and Alena can back-port our fixes to 4.1 from master.
I already cut an RC for 4.1.0. Do you think it makes sense to port it over for 4.1.1 (or depending on when it makes it into the branch and how the current RC voting goes, it could end up in 4.1.0)?
I wouldn't object, but I don't think we should re-spin an RC specifically for it.
>
> Thanks,
> Pranav
>
> -----Original Message-----
> From: Alena Prokharchyk
> Sent: Tuesday, April 09, 2013 11:12 PM
> To: dev@cloudstack.apache.org
> Cc: Pranav Saxena
> Subject: Re: [DISCUSS] - Deletion of Users within the Admin account
>
> Chip,
>
> 1) "System" user is always identified by the cloud.user DB id=1 (hardcoded in User.java interface). This user is never exposed via API, you can't remove it - the checks are already in place for it.
>
> 2) For users of "admin" account, currently there is no direct way to tell if the user was added by the system, or using API call. We can't rely on name "admin" as it's not reserved name and renaming is also allowed.
>
> I think for upgrade we can rely on the cloud.user db id - expect it to be "system_user_db_id + 1" as we know that 2 users come with the default cloudStack install.
>
>
> -Alena.
>
>
>
> On 4/9/13 10:02 AM, "Chip Childers" <ch...@sungard.com> wrote:
>
> >On Tue, Apr 09, 2013 at 09:56:37AM -0700, Alena Prokharchyk wrote:
> >> We should allow to delete any CS users except for ones that came as
> >>a part of cloudStack installation ("system" and "admin" users). The
> >>users you've created using API, should be allowed to be removed no
> >>matter of their types.
> >
> >+1 to this in general terms. Not sure about requiring a change like
> >this for 4.1.0 though.
> >
> >>
> >> The right way to distinguish between system generated users, and
> >> users created using APIs would be introducing the flag in the cloud.users DB.
> >
> >Do you have any thoughts on how we would correctly identify these
> >account in existing installs?
> >
> >
>
>
>
Re: [DISCUSS] - Deletion of Users within the Admin account
Posted by Chip Childers <ch...@sungard.com>.
On Mon, Apr 22, 2013 at 07:02:41PM +0000, Pranav Saxena wrote:
> Hi Chip ,
>
> This issue has been fixed in asf/master at both the UI and API layers (CLOUDSTACK-1941) . Now , if you think that we should support the same functionality in 4.1 as well , then myself and Alena can back-port our fixes to 4.1 from master.
I already cut an RC for 4.1.0. Do you think it makes sense to port it
over for 4.1.1 (or depending on when it makes it into the branch and how
the current RC voting goes, it could end up in 4.1.0)?
I wouldn't object, but I don't think we should re-spin an RC specifically for
it.
>
> Thanks,
> Pranav
>
> -----Original Message-----
> From: Alena Prokharchyk
> Sent: Tuesday, April 09, 2013 11:12 PM
> To: dev@cloudstack.apache.org
> Cc: Pranav Saxena
> Subject: Re: [DISCUSS] - Deletion of Users within the Admin account
>
> Chip,
>
> 1) "System" user is always identified by the cloud.user DB id=1 (hardcoded in User.java interface). This user is never exposed via API, you can't remove it - the checks are already in place for it.
>
> 2) For users of "admin" account, currently there is no direct way to tell if the user was added by the system, or using API call. We can't rely on name "admin" as it's not reserved name and renaming is also allowed.
>
> I think for upgrade we can rely on the cloud.user db id - expect it to be "system_user_db_id + 1" as we know that 2 users come with the default cloudStack install.
>
>
> -Alena.
>
>
>
> On 4/9/13 10:02 AM, "Chip Childers" <ch...@sungard.com> wrote:
>
> >On Tue, Apr 09, 2013 at 09:56:37AM -0700, Alena Prokharchyk wrote:
> >> We should allow to delete any CS users except for ones that came as a
> >>part of cloudStack installation ("system" and "admin" users). The
> >>users you've created using API, should be allowed to be removed no
> >>matter of their types.
> >
> >+1 to this in general terms. Not sure about requiring a change like
> >this for 4.1.0 though.
> >
> >>
> >> The right way to distinguish between system generated users, and
> >> users created using APIs would be introducing the flag in the cloud.users DB.
> >
> >Do you have any thoughts on how we would correctly identify these
> >account in existing installs?
> >
> >
>
>
>
RE: [DISCUSS] - Deletion of Users within the Admin account
Posted by Pranav Saxena <pr...@citrix.com>.
Hi Chip ,
This issue has been fixed in asf/master at both the UI and API layers (CLOUDSTACK-1941) . Now , if you think that we should support the same functionality in 4.1 as well , then myself and Alena can back-port our fixes to 4.1 from master.
Thanks,
Pranav
-----Original Message-----
From: Alena Prokharchyk
Sent: Tuesday, April 09, 2013 11:12 PM
To: dev@cloudstack.apache.org
Cc: Pranav Saxena
Subject: Re: [DISCUSS] - Deletion of Users within the Admin account
Chip,
1) "System" user is always identified by the cloud.user DB id=1 (hardcoded in User.java interface). This user is never exposed via API, you can't remove it - the checks are already in place for it.
2) For users of "admin" account, currently there is no direct way to tell if the user was added by the system, or using API call. We can't rely on name "admin" as it's not reserved name and renaming is also allowed.
I think for upgrade we can rely on the cloud.user db id - expect it to be "system_user_db_id + 1" as we know that 2 users come with the default cloudStack install.
-Alena.
On 4/9/13 10:02 AM, "Chip Childers" <ch...@sungard.com> wrote:
>On Tue, Apr 09, 2013 at 09:56:37AM -0700, Alena Prokharchyk wrote:
>> We should allow to delete any CS users except for ones that came as a
>>part of cloudStack installation ("system" and "admin" users). The
>>users you've created using API, should be allowed to be removed no
>>matter of their types.
>
>+1 to this in general terms. Not sure about requiring a change like
>this for 4.1.0 though.
>
>>
>> The right way to distinguish between system generated users, and
>> users created using APIs would be introducing the flag in the cloud.users DB.
>
>Do you have any thoughts on how we would correctly identify these
>account in existing installs?
>
>
RE: [DISCUSS] - Deletion of Users within the Admin account
Posted by Pranav Saxena <pr...@citrix.com>.
Hi Chip ,
This issue has been fixed in asf/master at both the UI and API layers (CLOUDSTACK-1941) . Now , if you think that we should support the same functionality in 4.1 as well , then myself and Alena can back-port our fixes to 4.1 from master.
Thanks,
Pranav
-----Original Message-----
From: Alena Prokharchyk
Sent: Tuesday, April 09, 2013 11:12 PM
To: dev@cloudstack.apache.org
Cc: Pranav Saxena
Subject: Re: [DISCUSS] - Deletion of Users within the Admin account
Chip,
1) "System" user is always identified by the cloud.user DB id=1 (hardcoded in User.java interface). This user is never exposed via API, you can't remove it - the checks are already in place for it.
2) For users of "admin" account, currently there is no direct way to tell if the user was added by the system, or using API call. We can't rely on name "admin" as it's not reserved name and renaming is also allowed.
I think for upgrade we can rely on the cloud.user db id - expect it to be "system_user_db_id + 1" as we know that 2 users come with the default cloudStack install.
-Alena.
On 4/9/13 10:02 AM, "Chip Childers" <ch...@sungard.com> wrote:
>On Tue, Apr 09, 2013 at 09:56:37AM -0700, Alena Prokharchyk wrote:
>> We should allow to delete any CS users except for ones that came as a
>>part of cloudStack installation ("system" and "admin" users). The
>>users you've created using API, should be allowed to be removed no
>>matter of their types.
>
>+1 to this in general terms. Not sure about requiring a change like
>this for 4.1.0 though.
>
>>
>> The right way to distinguish between system generated users, and
>> users created using APIs would be introducing the flag in the cloud.users DB.
>
>Do you have any thoughts on how we would correctly identify these
>account in existing installs?
>
>
Re: [DISCUSS] - Deletion of Users within the Admin account
Posted by Alena Prokharchyk <Al...@citrix.com>.
Chip,
1) "System" user is always identified by the cloud.user DB id=1 (hardcoded
in User.java interface). This user is never exposed via API, you can't
remove it - the checks are already in place for it.
2) For users of "admin" account, currently there is no direct way to tell
if the user was added by the system, or using API call. We can't rely on
name "admin" as it's not reserved name and renaming is also allowed.
I think for upgrade we can rely on the cloud.user db id - expect it to be
"system_user_db_id + 1" as we know that 2 users come with the default
cloudStack install.
-Alena.
On 4/9/13 10:02 AM, "Chip Childers" <ch...@sungard.com> wrote:
>On Tue, Apr 09, 2013 at 09:56:37AM -0700, Alena Prokharchyk wrote:
>> We should allow to delete any CS users except for ones that came as a
>>part
>> of cloudStack installation ("system" and "admin" users). The users
>>you've
>> created using API, should be allowed to be removed no matter of their
>> types.
>
>+1 to this in general terms. Not sure about requiring a change like
>this for 4.1.0 though.
>
>>
>> The right way to distinguish between system generated users, and users
>> created using APIs would be introducing the flag in the cloud.users DB.
>
>Do you have any thoughts on how we would correctly identify these
>account in existing installs?
>
>
Re: [DISCUSS] - Deletion of Users within the Admin account
Posted by Chip Childers <ch...@sungard.com>.
On Tue, Apr 09, 2013 at 09:56:37AM -0700, Alena Prokharchyk wrote:
> We should allow to delete any CS users except for ones that came as a part
> of cloudStack installation ("system" and "admin" users). The users you've
> created using API, should be allowed to be removed no matter of their
> types.
+1 to this in general terms. Not sure about requiring a change like
this for 4.1.0 though.
>
> The right way to distinguish between system generated users, and users
> created using APIs would be introducing the flag in the cloud.users DB.
Do you have any thoughts on how we would correctly identify these
account in existing installs?
Re: [DISCUSS] - Deletion of Users within the Admin account
Posted by Chip Childers <ch...@sungard.com>.
On Tue, Apr 09, 2013 at 06:51:34PM +0000, Pranav Saxena wrote:
> Definitely , we'll fix it in 4.2 timeframe but I would still suggest that we backport the changes which we'll be doing to 4.1 as well . There would be modifications at both the API and the UI layers .
Yeah, backport for a 4.1.x makes sense to me. I'm just trying to make a
call for this being a 4.1.0 blocker or not.
RE: [DISCUSS] - Deletion of Users within the Admin account
Posted by Pranav Saxena <pr...@citrix.com>.
Definitely , we'll fix it in 4.2 timeframe but I would still suggest that we backport the changes which we'll be doing to 4.1 as well . There would be modifications at both the API and the UI layers .
-----Original Message-----
From: Chip Childers [mailto:chip.childers@sungard.com]
Sent: Tuesday, April 09, 2013 11:09 PM
To: dev@cloudstack.apache.org
Cc: Alena Prokharchyk
Subject: Re: [DISCUSS] - Deletion of Users within the Admin account
On Tue, Apr 09, 2013 at 05:33:28PM +0000, Pranav Saxena wrote:
> More of a modification of an existing functionality . Probably a new feature in a sense by giving flexibility to the admin to delete users from the UI within the admin account.
Good clarification!
OK, so I'm going to move this to a fix-version of 4.2 (but we could consider releasing a fix within a 4.1.1 bug-fix release). If someone strongly disagrees, now's the time to shout.
Re: [DISCUSS] - Deletion of Users within the Admin account
Posted by Chip Childers <ch...@sungard.com>.
On Tue, Apr 09, 2013 at 05:33:28PM +0000, Pranav Saxena wrote:
> More of a modification of an existing functionality . Probably a new feature in a sense by giving flexibility to the admin to delete users from the UI within the admin account.
Good clarification!
OK, so I'm going to move this to a fix-version of 4.2 (but we could
consider releasing a fix within a 4.1.1 bug-fix release). If someone
strongly disagrees, now's the time to shout.
RE: [DISCUSS] - Deletion of Users within the Admin account
Posted by Pranav Saxena <pr...@citrix.com>.
More of a modification of an existing functionality . Probably a new feature in a sense by giving flexibility to the admin to delete users from the UI within the admin account.
-----Original Message-----
From: Chip Childers [mailto:chip.childers@sungard.com]
Sent: Tuesday, April 09, 2013 10:50 PM
To: dev@cloudstack.apache.org
Cc: Alena Prokharchyk
Subject: Re: [DISCUSS] - Deletion of Users within the Admin account
On Tue, Apr 09, 2013 at 05:12:58PM +0000, Pranav Saxena wrote:
> If you think that the admin should not have the flexibility to delete a user within the admin account from the UI ( one has to use the API's to do such tasks then) , we can go ahead without this change for 4.1 and incorporate this change for 4.2 .
>
I'm actually trying to understand if this is a *feature change*, regardless of whether we want it to behave this way or not. Make sense?
> Thanks,
> Pranav
>
> -----Original Message-----
> From: Chip Childers [mailto:chip.childers@sungard.com]
> Sent: Tuesday, April 09, 2013 10:34 PM
> To: dev@cloudstack.apache.org
> Cc: Alena Prokharchyk
> Subject: Re: [DISCUSS] - Deletion of Users within the Admin account
>
> On Tue, Apr 09, 2013 at 04:53:38PM +0000, Pranav Saxena wrote:
> > Is the current state of 4.1 and master a change in behaviour from 4.0.0?
> > [Pranav] - I didn't check 4.0 but the behavior in 4.1 and master seem to be exactly the same .
> >
> > If it isn't a change, I'd like to propose that we set the fix
> > version to
> > 4.2.0 at a minimum. Pending the outcome of this discussion thread, perhaps it will be closed with "won't fix", or perhaps it gets fixed.
> > [Pranav] - Since the bug was marked as Critical for 4.1 , we can fix it in both . It is definitely an API bug which needs to be fixed as admin account should not be allowed to be deleted . Moreover from the UI perspective , I need a condition to distinguish between the two types of users to showcase delete options on the UI accordingly.
> >
> >
> > If it *is* a change, can we implement a fix that restores past behaviour as a first step?
> > [Pranav] - I believe , it should be a "demanding" change if at all 4.0 is also having a similar behavior ( which I am not sure of right now) since conceptually and technically we should not be following the current behavior in any version .
>
> As far as 4.1.0 goes, I'd like to release without this change... unless we know that it behaved more appropriately in 4.0.0.
>
> Thoughts?
>
Re: [DISCUSS] - Deletion of Users within the Admin account
Posted by Chip Childers <ch...@sungard.com>.
On Tue, Apr 09, 2013 at 05:12:58PM +0000, Pranav Saxena wrote:
> If you think that the admin should not have the flexibility to delete a user within the admin account from the UI ( one has to use the API's to do such tasks then) , we can go ahead without this change for 4.1 and incorporate this change for 4.2 .
>
I'm actually trying to understand if this is a *feature change*,
regardless of whether we want it to behave this way or not. Make sense?
> Thanks,
> Pranav
>
> -----Original Message-----
> From: Chip Childers [mailto:chip.childers@sungard.com]
> Sent: Tuesday, April 09, 2013 10:34 PM
> To: dev@cloudstack.apache.org
> Cc: Alena Prokharchyk
> Subject: Re: [DISCUSS] - Deletion of Users within the Admin account
>
> On Tue, Apr 09, 2013 at 04:53:38PM +0000, Pranav Saxena wrote:
> > Is the current state of 4.1 and master a change in behaviour from 4.0.0?
> > [Pranav] - I didn't check 4.0 but the behavior in 4.1 and master seem to be exactly the same .
> >
> > If it isn't a change, I'd like to propose that we set the fix version
> > to
> > 4.2.0 at a minimum. Pending the outcome of this discussion thread, perhaps it will be closed with "won't fix", or perhaps it gets fixed.
> > [Pranav] - Since the bug was marked as Critical for 4.1 , we can fix it in both . It is definitely an API bug which needs to be fixed as admin account should not be allowed to be deleted . Moreover from the UI perspective , I need a condition to distinguish between the two types of users to showcase delete options on the UI accordingly.
> >
> >
> > If it *is* a change, can we implement a fix that restores past behaviour as a first step?
> > [Pranav] - I believe , it should be a "demanding" change if at all 4.0 is also having a similar behavior ( which I am not sure of right now) since conceptually and technically we should not be following the current behavior in any version .
>
> As far as 4.1.0 goes, I'd like to release without this change... unless we know that it behaved more appropriately in 4.0.0.
>
> Thoughts?
>
RE: [DISCUSS] - Deletion of Users within the Admin account
Posted by Pranav Saxena <pr...@citrix.com>.
If you think that the admin should not have the flexibility to delete a user within the admin account from the UI ( one has to use the API's to do such tasks then) , we can go ahead without this change for 4.1 and incorporate this change for 4.2 .
Thanks,
Pranav
-----Original Message-----
From: Chip Childers [mailto:chip.childers@sungard.com]
Sent: Tuesday, April 09, 2013 10:34 PM
To: dev@cloudstack.apache.org
Cc: Alena Prokharchyk
Subject: Re: [DISCUSS] - Deletion of Users within the Admin account
On Tue, Apr 09, 2013 at 04:53:38PM +0000, Pranav Saxena wrote:
> Is the current state of 4.1 and master a change in behaviour from 4.0.0?
> [Pranav] - I didn't check 4.0 but the behavior in 4.1 and master seem to be exactly the same .
>
> If it isn't a change, I'd like to propose that we set the fix version
> to
> 4.2.0 at a minimum. Pending the outcome of this discussion thread, perhaps it will be closed with "won't fix", or perhaps it gets fixed.
> [Pranav] - Since the bug was marked as Critical for 4.1 , we can fix it in both . It is definitely an API bug which needs to be fixed as admin account should not be allowed to be deleted . Moreover from the UI perspective , I need a condition to distinguish between the two types of users to showcase delete options on the UI accordingly.
>
>
> If it *is* a change, can we implement a fix that restores past behaviour as a first step?
> [Pranav] - I believe , it should be a "demanding" change if at all 4.0 is also having a similar behavior ( which I am not sure of right now) since conceptually and technically we should not be following the current behavior in any version .
As far as 4.1.0 goes, I'd like to release without this change... unless we know that it behaved more appropriately in 4.0.0.
Thoughts?
Re: [DISCUSS] - Deletion of Users within the Admin account
Posted by Chip Childers <ch...@sungard.com>.
On Tue, Apr 09, 2013 at 04:53:38PM +0000, Pranav Saxena wrote:
> Is the current state of 4.1 and master a change in behaviour from 4.0.0?
> [Pranav] - I didn't check 4.0 but the behavior in 4.1 and master seem to be exactly the same .
>
> If it isn't a change, I'd like to propose that we set the fix version to
> 4.2.0 at a minimum. Pending the outcome of this discussion thread, perhaps it will be closed with "won't fix", or perhaps it gets fixed.
> [Pranav] - Since the bug was marked as Critical for 4.1 , we can fix it in both . It is definitely an API bug which needs to be fixed as admin account should not be allowed to be deleted . Moreover from the UI perspective , I need a condition to distinguish between the two types of users to showcase delete options on the UI accordingly.
>
>
> If it *is* a change, can we implement a fix that restores past behaviour as a first step?
> [Pranav] - I believe , it should be a "demanding" change if at all 4.0 is also having a similar behavior ( which I am not sure of right now) since conceptually and technically we should not be following the current behavior in any version .
As far as 4.1.0 goes, I'd like to release without this change... unless
we know that it behaved more appropriately in 4.0.0.
Thoughts?
Re: [DISCUSS] - Deletion of Users within the Admin account
Posted by Alena Prokharchyk <Al...@citrix.com>.
We should allow to delete any CS users except for ones that came as a part
of cloudStack installation ("system" and "admin" users). The users you've
created using API, should be allowed to be removed no matter of their
types.
The right way to distinguish between system generated users, and users
created using APIs would be introducing the flag in the cloud.users DB.
-Alena.
On 4/9/13 9:53 AM, "Pranav Saxena" <pr...@citrix.com> wrote:
>
>
>-----Original Message-----
>From: Chip Childers [mailto:chip.childers@sungard.com]
>Sent: Tuesday, April 09, 2013 10:18 PM
>To: dev@cloudstack.apache.org
>Cc: Alena Prokharchyk
>Subject: Re: [DISCUSS] - Deletion of Users within the Admin account
>
>On Tue, Apr 09, 2013 at 04:31:41PM +0000, Pranav Saxena wrote:
>> HI,
>>
>> Do we allow deletion of users created by the admin within the admin
>>account ? Currently if we see the UI (4.1 /master) and create a User
>>within the admin account you won't be able to delete any user . Now when
>>you create a user , its account type is 1 , account is Admin and domain
>>is ROOT . With this in mind , how do you distinguish between the system
>>generated Admin user and a manual generated user .
>>
>> Also , the delete User API if invoked for the admin himself will
>>delete the admin account leading to a big problem , since the admin
>>won't be able to login to the UI as his credentials will be deleted from
>>the db. So first of all we should have a check at the API layer to
>>disallow such an action .
>>
>> Next , If I need to put a check at the UI layer to hide/show delete
>>options , what would be the right conditions needed to be checked to
>>distinguish between the system generated user and admin generated manual
>>users ?
>>
>> Thanks,
>> Pranav
>
>Is this discussion tied to CLOUDSTACK-1941?
>[Pranav] - yes , it is
>
>Is the current state of 4.1 and master a change in behaviour from 4.0.0?
>[Pranav] - I didn't check 4.0 but the behavior in 4.1 and master seem to
>be exactly the same .
>
>If it isn't a change, I'd like to propose that we set the fix version to
>4.2.0 at a minimum. Pending the outcome of this discussion thread,
>perhaps it will be closed with "won't fix", or perhaps it gets fixed.
>[Pranav] - Since the bug was marked as Critical for 4.1 , we can fix it
>in both . It is definitely an API bug which needs to be fixed as admin
>account should not be allowed to be deleted . Moreover from the UI
>perspective , I need a condition to distinguish between the two types of
>users to showcase delete options on the UI accordingly.
>
>
>If it *is* a change, can we implement a fix that restores past behaviour
>as a first step?
>[Pranav] - I believe , it should be a "demanding" change if at all 4.0 is
>also having a similar behavior ( which I am not sure of right now) since
>conceptually and technically we should not be following the current
>behavior in any version .
>
>-chip
>
RE: [DISCUSS] - Deletion of Users within the Admin account
Posted by Pranav Saxena <pr...@citrix.com>.
-----Original Message-----
From: Chip Childers [mailto:chip.childers@sungard.com]
Sent: Tuesday, April 09, 2013 10:18 PM
To: dev@cloudstack.apache.org
Cc: Alena Prokharchyk
Subject: Re: [DISCUSS] - Deletion of Users within the Admin account
On Tue, Apr 09, 2013 at 04:31:41PM +0000, Pranav Saxena wrote:
> HI,
>
> Do we allow deletion of users created by the admin within the admin account ? Currently if we see the UI (4.1 /master) and create a User within the admin account you won't be able to delete any user . Now when you create a user , its account type is 1 , account is Admin and domain is ROOT . With this in mind , how do you distinguish between the system generated Admin user and a manual generated user .
>
> Also , the delete User API if invoked for the admin himself will delete the admin account leading to a big problem , since the admin won't be able to login to the UI as his credentials will be deleted from the db. So first of all we should have a check at the API layer to disallow such an action .
>
> Next , If I need to put a check at the UI layer to hide/show delete options , what would be the right conditions needed to be checked to distinguish between the system generated user and admin generated manual users ?
>
> Thanks,
> Pranav
Is this discussion tied to CLOUDSTACK-1941?
[Pranav] - yes , it is
Is the current state of 4.1 and master a change in behaviour from 4.0.0?
[Pranav] - I didn't check 4.0 but the behavior in 4.1 and master seem to be exactly the same .
If it isn't a change, I'd like to propose that we set the fix version to
4.2.0 at a minimum. Pending the outcome of this discussion thread, perhaps it will be closed with "won't fix", or perhaps it gets fixed.
[Pranav] - Since the bug was marked as Critical for 4.1 , we can fix it in both . It is definitely an API bug which needs to be fixed as admin account should not be allowed to be deleted . Moreover from the UI perspective , I need a condition to distinguish between the two types of users to showcase delete options on the UI accordingly.
If it *is* a change, can we implement a fix that restores past behaviour as a first step?
[Pranav] - I believe , it should be a "demanding" change if at all 4.0 is also having a similar behavior ( which I am not sure of right now) since conceptually and technically we should not be following the current behavior in any version .
-chip
Re: [DISCUSS] - Deletion of Users within the Admin account
Posted by Chip Childers <ch...@sungard.com>.
On Tue, Apr 09, 2013 at 04:31:41PM +0000, Pranav Saxena wrote:
> HI,
>
> Do we allow deletion of users created by the admin within the admin account ? Currently if we see the UI (4.1 /master) and create a User within the admin account you won't be able to delete any user . Now when you create a user , its account type is 1 , account is Admin and domain is ROOT . With this in mind , how do you distinguish between the system generated Admin user and a manual generated user .
>
> Also , the delete User API if invoked for the admin himself will delete the admin account leading to a big problem , since the admin won't be able to login to the UI as his credentials will be deleted from the db. So first of all we should have a check at the API layer to disallow such an action .
>
> Next , If I need to put a check at the UI layer to hide/show delete options , what would be the right conditions needed to be checked to distinguish between the system generated user and admin generated manual users ?
>
> Thanks,
> Pranav
Is this discussion tied to CLOUDSTACK-1941?
Is the current state of 4.1 and master a change in behaviour from 4.0.0?
If it isn't a change, I'd like to propose that we set the fix version to
4.2.0 at a minimum. Pending the outcome of this discussion thread,
perhaps it will be closed with "won't fix", or perhaps it gets fixed.
If it *is* a change, can we implement a fix that restores past behaviour
as a first step?
-chip