Posted to users@cloudstack.apache.org by sx chen <cl...@gmail.com> on 2012/09/18 09:27:45 UTC

How to make Domain Admin having the right adding account?

Hi all,
     I'm a CloudStack API developer. I want to know how to give the Domain Admin
the right to add accounts.
We know that only the root user has the right to execute the createAccount API, so
what should I do?

RE: How to make Domain Admin having the right adding account?

Posted by Nitin Mehta <Ni...@citrix.com>.
Answers inline

-----Original Message-----
From: sx chen [mailto:cloudchen0620@gmail.com] 
Sent: Tuesday, September 18, 2012 8:28 PM
To: cloudstack-dev@incubator.apache.org
Subject: Re: How to make Domain Admin having the right adding account?

"You then might have to go into CreateAccountCmd implementation and check if there is some ACL for restricting domain admin in using this api as well."

    public void execute(){
        UserContext.current().setEventDetails("Account Name: "+getAccountName()+", Domain Id:"+getDomainId());
        UserAccount userAccount = _accountService.createUserAccount(getUsername(), getPassword(),
                getFirstName(), getLastName(), getEmail(), getTimeZone(), getAccountName(),
                getAccountType(), getDomainId(), getNetworkDomain(), getDetails());
        if (userAccount != null) {
            AccountResponse response = _responseGenerator.createUserAccountResponse(userAccount);
            response.setResponseName(getCommandName());
            this.setResponseObject(response);
        } else {
            throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to create a user account");
        }
    }

I don't see any acl for restricting domain admin in using this api.
I will modify commands.properties.in and test it later.

Nitin>> This is the starting point of the code. You need to go through the code flow (specifically in the function _accountService.createUserAccount(...) )

"domain admin to execute this api (change 3 to 7)."
And what do 3 and 7 stand for?

Nitin>> It's a bitmap of permissions (look at the top of the file for documentation). 1 = ADMIN, 2 = RESOURCE_DOMAIN_ADMIN, 4 = DOMAIN_ADMIN, 8 = USER. So 3 means only admin and resource domain admin are allowed to use the API, 7 means admin, resource domain admin and domain admin, and 15 means all can invoke the API.

"I think there was discussion/work planned to make ACL more fine grained in the future releases as well"
You mean CloudStack will have a UI to set the ACL for user and admin?
My use case is quite simple: the admin customizes some templates and service offerings, the user can create a VM from these templates and service offerings, the user has to apply for a disk, and the admin creates the disk and attaches it for the user.
Thanks a lot.

Nitin>> Yes. Why do you want to restrict the user creating a disk for himself and attaching it to his vm?
 http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201208.mbox/%3CCADwPi+GP7DzR8yPW-gNkDoYNjiGdw6QK0JXBWpYB9Z4B6zSYoA@mail.gmail.com%3E 

2012/9/18 Nitin Mehta <Ni...@citrix.com>

> I am not sure if there is any documentation around for this but I 
> think you will need to proceed in a similar fashion as I suggested for 
> createAccount api.
> Or you can use another account type RESOURCE_DOMAIN_ADMIN which has 
> permissions to do this. More info @ 
> http://confluence.cloudstack.org/display/gen/Resource+Domain+Admin
>
> Also, FYI I think there was discussion/work planned to make ACL more 
> fine grained in the future releases as well, but I suggest you to 
> state your use case so that it could be kept in mind while designing it.
>
> Thanks,
> -Nitin
>
> -----Original Message-----
> From: sx chen [mailto:cloudchen0620@gmail.com]
> Sent: Tuesday, September 18, 2012 2:56 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: How to make Domain Admin having the right adding account?
>
> Certainly I want to authorize domain admin to use the APIs
> createAccount, deleteAccount, updateAccount, createUser, deleteUser
> and updateUser within its domain as well. I also want to prevent the
> user from attaching storage and let the domain admin do this.
>
> So, is there a document about this? Or any suggestion?
>
>
>
> 2012/9/18 Nitin Mehta <Ni...@citrix.com>
>
> > Change the bitmap in the file commands.properties.in to 7 to allow 
> > domain admin to execute this api (change 3 to 7).
> > createAccount=com.cloud.api.commands.CreateAccountCmd;3
> >
> > You then might have to go into CreateAccountCmd implementation and 
> > check if there is some ACL for restricting domain admin in using 
> > this api as well.
> >
> > But, do you want to authorize domain admin only to use this api or 
> > other account/user apis like deleteAccount, updateAccount, 
> > createUser, deleteUser and updateUser as well ?
> >
> > Thanks,
> > -Nitin
> >
> > -----Original Message-----
> > From: sx chen [mailto:cloudchen0620@gmail.com]
> > Sent: Tuesday, September 18, 2012 12:58 PM
> > To: cloudstack-users@incubator.apache.org
> > Subject: How to make Domain Admin having the right adding account?
> >
> > Hi all,
> >      I'm a CloudStack API developer. I want to know how to give the
> > Domain Admin the right to add accounts.
> > We know that only the root user has the right to execute the createAccount
> > API, so what should I do?
> >
>
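
Added example (not part of the original messages and not CloudStack code): a small audit script for the permission bitmap described in the reply above. It decodes the `name=class;mask` entries of commands.properties.in using the role bits given in the thread and reports which roles an API gains between two versions of the file. The `exampleListCmd` entry and all function names are constructed for illustration.

```python
import re

# Role bits as stated in the thread (documented at the top of commands.properties.in).
ROLE_BITS = {1: "ADMIN", 2: "RESOURCE_DOMAIN_ADMIN", 4: "DOMAIN_ADMIN", 8: "USER"}
ENTRY = re.compile(r"^\s*(\w+)\s*=\s*([\w.$]+)\s*;\s*(\d+)\s*$")

def decode_mask(mask):
    """Return the role names whose bit is set in mask."""
    if not 0 <= mask <= 15:
        raise ValueError(f"mask {mask} has bits outside the four known roles")
    return [name for bit, name in sorted(ROLE_BITS.items()) if mask & bit]

def parse_commands(text):
    """Map API name -> (command class, mask); skips blank lines and # comments."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not 'name=class;mask': {line!r}")
        entries[m.group(1)] = (m.group(2), int(m.group(3)))
    return entries

def newly_granted(before, after):
    """Roles each API gains between two versions of the file."""
    gained = {}
    for api, (_, new_mask) in after.items():
        old_mask = before.get(api, (None, 0))[1]
        added = new_mask & ~old_mask  # bits set now that were clear before
        if added:
            gained[api] = decode_mask(added)
    return gained

# Constructed sample input: createAccount is the line quoted in the thread,
# exampleListCmd is a made-up entry.
BEFORE = """\
# constructed sample
createAccount=com.cloud.api.commands.CreateAccountCmd;3
exampleListCmd=com.example.ExampleListCmd;15
"""
AFTER = BEFORE.replace("CreateAccountCmd;3", "CreateAccountCmd;7")

if __name__ == "__main__":
    print(decode_mask(3), "->", decode_mask(7))
    print(newly_granted(parse_commands(BEFORE), parse_commands(AFTER)))
```

The mask is only the first gate: as the reply notes, the code path behind `_accountService.createUserAccount(...)` still has to be reviewed for its own checks before widening a mask.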

Re: How to make Domain Admin having the right adding account?

Posted by sx chen <cl...@gmail.com>.
"You then might have to go into CreateAccountCmd implementation and check
if there is some ACL for restricting domain admin in using this api as
well."

    public void execute(){
        UserContext.current().setEventDetails("Account Name: "+getAccountName()+", Domain Id:"+getDomainId());
        UserAccount userAccount = _accountService.createUserAccount(getUsername(), getPassword(),
                getFirstName(), getLastName(), getEmail(), getTimeZone(), getAccountName(),
                getAccountType(), getDomainId(), getNetworkDomain(), getDetails());
        if (userAccount != null) {
            AccountResponse response = _responseGenerator.createUserAccountResponse(userAccount);
            response.setResponseName(getCommandName());
            this.setResponseObject(response);
        } else {
            throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to create a user account");
        }
    }

I don't see any acl for restricting domain admin in using this api.
I will modify commands.properties.in and test it later.

"domain admin to execute this api (change 3 to 7)."
And what do 3 and 7 stand for?

"I think there was discussion/work planned to make ACL more fine grained in
the future releases as well"
You mean CloudStack will have a UI to set the ACL for user and admin?
My use case is quite simple: the admin customizes some templates and
service offerings, the user can create a VM from these templates and service
offerings, the user has to apply for a disk, and the admin creates the disk
and attaches it for the user.
Thanks a lot.


2012/9/18 Nitin Mehta <Ni...@citrix.com>

> I am not sure if there is any documentation around for this but I think
> you will need to proceed in a similar fashion as I suggested for
> createAccount api.
> Or you can use another account type RESOURCE_DOMAIN_ADMIN which has
> permissions to do this. More info @
> http://confluence.cloudstack.org/display/gen/Resource+Domain+Admin
>
> Also, FYI I think there was discussion/work planned to make ACL more fine
> grained in the future releases as well, but I suggest you to state your use
> case so that it could be kept in mind while designing it.
>
> Thanks,
> -Nitin
>
> -----Original Message-----
> From: sx chen [mailto:cloudchen0620@gmail.com]
> Sent: Tuesday, September 18, 2012 2:56 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: How to make Domain Admin having the right adding account?
>
> Certainly I want to authorize domain admin to use the APIs createAccount,
> deleteAccount, updateAccount, createUser, deleteUser and updateUser within
> its domain as well. I also want to prevent the user from attaching storage
> and let the domain admin do this.
>
> So, is there a document about this? Or any suggestion?
>
>
>
> 2012/9/18 Nitin Mehta <Ni...@citrix.com>
>
> > Change the bitmap in the file commands.properties.in to 7 to allow
> > domain admin to execute this api (change 3 to 7).
> > createAccount=com.cloud.api.commands.CreateAccountCmd;3
> >
> > You then might have to go into CreateAccountCmd implementation and
> > check if there is some ACL for restricting domain admin in using this
> > api as well.
> >
> > But, do you want to authorize domain admin only to use this api or
> > other account/user apis like deleteAccount, updateAccount, createUser,
> > deleteUser and updateUser as well ?
> >
> > Thanks,
> > -Nitin
> >
> > -----Original Message-----
> > From: sx chen [mailto:cloudchen0620@gmail.com]
> > Sent: Tuesday, September 18, 2012 12:58 PM
> > To: cloudstack-users@incubator.apache.org
> > Subject: How to make Domain Admin having the right adding account?
> >
> > Hi all,
> >      I'm a CloudStack API developer. I want to know how to give the
> > Domain Admin the right to add accounts.
> > We know that only the root user has the right to execute the createAccount
> > API, so what should I do?
> >
>

RE: How to make Domain Admin having the right adding account?

Posted by Nitin Mehta <Ni...@citrix.com>.
I am not sure if there is any documentation around for this but I think you will need to proceed in a similar fashion as I suggested for createAccount api. 
Or you can use another account type RESOURCE_DOMAIN_ADMIN which has permissions to do this. More info @ http://confluence.cloudstack.org/display/gen/Resource+Domain+Admin 

Also, FYI I think there was discussion/work planned to make ACL more fine grained in the future releases as well, but I suggest you to state your use case so that it could be kept in mind while designing it.

Thanks,
-Nitin

-----Original Message-----
From: sx chen [mailto:cloudchen0620@gmail.com] 
Sent: Tuesday, September 18, 2012 2:56 PM
To: cloudstack-dev@incubator.apache.org
Subject: Re: How to make Domain Admin having the right adding account?

Certainly I want to authorize domain admin to use the APIs createAccount, deleteAccount, updateAccount, createUser, deleteUser and updateUser within its domain as well. I also want to prevent the user from attaching storage and let the domain admin do this.

So, is there a document about this? Or any suggestion?



2012/9/18 Nitin Mehta <Ni...@citrix.com>

> Change the bitmap in the file commands.properties.in to 7 to allow 
> domain admin to execute this api (change 3 to 7).
> createAccount=com.cloud.api.commands.CreateAccountCmd;3
>
> You then might have to go into CreateAccountCmd implementation and 
> check if there is some ACL for restricting domain admin in using this api as well.
>
> But, do you want to authorize domain admin only to use this api or 
> other account/user apis like deleteAccount, updateAccount, createUser, 
> deleteUser and updateUser as well ?
>
> Thanks,
> -Nitin
>
> -----Original Message-----
> From: sx chen [mailto:cloudchen0620@gmail.com]
> Sent: Tuesday, September 18, 2012 12:58 PM
> To: cloudstack-users@incubator.apache.org
> Subject: How to make Domain Admin having the right adding account?
>
> Hi all,
>      I'm a CloudStack API developer. I want to know how to give the
> Domain Admin the right to add accounts.
> We know that only the root user has the right to execute the createAccount
> API, so what should I do?
>

Re: How to make Domain Admin having the right adding account?

Posted by sx chen <cl...@gmail.com>.
Certainly I want to authorize domain admin to use the APIs createAccount,
deleteAccount, updateAccount, createUser, deleteUser and updateUser within
its domain as well. I also want to prevent the user from attaching storage
and let the domain admin do this.

So, is there a document about this? Or any suggestion?



2012/9/18 Nitin Mehta <Ni...@citrix.com>

> Change the bitmap in the file commands.properties.in to 7 to allow domain
> admin to execute this api (change 3 to 7).
> createAccount=com.cloud.api.commands.CreateAccountCmd;3
>
> You then might have to go into CreateAccountCmd implementation and check
> if there is some ACL for restricting domain admin in using this api as well.
>
> But, do you want to authorize domain admin only to use this api or other
> account/user apis like deleteAccount, updateAccount, createUser, deleteUser
> and updateUser as well ?
>
> Thanks,
> -Nitin
>
> -----Original Message-----
> From: sx chen [mailto:cloudchen0620@gmail.com]
> Sent: Tuesday, September 18, 2012 12:58 PM
> To: cloudstack-users@incubator.apache.org
> Subject: How to make Domain Admin having the right adding account?
>
> Hi all,
>      I'm a CloudStack API developer. I want to know how to give the
> Domain Admin the right to add accounts.
> We know that only the root user has the right to execute the createAccount
> API, so what should I do?
>

RE: How to make Domain Admin having the right adding account?

Posted by Nitin Mehta <Ni...@citrix.com>.
Change the bitmap in the file commands.properties.in to 7 to allow domain admin to execute this api (change 3 to 7).
createAccount=com.cloud.api.commands.CreateAccountCmd;3

You then might have to go into CreateAccountCmd implementation and check if there is some ACL for restricting domain admin in using this api as well.

But, do you want to authorize domain admin only to use this api or other account/user apis like deleteAccount, updateAccount, createUser, deleteUser and updateUser as well ?

Thanks,
-Nitin

-----Original Message-----
From: sx chen [mailto:cloudchen0620@gmail.com] 
Sent: Tuesday, September 18, 2012 12:58 PM
To: cloudstack-users@incubator.apache.org
Subject: How to make Domain Admin having the right adding account?

Hi all,
     I'm a CloudStack API developer. I want to know how to give the Domain Admin the right to add accounts.
We know that only the root user has the right to execute the createAccount API, so what should I do?
