Rohit,

If I understood you correctly, the user_id column is only used for listing resources to indicate which user is the real owner/creator of the resource, but you don't want to change the CloudStack account-level permission model to a user-level permission model, right? If so, the change will be smaller, maybe some Response classes, which should not involve too many business layer changes. I will hesitate to really change the CloudStack IAM model though.

Thanks
-min

On 11/14/14 10:35 AM, "Rohit Yadav" <rohit.ya...@shapeblue.com> wrote:

>Hi Min,
>
>Good to know. What do you propose we do moving forward? Do a refactoring
>run to fix it or leave it as it is and perhaps add user_id columns to a few
>resources that are more useful for sysadmins such as vm_instance table.
>
>> On 14-Nov-2014, at 11:49 pm, Min Chen <min.c...@citrix.com> wrote:
>>
>> Rohit,
>>
>> I think that the historic reason for this is that CloudStack is only
>> doing IAM access permission check on account level, user is only login
>> authentication purpose. That is why we will see that all our CloudStack
>> resource owner field is an account, since that is the only information
>> used for controlling whether you have some permissions to the resource.
>>
>> Thanks
>> -min
>>
>> On 11/14/14 12:53 AM, "Rohit Yadav" <rohit.ya...@shapeblue.com> wrote:
>>
>>> Hi,
>>>
>>> All CloudStack DB entities (VM, storage, network etc.) have an owner
>>> field which is mostly the account. An account can have multiple users
>>> so just by looking at the resource (say VM) it's not possible to make
>>> out which user in the account (owner or account_id field in the db row
>>> of the entity) created it. CloudStack users may want to know this
>>> information for at least entities such as VMs and Volumes.
>>>
>>> Historically, why is the account owner of an entity and not a user? If
>>> user were the owner, we could easily get the account Id using the user
>>> Id.
>>>
>>> One solution to fix this problem is to refactor and replace Account
>>> (interface) usage with UserAccount (interface) usage, fix the DAO and
>>> resource layer, and add columns in the schema. This gets us all the
>>> information we need to determine domainId, AccountId and Id (the user
>>> ID). Should we do it for all entities or just keep status quo (use
>>> account as owners), or just fix it on-demand basis for specific
>>> entities such as for user VMs [1].
>>>
>>> [1] https://issues.apache.org/jira/browse/CLOUDSTACK-7908
>>>
>>> Regards,
>>> Rohit Yadav
>>> Software Architect, ShapeBlue
>>> M. +91 88 262 30892 | rohit.ya...@shapeblue.com
>>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>
>Regards,
>Rohit Yadav
>Software Architect, ShapeBlue
>M. +91 88 262 30892 | rohit.ya...@shapeblue.com
>Blog: bhaisaab.org | Twitter: @_bhaisaab