On 02/26/2012 03:04 PM, Itamar Heim wrote:
> On 02/26/2012 02:38 PM, Yair Zaslavsky wrote:
>> On 02/26/2012 02:05 PM, Itamar Heim wrote:
>>> On 02/14/2012 10:06 AM, Yair Zaslavsky wrote:
>>>> Hi all,
>>>> I modified the Wiki pages of this feature:
>>>>
>>>> http://www.ovirt.org/wiki/Features/CloneVmFromSnapshot
>>>>
>>>> http://www.ovirt.org/wiki/Features/DetailedCloneVmFromSnapshot
>>>>
>>>> Comments are more than welcome
>>>
>>> 1. "Shared disks and direct LUN disks behavior - For shared disks and
>>> direct LUN based disks, the user who performs the snapshot will specify
>>> during snapshot creation whether the disk should be plugged or unplugged
>>> upon performing the clone."
>>>
>>> direct lun - if it is not already in shared mode, cannot be used by more
>>> than one VM, hence should not be cloned, unless already flagged as
>>> shared.
>> Understood. What should be the behavior if shared flag is set to false?
>
> warning to audit log that the disk isn't part of the clone.
>
>>
>>>
>>> 2. it sounds like there should be some general code shared for import vm
>>> and clone vm for handling items which can't be duplicate by default
>>> (say, mac addresses).
>> True, I will revisit this. Aren't we facing actually this issue also in
>> creating a VM from template?
>
> I assume it already has such logic. I'm suggesting to check how
> redundant it is across the various commands (if it is), before creating
> another care.

Just checked, and you're correct. We do have such logic at AddVmCommand
(adding network of new VM part).

>
>>>
>>> 3. MLA - are you cloning the permissions on the VM as well, or only
>>> creating an owner permission on the new entity?
>>>
>>> 4. MLA - what permission does one need to have on source VM/snapshot to
>>> clone it?
>>> if a non-owner can clone a VM/snapshot, and become owner of the new
>>> entity, need to make sure no privilege escalation flows exist.
>>> is the intent to share the code of clone VM with AddVm (which is what
>>> clone is), with a task to clone the disks rather than create them
>>> (otherwise you need to duplicate the code for quota and permission
>>> handling?)
>> If I understand you correctly - Cloning images commands
>> (AddVmFromTemplate, cloning vm from snapshot, etc..) will invoke a
>> CopyImage internal command.
>
> iiuc, internal commands don't perform permission checks?

Correct, they do not.

_______________________________________________
Engine-devel mailing list
Engine-devel@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-devel
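
The concern raised in items 3 and 4 of the thread above, as an added example that is not part of the original messages and is not oVirt engine code: because the internal copy command performs no permission check, the user-facing clone command has to authorize the caller on the source VM before delegating. All names here (Vm, clone_vm, the CLONE_VM action, the sample users) are hypothetical and the sample data is constructed.

```python
# Simplified model with hypothetical names (not oVirt engine code)
# of the privilege-escalation concern in items 3-4 of the thread.
from dataclasses import dataclass, field

class PermissionDenied(Exception):
    """Raised when the caller is not authorized on the source VM."""

@dataclass
class Vm:
    name: str
    disks: list
    permissions: dict = field(default_factory=dict)  # user -> set of actions

def copy_image_internal(disk):
    """Internal command: trusted by design, performs no permission check."""
    return f"copy-of-{disk}"

def clone_vm_unchecked(user, source, new_name):
    """Escalation path: any caller ends up owner of a copy of the source."""
    disks = [copy_image_internal(d) for d in source.disks]
    return Vm(new_name, disks, {user: {"OWNER"}})

def clone_vm(user, source, new_name, required="CLONE_VM"):
    """Authorize on the source first, then delegate to the internal command."""
    granted = source.permissions.get(user, set())
    if required not in granted and "OWNER" not in granted:
        raise PermissionDenied(f"{user} lacks {required} on {source.name}")
    disks = [copy_image_internal(d) for d in source.disks]
    # Only an owner permission is created on the new entity; the source VM's
    # other permissions are not copied (one of the two options in item 3).
    return Vm(new_name, disks, {user: {"OWNER"}})

def demo():
    # Constructed sample data: alice owns the VM, bob may only view it.
    src = Vm("db01", ["disk1", "disk2"], {"alice": {"OWNER"}, "bob": {"VIEW"}})
    leaked = clone_vm_unchecked("bob", src, "db01-copy")
    try:
        clone_vm("bob", src, "db01-copy")
        blocked = False
    except PermissionDenied:
        blocked = True
    ok = clone_vm("alice", src, "db01-clone")
    return leaked.permissions, blocked, ok.permissions, ok.disks

if __name__ == "__main__":
    print(demo())
```
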