On 15/03/12 07:25, Itamar Heim wrote:
> On 03/14/2012 02:20 AM, Moti Asayag wrote:
>> Hi all,
>>
>> Disk Permissions feature description Wiki page:
>> http://www.ovirt.org/wiki/Features/DiskPermissions
>>
>> Please share your comments.
>
> I think you are lacking a paragraph explaining some of the issues around
> this:
> - are disks part of storage domains or VMs wrt permissions inheritance?
> - what about direct luns (are not part of storage domains)?
> - what about shared disks (multiple inheritance if from VM)?
> - what if tomorrow we allow disks to span multiple storage domains?
> - quotas are already a concept of permissions to create disks at
> storage domain level, does user need both (cumbersome)
> - when must we have this (to filter shared, floating or direct lun
> disks we would show to power users when not attached to VMs) - or these
> won't be available for now via the power user portal, only via admin.
>
> 1. "Create disk - requires permissions on the Storage Domain, (can't
> assume Quota is sufficient to permit user creating the disk on the
> Storage Domain, as Quota might be disabled)"
>
> I'd also specify create disk for regular disks is at storage domain
> level?, while direct lun disks require system level permission of add disk.
>
> so, if quota is disabled, how important is it to prevent creation of
> disks (other than direct lun ones, which would require a permission
> similar to storage domain creation)?
>
> if this is added, it has to be implicitly added / not needed if user has
> quota (i.e., having a quota should be similar to having a permission as
> far as the check goes).
>
We should look into it: how complicated is it to validate if the user has
either quota or permission, and allow creating a disk on a SD if either
exists.

> 2. "Attach disk to VM - requires permissions on the Disk and on the VM
> (applies for shared disk as well). "
>
> which permission at disk is required? (disk access?)
>

The user should have attach_disk permission on the disk and on the VM
(same action on two objects).

> 3. "Detach disk from VM - requires permissions on the VM only. (Unlike
> attach disk that requires permissions on the VM and on the Disk). "
>
> will detaching a disk copy the permission it so far inherited from the VM?
>

No, inheritance is never translated into explicit permission on the
objects in the hierarchy.

> 4. UI changes
> an edit permissions button from VM disks subtab seems appropriate (will
> open a dialog I guess)

I think we need a permissions subtab in the floating disk main tab.
I'll ask Einav to add the UI part as well to the wiki.
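
The checks discussed in points 1-3 above, as an added example that is not part of the original message and not oVirt engine code. Only attach_disk is a name from the thread; the Engine class, the create_disk action and the sample users and objects are hypothetical. It assumes a disk inherits from the VMs it is attached to and that detach is checked with the same action name on the VM.

```python
from dataclasses import dataclass, field

@dataclass
class Engine:
    grants: set = field(default_factory=set)      # explicit (user, action, object)
    quotas: set = field(default_factory=set)      # (user, storage_domain)
    attached: dict = field(default_factory=dict)  # disk -> set of VMs (shared disks)

    def has_perm(self, user, action, obj):
        if (user, action, obj) in self.grants:    # explicit grant on the object
            return True
        # Assumption: a disk inherits from each VM it is currently attached to.
        return any((user, action, vm) in self.grants
                   for vm in self.attached.get(obj, ()))

    def can_create_disk(self, user, sd):
        # Point 1: a quota or a storage-domain permission is enough.
        return (user, sd) in self.quotas or self.has_perm(user, "create_disk", sd)

    def attach(self, user, disk, vm):
        # Point 2: attach_disk is required on both the disk and the VM.
        if not (self.has_perm(user, "attach_disk", disk)
                and self.has_perm(user, "attach_disk", vm)):
            raise PermissionError(f"{user} may not attach {disk} to {vm}")
        self.attached.setdefault(disk, set()).add(vm)

    def detach(self, user, disk, vm):
        # Point 3: VM only (action name assumed); inherited grants are not copied.
        if not self.has_perm(user, "attach_disk", vm):
            raise PermissionError(f"{user} may not detach from {vm}")
        self.attached.get(disk, set()).discard(vm)

def scenario():
    e = Engine()  # constructed sample data
    e.grants |= {("admin", "attach_disk", "disk1"), ("admin", "attach_disk", "vm1"),
                 ("bob", "attach_disk", "vm1")}
    e.quotas.add(("bob", "sd1"))
    e.attach("admin", "disk1", "vm1")
    while_attached = e.has_perm("bob", "attach_disk", "disk1")
    e.detach("bob", "disk1", "vm1")
    after_detach = e.has_perm("bob", "attach_disk", "disk1")
    try:
        e.attach("bob", "disk1", "vm1")
        reattached = True
    except PermissionError:
        reattached = False
    return (while_attached, after_detach, reattached,
            e.can_create_disk("bob", "sd1"), e.can_create_disk("bob", "sd2"))
```

In this model a user with rights on the VM only can detach a disk but cannot attach it again, because nothing inherited stays on the floating disk.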