Re: [one-users] How to protect a virtual network from being used by users?

2014-10-30 Thread Ruben S. Montero
Yes, the recommended approach is to update the ACLs to whatever fits your
use-case. Note that users may have access to the API, and nothing would
prevent them from managing the VNET objects, even if you disable the Sunstone
button.

Cheers


Re: [one-users] How to protect a virtual network from being used by users?

2014-10-28 Thread Pavel Tankov
That's exactly what I had done. The problem is that users are able to 
change the network when they instantiate the template. They can 
add/remove networks at will.


Pavel Tankov


Re: [one-users] How to protect a virtual network from being used by users?

2014-10-28 Thread Hamada, Ondrej
I see. Well, if the users are controlling the VMs only via Sunstone, you can 
disable the 'add nic' function for the 'user/cloud' view. But I suppose that 
replacing the default ACLs is the best option.

Re: [one-users] How to protect a virtual network from being used by users?

2014-10-27 Thread Pavel Tankov
I don't understand what it means to solve the network separation on the template 
level. Could you please clarify?


Pavel Tankov


Re: [one-users] How to protect a virtual network from being used by users?

2014-10-27 Thread Hamada, Ondrej
Hi Pavel,

Create two templates - the first one uses the public network and all users are 
allowed to instantiate this template. The second template uses the restricted 
network and is allowed to be used only by admins.

Ondra


[one-users] How to protect a virtual network from being used by users?

2014-10-24 Thread Pavel Tankov

Hello,

I (as oneadmin) have configured two virtual networks:
- one named default, for use by regular users to deploy disposable test VMs
- one named SPECIAL, for use by the admin to create servers that will 
not be disposable but will stay always ON

Both networks have different IP ranges so that you could easily tell 
whether it's a server or a disposable test VM by looking at its IP address.

I have set up OpenNebula with LDAP authentication. LDAP users 
authenticate just fine and are able to create VMs for themselves using those 
templates that the admin has allowed for them. Now, I'd like to make it so 
that only the default virtual network is exposed to regular users, and 
SPECIAL is not seen by them.

Currently, both networks have the following permissions:

- Owner: use, manage
- Group: none
- Other: none

Users still can use both of these when they deploy a test VM although the 
permissions clearly state they shouldn't be able to see any of them.

What is wrong with the permissions?

--
Pavel Tankov
___
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org


Re: [one-users] How to protect a virtual network from being used by users?

2014-10-24 Thread Pavel Tankov

Hello Ondra,

You are right, I just saw the ACLs. They are by default created like this:

$ oneacl list
   ID     USER RES_VHNIUTGDCOZ  RID OPE_UMAC  ZONE
    0       @1     V-NI-T---O-    *     ---c    #0
    1        *     ----------Z    *     u---     *
    2       @1     -H---------    *     -m--    #0
    3       @1     --N----D---    *     u---    #0

(or see the attached screen shot)

The group named users is denoted by @1. So, it looks like in the very 
first ACL (ID 0) the group @1 (users) is granted a CREATE permission 
on all Virtual Networks (Resource ID *). Which may be OK or not, it 
depends on what you want.

But then ACL (ID 3) grants the group @1 (users) the permission to use 
any Virtual Network (RID *). The ACLs have a permissive nature, so once 
granted I can't restrict it with a later rule. I could only re-write the 
default ACLs completely, which I am not quite willing to try.

The documentation says 
(http://docs.opennebula.org/4.8/administration/users_and_groups/manage_acl.html):

Please note: the ACL rules is an advanced mechanism. For most use cases, 
you should be able to rely on the built-in resource permissions and the 
ACL Rules created automatically when a group is created, and when a 
resource provider is added.

But it looks like *all* Virtual Networks are meant to be used by 
*anyone* by default and there is not much I can do about it with the 
normal means, namely with the resource permissions.

Is that so, indeed, or where am I wrong?

Pavel Tankov

On 10/24/2014 04:33 PM, Hamada, Ondrej wrote:

Hi Pavel,

Have you checked ACLs as well? I guess that one of the default ACLs grants all 
users the 'use' permission for all 'networks'.

Ondra


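The check below is an added example, not code from this thread or from OpenNebula: it parses `oneacl list` output like the table above, flags any rule that grants a group or everyone USE on every NET (the grant Pavel found in rule 3, and the server-side grant that, as Ruben notes, an API user can exercise whatever the Sunstone view hides), and prints the tightened rule strings that could replace it while keeping the rule's other grants. The sample table and the VNET id 0 standing in for the 'default' network are constructed values; the rule-string syntax is the one described in the linked 4.8 ACL documentation.

```python
"""Audit OpenNebula ACL rules for over-broad virtual-network grants.

Parses the text output of `oneacl list` and flags rules that let a group
or everyone USE every NET in a zone. A constructed sample of the 4.8
default rules is embedded so the script runs offline.
"""
from dataclasses import dataclass

# Column legend from the `oneacl list` header: RES_VHNIUTGDCOZ / OPE_UMAC.
RESOURCE_LETTERS = {
    "V": "VM", "H": "HOST", "N": "NET", "I": "IMAGE", "U": "USER",
    "T": "TEMPLATE", "G": "GROUP", "D": "DATASTORE", "C": "CLUSTER",
    "O": "DOCUMENT", "Z": "ZONE",
}
RIGHT_LETTERS = {"u": "USE", "m": "MANAGE", "a": "ADMIN", "c": "CREATE"}

# Constructed sample: the default rules quoted in the thread, with the
# column dashes restored so each resource field is 11 characters wide.
SAMPLE_ONEACL_LIST = """\
   ID     USER RES_VHNIUTGDCOZ  RID OPE_UMAC  ZONE
    0       @1     V-NI-T---O-    *     ---c    #0
    1        *     ----------Z    *     u---     *
    2       @1     -H---------    *     -m--    #0
    3       @1     --N----D---    *     u---    #0
"""


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    user: str            # "#uid", "@gid" or "*"
    resources: frozenset  # resource names, e.g. {"NET", "DATASTORE"}
    rid: str             # "*", "#id", "@gid" or "%cid"
    rights: frozenset    # e.g. {"USE"}
    zone: str            # "#zid" or "*"


def parse_oneacl_list(text):
    """Turn `oneacl list` output into AclRule objects (header line skipped)."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].isdigit():
            continue
        rule_id, user, res, rid, ops, zone = fields
        if len(res) != len("VHNIUTGDCOZ") or len(ops) != len("UMAC"):
            raise ValueError(f"unexpected column width in rule {rule_id}: {line!r}")
        resources = frozenset(RESOURCE_LETTERS[ch] for ch in res if ch != "-")
        rights = frozenset(RIGHT_LETTERS[ch] for ch in ops if ch != "-")
        rules.append(AclRule(int(rule_id), user, resources, rid, rights, zone))
    return rules


def broad_net_use_rules(rules):
    """Rules granting USE on every NET (RID '*') to a group or to everyone.

    Per-VNET owner/group/other permissions cannot undo such a rule: ACL
    rules are additive, so any matching rule authorises the request.
    """
    return [
        r for r in rules
        if "NET" in r.resources and r.rid == "*" and "USE" in r.rights
        and not r.user.startswith("#")   # "#uid" rules target a single user
    ]


def replacement_rules(rule, allowed_vnet_ids):
    """oneacl create strings that keep the rule's non-NET grants (same user,
    rights and zone) and restrict NET USE to the listed VNET ids.

    Rule-string syntax: "<user> <RES>[+RES]/<rid> <RIGHT>[+RIGHT] [<zone>]".
    """
    rights = "+".join(sorted(rule.rights))
    zone = "" if rule.zone == "*" else f" {rule.zone}"
    keep = sorted(rule.resources - {"NET"})
    out = []
    if keep:
        out.append(f'{rule.user} {"+".join(keep)}/{rule.rid} {rights}{zone}')
    for vnet_id in allowed_vnet_ids:
        out.append(f"{rule.user} NET/#{vnet_id} {rights}{zone}")
    return out


if __name__ == "__main__":
    for r in broad_net_use_rules(parse_oneacl_list(SAMPLE_ONEACL_LIST)):
        print(f"rule {r.rule_id}: {r.user} may USE any NET in zone {r.zone}")
        print("  oneacl delete", r.rule_id)
        # VNET id 0 stands in for the 'default' network (constructed value).
        for s in replacement_rules(r, [0]):
            print(f'  oneacl create "{s}"')
```

Run it against the real `oneacl list` output of a front-end to see which default rule needs replacing; note that dropping rule 3 outright would also remove the group's datastore USE grant, which the replacement keeps.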

Re: [one-users] How to protect a virtual network from being used by users?

2014-10-24 Thread Hamada, Ondrej
Hi Pavel,

Well, I suppose it is the default. I was also struggling with it and finally I 
had to replace the default ACLs with more strict ones.

You can try to solve the network separation on template level if you don't want 
to play with ACLs.

Ondra



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you for understanding.