Re: [ovirt-users] Users seeing all vm's
On 06/06/2014 05:52 AM, Artur Sarkisyan wrote:
> Thanks for the reply, I have an IPA server for authentication. I am trying some scenarios, but I would like to set up pools of vm's for users, actually one pool for one user.

why one pool for one user? a pool allows you to give multiple users access to it, and, specify how many VMs each user can get from the pool.

> Kind regards,
> Artur
>
> On Thu, Jun 5, 2014 at 8:30 PM, Jeff Clay jeffc...@gmail.com wrote:
>> Yes, I have resolved this issue. It was due to my lack of understanding in how oVirt expected things to be configured and set up. Are you using Active Directory for authentication and setting up pools of vm's for users to access?
>>
>> On Thu, Jun 5, 2014 at 1:10 PM, Artur Sarkisyan s.ar...@gmail.com wrote:
>>> Hi Jeff, I would like to know if you have resolved this issue? At this moment I'm building a poc and I have the same problem like yours: All users can see all vm's. Do you have some suggestions for me? Thanks in advance.
>>> Kind regards,
>>> Artur
>>>
>>> On Tue, May 6, 2014 at 10:32 PM, Jeff Clay jeffc...@gmail.com wrote:
>>>> For some reason, when logged in as a user with a modified copy role of UserRole (only has login permission and VM - Basic Operations - Remote Log In permission) the user can see all of the VM's and has the ability to open a console, start, shut down or suspend any of the VM's. I have verified that all of the VM's only show the SuperUser role in their permissions. I went through all of the roles and verified that the user is only a member of the Copy_of_UserRole. The only thing I can think of is that the user is inheriting permissions from something, but I can't find what it is or where. Any suggestions? Thanks.
___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Users seeing all vm's
It sounds like you're adding the permissions to oVirt through the Users tab on the top right. That's the same thing I did at first. However, the Users tab is not where you manage all settings for users. It's a bit counterintuitive. When you add a user in that tab, it adds them to the system object and not to a particular VM or pool, which is why the user has more than desired permissions. What you need to do is remove the users or groups from the Users tab and add them to the specific pool or VM by selecting the pool, then select the permissions sub-tab and then select add. This will grant the permissions to only that specific resource.

On Jun 12, 2014 3:08 AM, Itamar Heim ih...@redhat.com wrote:
> On 06/06/2014 05:52 AM, Artur Sarkisyan wrote:
>> Thanks for the reply, I have an IPA server for authentication. I am trying some scenarios, but I would like to set up pools of vm's for users, actually one pool for one user.
>
> why one pool for one user? a pool allows you to give multiple users access to it, and, specify how many VMs each user can get from the pool.
>
>> Kind regards,
>> Artur
>>
>> On Thu, Jun 5, 2014 at 8:30 PM, Jeff Clay jeffc...@gmail.com wrote:
>>> Yes, I have resolved this issue. It was due to my lack of understanding in how oVirt expected things to be configured and set up. Are you using Active Directory for authentication and setting up pools of vm's for users to access?
>>>
>>> On Thu, Jun 5, 2014 at 1:10 PM, Artur Sarkisyan s.ar...@gmail.com wrote:
>>>> Hi Jeff, I would like to know if you have resolved this issue? At this moment I'm building a poc and I have the same problem like yours: All users can see all vm's. Do you have some suggestions for me? Thanks in advance.
>>>> Kind regards,
>>>> Artur
>>>>
>>>> On Tue, May 6, 2014 at 10:32 PM, Jeff Clay jeffc...@gmail.com wrote:
>>>>> For some reason, when logged in as a user with a modified copy role of UserRole (only has login permission and VM - Basic Operations - Remote Log In permission) the user can see all of the VM's and has the ability to open a console, start, shut down or suspend any of the VM's. I have verified that all of the VM's only show the SuperUser role in their permissions. I went through all of the roles and verified that the user is only a member of the Copy_of_UserRole. The only thing I can think of is that the user is inheriting permissions from something, but I can't find what it is or where. Any suggestions? Thanks.
Re: [ovirt-users] Users seeing all vm's
Thanks for the reply, I have an IPA server for authentication. I am trying some scenarios, but I would like to set up pools of vm's for users, actually one pool for one user.

Kind regards,
Artur

On Thu, Jun 5, 2014 at 8:30 PM, Jeff Clay jeffc...@gmail.com wrote:
> Yes, I have resolved this issue. It was due to my lack of understanding in how oVirt expected things to be configured and set up. Are you using Active Directory for authentication and setting up pools of vm's for users to access?
>
> On Thu, Jun 5, 2014 at 1:10 PM, Artur Sarkisyan s.ar...@gmail.com wrote:
>> Hi Jeff, I would like to know if you have resolved this issue? At this moment I'm building a poc and I have the same problem like yours: All users can see all vm's. Do you have some suggestions for me? Thanks in advance.
>> Kind regards,
>> Artur
>>
>> On Tue, May 6, 2014 at 10:32 PM, Jeff Clay jeffc...@gmail.com wrote:
>>> For some reason, when logged in as a user with a modified copy role of UserRole (only has login permission and VM - Basic Operations - Remote Log In permission) the user can see all of the VM's and has the ability to open a console, start, shut down or suspend any of the VM's. I have verified that all of the VM's only show the SuperUser role in their permissions. I went through all of the roles and verified that the user is only a member of the Copy_of_UserRole. The only thing I can think of is that the user is inheriting permissions from something, but I can't find what it is or where. Any suggestions? Thanks.
Re: [ovirt-users] Users seeing all vm's
Yes, I have resolved this issue. It was due to my lack of understanding in how oVirt expected things to be configured and set up. Are you using Active Directory for authentication and setting up pools of vm's for users to access?

On Thu, Jun 5, 2014 at 1:10 PM, Artur Sarkisyan s.ar...@gmail.com wrote:
> Hi Jeff, I would like to know if you have resolved this issue? At this moment I'm building a poc and I have the same problem like yours: All users can see all vm's. Do you have some suggestions for me? Thanks in advance.
> Kind regards,
> Artur
>
> On Tue, May 6, 2014 at 10:32 PM, Jeff Clay jeffc...@gmail.com wrote:
>> For some reason, when logged in as a user with a modified copy role of UserRole (only has login permission and VM - Basic Operations - Remote Log In permission) the user can see all of the VM's and has the ability to open a console, start, shut down or suspend any of the VM's. I have verified that all of the VM's only show the SuperUser role in their permissions. I went through all of the roles and verified that the user is only a member of the Copy_of_UserRole. The only thing I can think of is that the user is inheriting permissions from something, but I can't find what it is or where. Any suggestions? Thanks.
[ovirt-users] Users seeing all vm's
For some reason, when logged in as a user with a modified copy role of UserRole (only has login permission and VM - Basic Operations - Remote Log In permission) the user can see all of the VM's and has the ability to open a console, start, shut down or suspend any of the VM's. I have verified that all of the VM's only show the SuperUser role in their permissions. I went through all of the roles and verified that the user is only a member of the Copy_of_UserRole. The only thing I can think of is that the user is inheriting permissions from something, but I can't find what it is or where. Any suggestions? Thanks.
Re: [ovirt-users] Users seeing all vm's
Hi Jeff,

* I assume that we are talking about the User Portal, not the web-admin (to which the user cannot even log into, according to the permissions that you specified).
* a permission is a triplet of role, user and object. according to what you are saying, the user's permission is:
  - role: Copy_of_UserRole [contains Remote Log only (???)]
  - user: user
  - object: ???
  what is the object with which the user's permission is associated? I suspect it is System, which would explain why the user sees all of the VMs in his user-portal (permissions inheritance, as you suspected: all VMs are descendants of System, therefore permissions on System are propagated to the VMs within the system)
* are there any additional permissions for this user? a screen-shot of the user's Permissions sub-tab in the User's main tab in the web-admin would be helpful.
* does the user belong to any group that has permissions on the system? if so, this user could be inheriting these permissions from that group.
* are you sure that the Copy_of_UserRole role contains only the Remote Log action? if not - that can explain why the user is able to perform actions on the VMs other than Remote Log.

Thanks,
Einav

----- Original Message -----
> From: Jeff Clay jeffc...@gmail.com
> To: users@ovirt.org
> Sent: Tuesday, May 6, 2014 4:32:28 PM
> Subject: [ovirt-users] Users seeing all vm's
>
> For some reason, when logged in as a user with a modified copy role of UserRole (only has login permission and VM - Basic Operations - Remote Log In permission) the user can see all of the VM's and has the ability to open a console, start, shut down or suspend any of the VM's. I have verified that all of the VM's only show the SuperUser role in their permissions. I went through all of the roles and verified that the user is only a member of the Copy_of_UserRole. The only thing I can think of is that the user is inheriting permissions from something, but I can't find what it is or where. Any suggestions? Thanks.
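The permission triplet and System-level inheritance discussed in this thread, and the effect of moving the grant to a single pool, as an added example (not oVirt code and not written by anyone in the thread). It is a simplified Python model: the object tree, the user `alice`, the group `dev-team` and the VM and pool names are constructed for illustration.

```python
# Simplified model of oVirt-style permission inheritance (constructed data,
# not the oVirt API). A permission is a (role, principal, object) triplet.

PARENT = {                     # child -> parent; "System" is the root
    "DC1": "System",
    "Cluster1": "DC1",
    "vm-finance": "Cluster1",
    "vm-dev": "Cluster1",
    "pool-dev": "Cluster1",
}
GROUPS = {"alice": {"dev-team"}}   # user -> groups (constructed)
ADMIN_ROLES = {"SuperUser"}


def ancestors(obj):
    """Yield obj and every object above it, ending at System."""
    while obj is not None:
        yield obj
        obj = PARENT.get(obj)


def effective_roles(perms, user, obj):
    """Roles the user holds on obj: direct, via a group, or inherited."""
    principals = {user} | GROUPS.get(user, set())
    chain = set(ancestors(obj))
    return {role for role, who, where in perms
            if who in principals and where in chain}


def reachable_objects(perms, user):
    """Objects on which the user ends up with at least one role."""
    return sorted(o for o in PARENT if effective_roles(perms, user, o))


def system_level_grants(perms):
    """Audit: non-admin roles attached to System reach everything below it."""
    return [p for p in perms if p[2] == "System" and p[0] not in ADMIN_ROLES]


# Before: the user was added on the System object (the situation in the thread).
BEFORE = [("SuperUser", "admin", "System"),
          ("Copy_of_UserRole", "alice", "System")]
# After: the same role is attached to one pool only.
AFTER = [("SuperUser", "admin", "System"),
         ("Copy_of_UserRole", "alice", "pool-dev")]
# A group grant on System has the same effect as a direct one.
VIA_GROUP = [("Copy_of_UserRole", "dev-team", "System")]
```

Running `system_level_grants` over an export of the real permission list is the quick check for this misconfiguration: any entry it returns is a role that applies to every VM in the setup.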