Re: [ovirt-users] ISO uploading from GUI/REST with user permissions

2018-04-06 Thread Lloyd Kamara
Dear Michal, you wrote:


> it does sound like a bug to me. Can you open one with those details?
> https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine


Duly done as Bug 1564509.
https://bugzilla.redhat.com/show_bug.cgi?id=1564509


Best wishes,
  Lloyd Kamara
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


[ovirt-users] ISO uploading from GUI/REST with user permissions

2018-04-03 Thread Lloyd Kamara
Dear Sir/Madam,

The ability to upload ISOs through the web interface and boot
VMs from them is a welcome addition in oVirt release 4.2.2.
I am grateful to the people behind the implementation of this.

Consider a scenario in which you wish to allow *end-users*
to upload ISOs to one or more Data Domains.  The users can
then use the uploaded ISOs to boot their VMs.

Is it possible to grant a user permission to upload ISOs through
the web interface?  I tried to do this under oVirt release 4.2.2
by doing the following:

- adding the 'SuperUser' role to a target user for a specific
Data Domain, which enables the user to log onto the Administration Portal.

- adding the 'DiskCreator' role to the same target user for the
same Data Domain, which, I would hope, would allow the user to
both create disks and upload ISOs within that Data Domain.

Disk creation in the Data Domain for the target user works as expected;
ISO upload does not.  A dialog appears with the message: 'Operation
Canceled  Error while executing action: User is not authorized to
perform this action.'

Here is the message that appears in /var/log/ovirt-engine/engine.log
when an attempt at uploading an ISO is made by the target user:


INFO
[org.ovirt.engine.core.bll.storage.disk.image.TransferImageStatusCommand]
(default task-40) [5b3fef06-49c8-4c34-81a3-a20fa691709a] No permission
found for user 'a9fde4c3-97a3-4494-84f8-08041a16710c' or one of the
groups he is member of, when running action 'TransferImageStatus',
Required permissions are: Action type: 'USER' Action group:
'CREATE_DISK' Object type: 'System'  Object ID:
'aaa0----123456789aaa'.


If one assigns the DiskCreator role System permission for the target
user then that user can upload ISOs without problem.  Unfortunately,
the user can upload ISOs - and create disks - in *all* data domains.

To re-iterate, is it possible to grant an end-user permission to
upload ISOs to specific data domains through the web interface without
granting an all-encompassing System permission?


Best wishes,
  Lloyd Kamara


References:
[The first two are included insofar as they concern ISO upload via web]
https://bugzilla.redhat.com/show_bug.cgi?id=1530730

https://bugzilla.redhat.com/show_bug.cgi?id=1536826

[This one is included because I wonder if the testing requests
include the ability for users to upload ISOs via the web GUI, not
just attach existing ISOs in data domains to VMs]

https://bugzilla.redhat.com/show_bug.cgi?id=1058798
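The engine.log line quoted above is the only place the engine says exactly which permission it wanted and at which scope. The following is an added example, not code from the post or from the oVirt project: a small parser that pulls the user, action, action group, object type and object ID out of "No permission found" lines and aggregates them, so an admin can read off whether a denial was evaluated against a storage domain or against the System object (the distinction the post is asking about). The log lines, UUIDs and the second command name are constructed for the example; the real engine.log format is timestamp, level, command class in brackets, then the message.

```python
import re
from collections import Counter

# Constructed engine.log excerpt in the shape of the denial quoted in the post.
# All UUIDs here are made up; the "Storage"-scoped line is included only to show
# how a storage-domain-scoped denial would be reported next to a System-scoped one.
SAMPLE_LOG = """\
2018-04-03 10:15:02,114+01 INFO  [org.ovirt.engine.core.bll.storage.disk.image.TransferImageStatusCommand] (default task-40) [5b3fef06] No permission found for user '11111111-2222-3333-4444-555555555555' or one of the groups he is member of, when running action 'TransferImageStatus', Required permissions are: Action type: 'USER' Action group: 'CREATE_DISK' Object type: 'System'  Object ID: 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'.
2018-04-03 10:15:03,001+01 INFO  [org.ovirt.engine.core.bll.storage.disk.AddDiskCommand] (default task-41) [7c1d0a2e] Running command: AddDiskCommand internal: false.
2018-04-03 10:16:40,552+01 INFO  [org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand] (default task-42) [0e9b4f77] No permission found for user '11111111-2222-3333-4444-555555555555' or one of the groups he is member of, when running action 'TransferDiskImage', Required permissions are: Action type: 'USER' Action group: 'CREATE_DISK' Object type: 'Storage'  Object ID: '99999999-8888-7777-6666-555555555555'.
"""

# Line prefix: timestamp, log level, fully qualified command class in brackets.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+\[(?P<command>[^\]]+)\]")

# The permission-denial message body; '\s+' absorbs the double space the
# engine prints before "Object ID".
DENIAL_RE = re.compile(
    r"No permission found for user '(?P<user>[^']+)'.*?"
    r"when running action '(?P<action>[^']+)'.*?"
    r"Action type: '(?P<action_type>[^']+)'\s+"
    r"Action group: '(?P<action_group>[^']+)'\s+"
    r"Object type: '(?P<object_type>[^']+)'\s+"
    r"Object ID: '(?P<object_id>[^']+)'"
)


def parse_denials(log_text):
    """Return one dict per 'No permission found' line, with the scope the check ran at."""
    denials = []
    for line in log_text.splitlines():
        body = DENIAL_RE.search(line)
        if not body:
            continue
        d = body.groupdict()
        head = LINE_RE.match(line)
        d["timestamp"] = head.group("ts") if head else None
        # Keep only the simple class name (e.g. TransferImageStatusCommand).
        d["command"] = head.group("command").rsplit(".", 1)[-1] if head else None
        denials.append(d)
    return denials


def missing_grants(denials):
    """Aggregate denials by (user, action group, object type, object id)."""
    return Counter(
        (d["user"], d["action_group"], d["object_type"], d["object_id"]) for d in denials
    )


def describe(grant, count):
    """Human-readable summary of one aggregated denial."""
    user, group, otype, oid = grant
    return (f"user {user}: {count} denial(s); the engine checked action group {group} "
            f"on {otype} object {oid}")


if __name__ == "__main__":
    for grant, count in missing_grants(parse_denials(SAMPLE_LOG)).items():
        print(describe(grant, count))
```

Run against a real /var/log/ovirt-engine/engine.log, an Object type of 'System' on the denial tells you that a role assigned on a single storage domain cannot satisfy that check, whatever the role contains; that is what the post observes for TransferImageStatus.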


Re: [ovirt-users] oVirt, LDAP & SSO: authentication domain/profile consolidation

2017-05-01 Thread Lloyd Kamara
Hi, Martin, you wrote:

> there is no reason to have different authz providers for both authn
> providers, because authz part is the same for both kerberos and LDAP.
> Just edit for example kerberos authn configuration file in
> /etc/ovirt-engine/extension.d/ and change
> 'ovirt.engine.aaa.authn.authz.plugin' option to the name of your LDAP
> authz provider.
> When done please restart ovirt-engine to apply changes.


Thank you for the above succinct and clear explanation.
I changed the configuration accordingly and can confirm that
it resolved the issue.  When I log in via a Kerberos Ticket
Granting Ticket and interactively via the LDAP-backed oVirt login
web form, I am mapped to a single authentication domain.


Best wishes,
  Lloyd
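Martin's fix amounts to one key in each authn extension file: every authn provider (Kerberos/HTTP-header and LDAP password) must name the same authz extension, because oVirt builds the user identity as principal@authz-name. The script below is an added example, not code from the thread or from oVirt: it parses the properties files in an extension.d directory, reports which authz plugin each authn extension points at, and rewrites them all to one chosen authz name. The file contents are constructed for the example; the extension file names, the "Kerberos-authn"/"LDAP-authn" authn names and the profile names are assumptions, while the authz names "Kerberos" and "LDAP" and the key ovirt.engine.aaa.authn.authz.plugin come from the thread.

```python
import os
import tempfile

AUTHN_PROVIDES = "org.ovirt.engine.api.extensions.aaa.Authn"
AUTHZ_PLUGIN_KEY = "ovirt.engine.aaa.authn.authz.plugin"

# Constructed contents of three files as they might sit in
# /etc/ovirt-engine/extension.d/ (file and authn extension names are assumptions).
SAMPLE_EXTENSION_D = {
    "kerberos-authn.properties": "\n".join([
        "ovirt.engine.extension.name = Kerberos-authn",
        "ovirt.engine.extension.bindings.method = jbossmodule",
        "ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc",
        "ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension",
        "ovirt.engine.extension.provides = " + AUTHN_PROVIDES,
        "ovirt.engine.aaa.authn.profile.name = Kerberos",
        # Before the fix: a separate authz named "Kerberos", which yields
        # user@our.ad.domain@Kerberos instead of user@our.ad.domain@LDAP.
        AUTHZ_PLUGIN_KEY + " = Kerberos",
        "config.artifact.name = HEADER",
        "config.artifact.arg = X-Remote-User",
        "",
    ]),
    "ldap-authn.properties": "\n".join([
        "ovirt.engine.extension.name = LDAP-authn",
        "ovirt.engine.extension.bindings.method = jbossmodule",
        "ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap",
        "ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension",
        "ovirt.engine.extension.provides = " + AUTHN_PROVIDES,
        "ovirt.engine.aaa.authn.profile.name = our.ad.domain",
        AUTHZ_PLUGIN_KEY + " = LDAP",
        "config.profile.file.1 = ../aaa/ldap.properties",
        "",
    ]),
    # An authz file: it must be left untouched by the consolidation.
    "ldap-authz.properties": "\n".join([
        "ovirt.engine.extension.name = LDAP",
        "ovirt.engine.extension.bindings.method = jbossmodule",
        "ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap",
        "ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension",
        "ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz",
        "config.profile.file.1 = ../aaa/ldap.properties",
        "",
    ]),
}


def parse_properties(text):
    """Minimal 'key = value' parser; ignores blanks and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def authn_files(ext_dir):
    """Yield (path, props) for every extension file that provides Authn."""
    for fname in sorted(os.listdir(ext_dir)):
        if not fname.endswith(".properties"):
            continue
        path = os.path.join(ext_dir, fname)
        with open(path) as fh:
            props = parse_properties(fh.read())
        if props.get("ovirt.engine.extension.provides") == AUTHN_PROVIDES:
            yield path, props


def authn_to_authz(ext_dir):
    """Map authn extension name -> authz plugin it resolves users through."""
    return {p["ovirt.engine.extension.name"]: p.get(AUTHZ_PLUGIN_KEY)
            for _, p in authn_files(ext_dir)}


def set_authz_plugin(path, authz_name):
    """Rewrite only the authz plugin key in one file; append it if missing."""
    with open(path) as fh:
        lines = fh.read().splitlines(keepends=True)
    out, replaced = [], False
    for line in lines:
        if line.split("=", 1)[0].strip() == AUTHZ_PLUGIN_KEY:
            out.append(f"{AUTHZ_PLUGIN_KEY} = {authz_name}\n")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"{AUTHZ_PLUGIN_KEY} = {authz_name}\n")
    with open(path, "w") as fh:
        fh.writelines(out)


def consolidate(ext_dir, authz_name):
    """Point every authn extension at one authz; return (before, after) maps."""
    before = authn_to_authz(ext_dir)
    for path, _ in list(authn_files(ext_dir)):
        set_authz_plugin(path, authz_name)
    return before, authn_to_authz(ext_dir)


def demo():
    """Run the consolidation against the constructed files in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE_EXTENSION_D.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return consolidate(d, "LDAP")


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

On a real engine, run it against /etc/ovirt-engine/extension.d with the name of your LDAP authz extension, then restart ovirt-engine as Martin says; the Kerberos authz file itself becomes unused once nothing references it.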


[ovirt-users] oVirt, LDAP & SSO: authentication domain/profile consolidation

2017-04-29 Thread Lloyd Kamara
Hello,

I have installed ovirt-engine version 4.1.1.8 on CentOS Linux release
7.3.1611 and have configured authentication against Active Directory
with the ovirt-engine-extension-aaa-ldap-setup version 1.3.1.

I have also configured single-sign-on (SSO) via
ovirt-engine-extension-aaa-misc version 1.0.1.  We use MIT Kerberos
in our organisation for Linux authentication.  After configuring
appropriate System Permissions in the oVirt Engine web interface,
end-users can successfully authenticate:

- without additional input if they have a valid Kerberos
ticket-granting-ticket (TGT).

- by entering their Active Directory login and password in the
oVirt log-in page if they do not have a valid TGT.


The problem is that oVirt sees the Active Directory and SSO log-ins
as two distinct Authentication Domains.  In more detail:

- ovirt.engine.extension.name = Kerberos in the authz.properties file
for our SSO configuration.

If a user authenticates via a Kerberos TGT, their user-name appears
as usern...@our.ad.domain@Kerberos within oVirt engine.


- ovirt.engine.extension.name = LDAP in the authz.properties file for
our Active Directory configuration.

If a user authenticates by entering the relevant Active Directory login
and password in the oVirt web-form log-in, their user-name appears as
u...@our.ad.domain@LDAP within oVirt engine.


Is there a way to configure both authentication methods to map to the
same user irrespective of the Authentication domain?  That is, is
there a way in oVirt to say that user1@domain1 and user1@domain2 are
to be treated as being equivalent?

Best wishes,
  Lloyd Kamara