[ovirt-users] Re: Preventing users to see other VMs

2018-05-21 Thread Roy Golan
On Wed, 16 May 2018 at 17:21 Peter Hudec  wrote:

> Hi all,
>
> works !! ;) Seems that there is some caching in User Portal.
> But there is still a question how could I remove user from the role
> everyone ? For example I want to assign only specific vNIC Profiles,
> Storage Domains, ...
>
>
All users belong to 'everyone'; it is a group. A *role* is a bunch of
*actions* you can perform on an *Object*.
Maybe this will help: create a new role, assign only the actions you want for
it. Then assign this role to your user, *on the specific objects* you want
him to manage.

> Peter
>
> On 16/05/2018 14:57, Aziz wrote:
> > Hi All,
> >
> > Thank you Roy, this is working now as expected, however, I think
> > the Edit button, should  be removed for this user, there is no need
> > to display the edit button if the user cannot use it to perform
> > any operation, am I missing something ?
> >
> >
> > Best regards
> >
> > On Wed, May 16, 2018 at 9:12 AM, Peter Hudec  > > wrote:
> >
> > I have found 2 related bug, a little bit older
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1209505
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=1225274
> > 
> >
> > But these are related only to DiskProfile.
> >
> > I haven't found any work about 'Everyone' group in documentation,
> > so I'm little bit confused why there is such a group.
> >
> > Peter
> >
> > On 15/05/2018 23:02, Peter Hudec wrote:
> >> Hi,
> >
> >> I'm fancing the same problem.
> >
> >> The steps are - create user /tester/ using the
> >> ovirt-aaa-jdbc-tool - login as admin into admin portal - add
> >> tester user in Administation -> Users - choose one VM and add
> >> UserRole role
> >
> >> - login as testr into User Potal - user could see all VM..
> >
> >> The problem could be, that the user is part of the group
> >> Everyone and this group could be found in Administration ->
> >> Configure > System Permissions. When you check the group
> >> permisson, it seems to be automatically populated by engine.
> >
> >> In  my case I[m using default DC, default cluster and 'internal'
> >> profile .
> >
> >> Seems that all engine object is included in Everyone group.
> >
> >> regards Peter
> >
> >> On 15/05/2018 22:03, Roy Golan wrote:
> >
> >
> >>> On Tue, 15 May 2018 at 21:47 Aziz  > 
> >>> >>
> >>> wrote:
> >
> >>> Hi Roy,
> >
> >>> Thanks for your feedback, I'm unable to remove the user from
> >>> the cluster, I used the command "|ovirt-aaa-jdbc-tool user
> >>> add|" to add the new user, and it seems that by default it took
> >>> all permissions over the cluster. Is there any document
> >>> describing this feature in details ?
> >
> >
> >
> >>> In the webadmin go to Administration -> Configure > System
> >>> Permissions. If the user is there, remove him. Then search for
> >>> the VM and add permissions to the user on the VM Check your
> >>> end result in the 'permisions' section of the VM to see who
> >>> has permissions on it.
> >
> >>> This should be helpful, quite long though
> >>> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/
> >
> >> This is for the tool itself
> >> https://www.ovirt.org/develop/release-management/features/infra/aaa-jdbc/
> >
> >>> Thanks
> >
> >>> On Tue, May 15, 2018 at 6:31 PM, Roy Golan  > 
> >>> >> wrote:
> >
> >>> 1. Make sure your users use the VM portal 2. Assign permission
> >>> on VM to a certain user to make sure it apears in the portal.
> >>> The Role should be VmOperator afaik.
> >
> >>> Permission set on objects higher in the hierarchy are
> >>> cascading, i.e a user with permission on a cluster would have
> >>> the permission on the all the vm in cluster.
> >
> >
> >>> On Tue, 15 May 2018 at 20:59 Aziz  > 
> >>> >>
> >>> wrote:
> >
> >>> Hi list,
> >
> >>> I'm trying to remove the default "everyone" user from Ovirt,
> >>> so that each user can have access to its own interface to
> >>> manage a unique VM. I wonder if this is possible, because so
> >>> far I'm unable to remove everyone user.
> >
> >>> Thank you
> >
> >
> >>> ___ Users mailing
> >>> list -- users@ovirt.org 
> > > To unsubscribe
> >>> send an email to users-le...@ovirt.org
> > 
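
The role/object model and the cascading behaviour discussed in this thread, as a simplified model (an added example for this archive page, not oVirt engine code and not written by any poster). The object names, the action names inside each role, and the system-level grant held by Everyone are constructed assumptions.

```python
"""Simplified model of role/permission resolution with inheritance.
Added example for this thread; not oVirt engine code."""
from dataclasses import dataclass

# Constructed object hierarchy (child -> parent); "system" is the root.
PARENT = {
    "dc:Default": "system",
    "cluster:Default": "dc:Default",
    "vm:db01": "cluster:Default",
    "vm:tester-vm": "cluster:Default",
    "vm:web01": "cluster:Default",
}

# A role is a named set of actions. Role names come from the thread; the
# action names inside them are illustrative, not the engine's real ones.
ROLES = {
    "UserRole": {"see_vm", "connect_to_vm"},
    "VmOperator": {"see_vm", "connect_to_vm", "run_vm", "stop_vm"},
}

EVERYONE = "group:Everyone"  # every user is implicitly a member


@dataclass(frozen=True)
class Permission:
    principal: str  # "user:<name>" or "group:<name>"
    role: str
    obj: str


def scope_chain(obj):
    """The object itself followed by every ancestor up to the root."""
    chain = [obj]
    while obj in PARENT:
        obj = PARENT[obj]
        chain.append(obj)
    return chain


def granting_permissions(user, action, obj, perms):
    """Permissions that let `user` perform `action` on `obj`, whether set on
    the object itself or inherited from an object higher in the hierarchy."""
    principals = {f"user:{user}", EVERYONE}
    chain = scope_chain(obj)
    return [
        p for p in perms
        if p.principal in principals
        and p.obj in chain
        and action in ROLES[p.role]
    ]


def visible_vms(user, perms):
    """VMs the user would be able to see."""
    return sorted(
        o for o in PARENT
        if o.startswith("vm:") and granting_permissions(user, "see_vm", o, perms)
    )


def cascading_grants(perms):
    """Audit helper: grants that reach more than one object, because they are
    held by Everyone or are set above the VM level."""
    return [p for p in perms
            if p.principal == EVERYONE or not p.obj.startswith("vm:")]


# Constructed state resembling the report: one per-VM grant for tester plus
# an (assumed) system-level grant held by the Everyone group.
BEFORE = [
    Permission(EVERYONE, "UserRole", "system"),
    Permission("user:tester", "UserRole", "vm:tester-vm"),
]
# State after the broad entries are removed, leaving only per-VM grants.
AFTER = [p for p in BEFORE if p not in cascading_grants(BEFORE)]

if __name__ == "__main__":
    print("before:", visible_vms("tester", BEFORE))
    for p in granting_permissions("tester", "see_vm", "vm:db01", BEFORE):
        print("  vm:db01 visible via", p)
    print("after: ", visible_vms("tester", AFTER))
```

`granting_permissions` answers the audit question the thread keeps circling: which entry, on which object, is the reason a user can see a VM they were never granted directly.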

[ovirt-users] Re: Preventing users to see other VMs

2018-05-16 Thread Aziz
Hi All,

@Roy, yes, that's exactly what I'm referring to. It's "ugly" to show the
unauthorized message each time a user will try to edit the VM, better to
hide it or put it as Grayed.

Thank you Greg.

Best regards


On Wed, May 16, 2018 at 1:14 PM, Greg Sheremeta  wrote:

>
>
> On Wed, May 16, 2018 at 9:09 AM, Roy Golan  wrote:
>
>> On Wed, 16 May 2018 at 16:01 Aziz  wrote:
>>
>>> Hi All,
>>>
>>> Thank you Roy, this is working now as expected, however, I think the
>>> Edit button, should  be removed for this user, there is no need to display
>>> the edit button if the user cannot use it to perform any operation, am I
>>> missing something ?
>>>
>>> You mean in the VM portal the user sees  he can edit a VM when he
>> doesn't have permission to? I assume we don't go to a resolution of button
>> per permission ( +Greg Sheremeta   right? )
>> Instead the user would get and error from the engine that he isn't
>> authorized to perform this action.
>>
>
> In both Administration Portal and VM Portal, we generally don't have
> pre-flight checks to see if users have access to buttons. There is an
> existing RFE,
> Bug 1221694 – [RFE] Role based views in webui
> https://bugzilla.redhat.com/show_bug.cgi?id=1221694
>
> Greg
>
>
>> ​
>>
>>>
>>> Best regards
>>>
>>> On Wed, May 16, 2018 at 9:12 AM, Peter Hudec  wrote:
>>>
 I have found 2 related bug, a little bit older

 https://bugzilla.redhat.com/show_bug.cgi?id=1209505
 https://bugzilla.redhat.com/show_bug.cgi?id=1225274

 But these are related only to DiskProfile.

 I haven't found any work about 'Everyone' group in documentation, so
 I'm little bit confused why there is such a group.

 Peter

 On 15/05/2018 23:02, Peter Hudec wrote:
 > Hi,
 >
 > I'm fancing the same problem.
 >
 > The steps are - create user /tester/ using the ovirt-aaa-jdbc-tool
 >  - login as admin into admin portal - add tester user in
 > Administation -> Users - choose one VM and add UserRole role
 >
 > - login as testr into User Potal - user could see all VM..
 >
 > The problem could be, that the user is part of the group Everyone
 > and this group could be found in Administration -> Configure >
 > System Permissions. When you check the group permisson, it seems
 > to be automatically populated by engine.
 >
 > In  my case I[m using default DC, default cluster and 'internal'
 > profile .
 >
 > Seems that all engine object is included in Everyone group.
 >
 > regards Peter
 >
 > On 15/05/2018 22:03, Roy Golan wrote:
 >
 >
 >> On Tue, 15 May 2018 at 21:47 Aziz > > wrote:
 >
 >> Hi Roy,
 >
 >> Thanks for your feedback, I'm unable to remove the user from the
 >> cluster, I used the command "|ovirt-aaa-jdbc-tool user add|" to
 >> add the new user, and it seems that by default it took all
 >> permissions over the cluster. Is there any document describing
 >> this feature in details ?
 >
 >
 >
 >> In the webadmin go to Administration -> Configure > System
 >> Permissions. If the user is there, remove him. Then search for
 >> the VM and add permissions to the user on the VM Check your end
 >> result in the 'permisions' section of the VM to see who has
 >> permissions on it.
 >
 >> This should be helpful, quite long though
 >> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/
 >
 > This is for the tool itself
 >> https://www.ovirt.org/develop/release-management/features/infra/aaa-jdbc/
 >
 >
 >
 >
 >> Thanks
 >
 >> On Tue, May 15, 2018 at 6:31 PM, Roy Golan > > wrote:
 >
 >> 1. Make sure your users use the VM portal 2. Assign permission on
 >> VM to a certain user to make sure it apears in the portal. The
 >> Role should be VmOperator afaik.
 >
 >> Permission set on objects higher in the hierarchy are cascading,
 >> i.e a user with permission on a cluster would have the permission
 >> on the all the vm in cluster.
 >
 >
 >> On Tue, 15 May 2018 at 20:59 Aziz > > wrote:
 >
 >> Hi list,
 >
 >> I'm trying to remove the default "everyone" user from Ovirt, so
 >> that each user can have access to its own interface to manage a
 >> unique VM. I wonder if this is possible, because so far I'm
 >> unable to remove everyone user.
 >
 >> Thank you
 >
 >

[ovirt-users] Re: Preventing users to see other VMs

2018-05-16 Thread Peter Hudec
Hi all,

works !! ;) Seems that there is some caching in User Portal.
But there is still a question how could I remove user from the role
everyone ? For example I want to assign only specific vNIC Profiles,
Storage Domains, ...

Peter

On 16/05/2018 14:57, Aziz wrote:
> Hi All,
> 
> Thank you Roy, this is working now as expected, however, I think
> the Edit button, should  be removed for this user, there is no need
> to display the edit button if the user cannot use it to perform
> any operation, am I missing something ?
> 
> 
> Best regards
> 
> On Wed, May 16, 2018 at 9:12 AM, Peter Hudec  > wrote:
> 
> I have found 2 related bug, a little bit older
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1209505 
>  
> https://bugzilla.redhat.com/show_bug.cgi?id=1225274 
> 
> 
> But these are related only to DiskProfile.
> 
> I haven't found any work about 'Everyone' group in documentation,
> so I'm little bit confused why there is such a group.
> 
> Peter
> 
> On 15/05/2018 23:02, Peter Hudec wrote:
>> Hi,
> 
>> I'm fancing the same problem.
> 
>> The steps are - create user /tester/ using the
>> ovirt-aaa-jdbc-tool - login as admin into admin portal - add
>> tester user in Administation -> Users - choose one VM and add
>> UserRole role
> 
>> - login as testr into User Potal - user could see all VM..
> 
>> The problem could be, that the user is part of the group
>> Everyone and this group could be found in Administration ->
>> Configure > System Permissions. When you check the group
>> permisson, it seems to be automatically populated by engine.
> 
>> In  my case I[m using default DC, default cluster and 'internal' 
>> profile .
> 
>> Seems that all engine object is included in Everyone group.
> 
>> regards Peter
> 
>> On 15/05/2018 22:03, Roy Golan wrote:
> 
> 
>>> On Tue, 15 May 2018 at 21:47 Aziz  
>>> >>
>>> wrote:
> 
>>> Hi Roy,
> 
>>> Thanks for your feedback, I'm unable to remove the user from
>>> the cluster, I used the command "|ovirt-aaa-jdbc-tool user
>>> add|" to add the new user, and it seems that by default it took
>>> all permissions over the cluster. Is there any document
>>> describing this feature in details ?
> 
> 
> 
>>> In the webadmin go to Administration -> Configure > System 
>>> Permissions. If the user is there, remove him. Then search for 
>>> the VM and add permissions to the user on the VM Check your
>>> end result in the 'permisions' section of the VM to see who
>>> has permissions on it.
> 
>>> This should be helpful, quite long though
>>> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/
> 
>> This is for the tool itself
>> https://www.ovirt.org/develop/release-management/features/infra/aaa-jdbc/
> 
>>> Thanks
> 
>>> On Tue, May 15, 2018 at 6:31 PM, Roy Golan  
>>> >> wrote:
> 
>>> 1. Make sure your users use the VM portal 2. Assign permission
>>> on VM to a certain user to make sure it apears in the portal.
>>> The Role should be VmOperator afaik.
> 
>>> Permission set on objects higher in the hierarchy are
>>> cascading, i.e a user with permission on a cluster would have
>>> the permission on the all the vm in cluster.
> 
> 
>>> On Tue, 15 May 2018 at 20:59 Aziz  
>>> >>
>>> wrote:
> 
>>> Hi list,
> 
>>> I'm trying to remove the default "everyone" user from Ovirt,
>>> so that each user can have access to its own interface to
>>> manage a unique VM. I wonder if this is possible, because so
>>> far I'm unable to remove everyone user.
> 
>>> Thank you
> 
> 

-- 
*Peter Hudec*

[ovirt-users] Re: Preventing users to see other VMs

2018-05-16 Thread Greg Sheremeta
On Wed, May 16, 2018 at 9:09 AM, Roy Golan  wrote:

> On Wed, 16 May 2018 at 16:01 Aziz  wrote:
>
>> Hi All,
>>
>> Thank you Roy, this is working now as expected, however, I think the Edit
>> button, should  be removed for this user, there is no need to display the
>> edit button if the user cannot use it to perform any operation, am I
>> missing something ?
>>
>> You mean in the VM portal the user sees  he can edit a VM when he doesn't
> have permission to? I assume we don't go to a resolution of button per
> permission ( +Greg Sheremeta   right? )
> Instead the user would get and error from the engine that he isn't
> authorized to perform this action.
>

In both Administration Portal and VM Portal, we generally don't have
pre-flight checks to see if users have access to buttons. There is an
existing RFE,
Bug 1221694 – [RFE] Role based views in webui
https://bugzilla.redhat.com/show_bug.cgi?id=1221694

Greg


> ​
>
>>
>> Best regards
>>
>> On Wed, May 16, 2018 at 9:12 AM, Peter Hudec  wrote:
>>
>>> I have found 2 related bug, a little bit older
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1209505
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1225274
>>>
>>> But these are related only to DiskProfile.
>>>
>>> I haven't found any work about 'Everyone' group in documentation, so
>>> I'm little bit confused why there is such a group.
>>>
>>> Peter
>>>
>>> On 15/05/2018 23:02, Peter Hudec wrote:
>>> > Hi,
>>> >
>>> > I'm fancing the same problem.
>>> >
>>> > The steps are - create user /tester/ using the ovirt-aaa-jdbc-tool
>>> >  - login as admin into admin portal - add tester user in
>>> > Administation -> Users - choose one VM and add UserRole role
>>> >
>>> > - login as testr into User Potal - user could see all VM..
>>> >
>>> > The problem could be, that the user is part of the group Everyone
>>> > and this group could be found in Administration -> Configure >
>>> > System Permissions. When you check the group permisson, it seems
>>> > to be automatically populated by engine.
>>> >
>>> > In  my case I[m using default DC, default cluster and 'internal'
>>> > profile .
>>> >
>>> > Seems that all engine object is included in Everyone group.
>>> >
>>> > regards Peter
>>> >
>>> > On 15/05/2018 22:03, Roy Golan wrote:
>>> >
>>> >
>>> >> On Tue, 15 May 2018 at 21:47 Aziz >> >> > wrote:
>>> >
>>> >> Hi Roy,
>>> >
>>> >> Thanks for your feedback, I'm unable to remove the user from the
>>> >> cluster, I used the command "|ovirt-aaa-jdbc-tool user add|" to
>>> >> add the new user, and it seems that by default it took all
>>> >> permissions over the cluster. Is there any document describing
>>> >> this feature in details ?
>>> >
>>> >
>>> >
>>> >> In the webadmin go to Administration -> Configure > System
>>> >> Permissions. If the user is there, remove him. Then search for
>>> >> the VM and add permissions to the user on the VM Check your end
>>> >> result in the 'permisions' section of the VM to see who has
>>> >> permissions on it.
>>> >
>>> >> This should be helpful, quite long though
>>> >> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/
>>> >
>>> >>
>>> >>
>>> >
>>> > This is for the tool itself
>>> >> https://www.ovirt.org/develop/release-management/features/infra/aaa-jdbc/
>>> >
>>> >> Thanks
>>> >
>>> >> On Tue, May 15, 2018 at 6:31 PM, Roy Golan >> >> > wrote:
>>> >
>>> >> 1. Make sure your users use the VM portal 2. Assign permission on
>>> >> VM to a certain user to make sure it apears in the portal. The
>>> >> Role should be VmOperator afaik.
>>> >
>>> >> Permission set on objects higher in the hierarchy are cascading,
>>> >> i.e a user with permission on a cluster would have the permission
>>> >> on the all the vm in cluster.
>>> >
>>> >
>>> >> On Tue, 15 May 2018 at 20:59 Aziz >> >> > wrote:
>>> >
>>> >> Hi list,
>>> >
>>> >> I'm trying to remove the default "everyone" user from Ovirt, so
>>> >> that each user can have access to its own interface to manage a
>>> >> unique VM. I wonder if this is possible, because so far I'm
>>> >> unable to remove everyone user.
>>> >
>>> >> Thank you
>>> >
>>> >
>>>
>>> - --
>>> *Peter Hudec*
>>> Infraštruktúrny architekt
>>> phu...@cnc.sk 
>>>
>>> *CNC, 

[ovirt-users] Re: Preventing users to see other VMs

2018-05-16 Thread Roy Golan
On Wed, 16 May 2018 at 16:01 Aziz  wrote:

> Hi All,
>
> Thank you Roy, this is working now as expected, however, I think the Edit
> button, should  be removed for this user, there is no need to display the
> edit button if the user cannot use it to perform any operation, am I
> missing something ?
>
You mean in the VM portal the user sees he can edit a VM when he doesn't
have permission to? I assume we don't go to a resolution of button per
permission ( +Greg Sheremeta right? )
Instead the user would get an error from the engine that he isn't
authorized to perform this action.

>
> Best regards
>
> On Wed, May 16, 2018 at 9:12 AM, Peter Hudec  wrote:
>
>> I have found 2 related bug, a little bit older
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1209505
>> https://bugzilla.redhat.com/show_bug.cgi?id=1225274
>>
>> But these are related only to DiskProfile.
>>
>> I haven't found any work about 'Everyone' group in documentation, so
>> I'm little bit confused why there is such a group.
>>
>> Peter
>>
>> On 15/05/2018 23:02, Peter Hudec wrote:
>> > Hi,
>> >
>> > I'm fancing the same problem.
>> >
>> > The steps are - create user /tester/ using the ovirt-aaa-jdbc-tool
>> >  - login as admin into admin portal - add tester user in
>> > Administation -> Users - choose one VM and add UserRole role
>> >
>> > - login as testr into User Potal - user could see all VM..
>> >
>> > The problem could be, that the user is part of the group Everyone
>> > and this group could be found in Administration -> Configure >
>> > System Permissions. When you check the group permisson, it seems
>> > to be automatically populated by engine.
>> >
>> > In  my case I[m using default DC, default cluster and 'internal'
>> > profile .
>> >
>> > Seems that all engine object is included in Everyone group.
>> >
>> > regards Peter
>> >
>> > On 15/05/2018 22:03, Roy Golan wrote:
>> >
>> >
>> >> On Tue, 15 May 2018 at 21:47 Aziz > >> > wrote:
>> >
>> >> Hi Roy,
>> >
>> >> Thanks for your feedback, I'm unable to remove the user from the
>> >> cluster, I used the command "|ovirt-aaa-jdbc-tool user add|" to
>> >> add the new user, and it seems that by default it took all
>> >> permissions over the cluster. Is there any document describing
>> >> this feature in details ?
>> >
>> >
>> >
>> >> In the webadmin go to Administration -> Configure > System
>> >> Permissions. If the user is there, remove him. Then search for
>> >> the VM and add permissions to the user on the VM Check your end
>> >> result in the 'permisions' section of the VM to see who has
>> >> permissions on it.
>> >
>> >> This should be helpful, quite long though
>> >> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/
>> >
>> >>
>> >>
>> >
>> > This is for the tool itself
>> >> https://www.ovirt.org/develop/release-management/features/infra/aaa-jdbc/
>> >
>> >> Thanks
>> >
>> >> On Tue, May 15, 2018 at 6:31 PM, Roy Golan > >> > wrote:
>> >
>> >> 1. Make sure your users use the VM portal 2. Assign permission on
>> >> VM to a certain user to make sure it apears in the portal. The
>> >> Role should be VmOperator afaik.
>> >
>> >> Permission set on objects higher in the hierarchy are cascading,
>> >> i.e a user with permission on a cluster would have the permission
>> >> on the all the vm in cluster.
>> >
>> >
>> >> On Tue, 15 May 2018 at 20:59 Aziz > >> > wrote:
>> >
>> >> Hi list,
>> >
>> >> I'm trying to remove the default "everyone" user from Ovirt, so
>> >> that each user can have access to its own interface to manage a
>> >> unique VM. I wonder if this is possible, because so far I'm
>> >> unable to remove everyone user.
>> >
>> >> Thank you
>> >
>> >
>>
>> - --
>> *Peter Hudec*
>> Infraštruktúrny architekt
>> phu...@cnc.sk 
>>
>> *CNC, a.s.*
>> Borská 6, 841 04 Bratislava
>> Recepcia: +421 2  35 000 100
>>
>> Mobil:+421 905 997 203 <+421%20905%20997%20203>
>> *www.cnc.sk* 
>>

[ovirt-users] Re: Preventing users to see other VMs

2018-05-16 Thread Aziz
Hi All,

Thank you Roy, this is working now as expected, however, I think the Edit
button should be removed for this user, there is no need to display the
edit button if the user cannot use it to perform any operation, am I
missing something?


Best regards

On Wed, May 16, 2018 at 9:12 AM, Peter Hudec  wrote:

> I have found 2 related bug, a little bit older
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1209505
> https://bugzilla.redhat.com/show_bug.cgi?id=1225274
>
> But these are related only to DiskProfile.
>
> I haven't found any work about 'Everyone' group in documentation, so
> I'm little bit confused why there is such a group.
>
> Peter
>
> On 15/05/2018 23:02, Peter Hudec wrote:
> > Hi,
> >
> > I'm fancing the same problem.
> >
> > The steps are - create user /tester/ using the ovirt-aaa-jdbc-tool
> >  - login as admin into admin portal - add tester user in
> > Administation -> Users - choose one VM and add UserRole role
> >
> > - login as testr into User Potal - user could see all VM..
> >
> > The problem could be, that the user is part of the group Everyone
> > and this group could be found in Administration -> Configure >
> > System Permissions. When you check the group permisson, it seems
> > to be automatically populated by engine.
> >
> > In  my case I[m using default DC, default cluster and 'internal'
> > profile .
> >
> > Seems that all engine object is included in Everyone group.
> >
> > regards Peter
> >
> > On 15/05/2018 22:03, Roy Golan wrote:
> >
> >
> >> On Tue, 15 May 2018 at 21:47 Aziz  >> > wrote:
> >
> >> Hi Roy,
> >
> >> Thanks for your feedback, I'm unable to remove the user from the
> >> cluster, I used the command "|ovirt-aaa-jdbc-tool user add|" to
> >> add the new user, and it seems that by default it took all
> >> permissions over the cluster. Is there any document describing
> >> this feature in details ?
> >
> >
> >
> >> In the webadmin go to Administration -> Configure > System
> >> Permissions. If the user is there, remove him. Then search for
> >> the VM and add permissions to the user on the VM Check your end
> >> result in the 'permisions' section of the VM to see who has
> >> permissions on it.
> >
> >> This should be helpful, quite long though
> >> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/
> >
> >>
> >>
> >
> > This is for the tool itself
> >> https://www.ovirt.org/develop/release-management/features/infra/aaa-jdbc/
> >
> >> Thanks
> >
> >> On Tue, May 15, 2018 at 6:31 PM, Roy Golan  >> > wrote:
> >
> >> 1. Make sure your users use the VM portal 2. Assign permission on
> >> VM to a certain user to make sure it apears in the portal. The
> >> Role should be VmOperator afaik.
> >
> >> Permission set on objects higher in the hierarchy are cascading,
> >> i.e a user with permission on a cluster would have the permission
> >> on the all the vm in cluster.
> >
> >
> >> On Tue, 15 May 2018 at 20:59 Aziz  >> > wrote:
> >
> >> Hi list,
> >
> >> I'm trying to remove the default "everyone" user from Ovirt, so
> >> that each user can have access to its own interface to manage a
> >> unique VM. I wonder if this is possible, because so far I'm
> >> unable to remove everyone user.
> >
> >> Thank you
> >
> >
>
> - --
> *Peter Hudec*
> Infraštruktúrny architekt
> phu...@cnc.sk 
>
> *CNC, a.s.*
> Borská 6, 841 04 Bratislava
> Recepcia: +421 2  35 000 100
>
> Mobil:+421 905 997 203
> *www.cnc.sk* 
>

[ovirt-users] Re: Preventing users to see other VMs

2018-05-16 Thread Peter Hudec
I have found 2 related bugs, a little bit older

https://bugzilla.redhat.com/show_bug.cgi?id=1209505
https://bugzilla.redhat.com/show_bug.cgi?id=1225274

But these are related only to DiskProfile.

I haven't found any work about 'Everyone' group in documentation, so
I'm a little bit confused why there is such a group.

Peter

On 15/05/2018 23:02, Peter Hudec wrote:
> Hi,
> 
> I'm fancing the same problem.
> 
> The steps are - create user /tester/ using the ovirt-aaa-jdbc-tool
>  - login as admin into admin portal - add tester user in 
> Administation -> Users - choose one VM and add UserRole role
> 
> - login as testr into User Potal - user could see all VM..
> 
> The problem could be, that the user is part of the group Everyone 
> and this group could be found in Administration -> Configure > 
> System Permissions. When you check the group permisson, it seems
> to be automatically populated by engine.
> 
> In  my case I[m using default DC, default cluster and 'internal' 
> profile .
> 
> Seems that all engine object is included in Everyone group.
> 
> regards Peter
> 
> On 15/05/2018 22:03, Roy Golan wrote:
> 
> 
>> On Tue, 15 May 2018 at 21:47 Aziz > > wrote:
> 
>> Hi Roy,
> 
>> Thanks for your feedback, I'm unable to remove the user from the 
>> cluster, I used the command "|ovirt-aaa-jdbc-tool user add|" to 
>> add the new user, and it seems that by default it took all 
>> permissions over the cluster. Is there any document describing 
>> this feature in details ?
> 
> 
> 
>> In the webadmin go to Administration -> Configure > System 
>> Permissions. If the user is there, remove him. Then search for 
>> the VM and add permissions to the user on the VM Check your end 
>> result in the 'permisions' section of the VM to see who has 
>> permissions on it.
> 
>> This should be helpful, quite long though 
>> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/
>
>>
>> 
> 
> This is for the tool itself
>> https://www.ovirt.org/develop/release-management/features/infra/aaa-jdbc/
> 
>> Thanks
> 
>> On Tue, May 15, 2018 at 6:31 PM, Roy Golan > > wrote:
> 
>> 1. Make sure your users use the VM portal 2. Assign permission on
>> VM to a certain user to make sure it apears in the portal. The 
>> Role should be VmOperator afaik.
> 
>> Permission set on objects higher in the hierarchy are cascading, 
>> i.e a user with permission on a cluster would have the permission
>> on the all the vm in cluster.
> 
> 
>> On Tue, 15 May 2018 at 20:59 Aziz > > wrote:
> 
>> Hi list,
> 
>> I'm trying to remove the default "everyone" user from Ovirt, so 
>> that each user can have access to its own interface to manage a 
>> unique VM. I wonder if this is possible, because so far I'm 
>> unable to remove everyone user.
> 
>> Thank you
> 
> 

-- 
*Peter Hudec*
Infraštruktúrny architekt
phu...@cnc.sk 

*CNC, a.s.*
Borská 6, 841 04 Bratislava
Recepcia: +421 2  35 000 100

Mobil:+421 905 997 203
*www.cnc.sk* 

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org


[ovirt-users] Re: Preventing users to see other VMs

2018-05-15 Thread Peter Hudec
Hi,

I'm facing the same problem.

The steps are
- create user /tester/ using the ovirt-aaa-jdbc-tool
- login as admin into admin portal
- add tester user in Administration -> Users
- choose one VM and add UserRole role

- login as tester into User Portal
- user could see all VM..

The problem could be, that the user is part of the group Everyone and
this group could be found in Administration -> Configure > System
Permissions. When you check the group permission, it seems to be
automatically populated by engine.

In my case I'm using default DC, default cluster and 'internal' profile.

Seems that all engine objects are included in Everyone group.

regards
Peter

On 15/05/2018 22:03, Roy Golan wrote:
> 
> 
> On Tue, 15 May 2018 at 21:47 Aziz  > wrote:
> 
> Hi Roy,
> 
> Thanks for your feedback, I'm unable to remove the user from the 
> cluster, I used the command "|ovirt-aaa-jdbc-tool user add|" to
> add the new user, and it seems that by default it took all
> permissions over the cluster. Is there any document describing this
> feature in details ?
> 
> 
> 
> In the webadmin go to Administration -> Configure > System
> Permissions. If the user is there, remove him. Then search for the
> VM and add permissions to the user on the VM Check your end result
> in the 'permisions' section of the VM to see who has permissions on
> it.
> 
> This should be helpful, quite long though 
> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/
>
> 
> This is for the tool itself
> https://www.ovirt.org/develop/release-management/features/infra/aaa-jdbc/
> 
> Thanks
> 
> On Tue, May 15, 2018 at 6:31 PM, Roy Golan wrote:
>
> 1. Make sure your users use the VM portal
> 2. Assign permission on VM to a certain user to make sure it appears
> in the portal. The Role should be VmOperator afaik.
>
> Permissions set on objects higher in the hierarchy are cascading,
> i.e. a user with permission on a cluster would have the permission
> on all the VMs in the cluster.
>
>
> On Tue, 15 May 2018 at 20:59 Aziz wrote:
> 
> Hi list,
> 
> I'm trying to remove the default "everyone" user from Ovirt, so
> that each user can have access to its own interface to manage a
> unique VM. I wonder if this is possible, because so far I'm unable
> to remove everyone user.
> 
> Thank you
> 
> 
> 


-- 
*Peter Hudec*
Infrastructure architect
phu...@cnc.sk 

*CNC, a.s.*
Borská 6, 841 04 Bratislava
Reception: +421 2  35 000 100

Mobile: +421 905 997 203
*www.cnc.sk* 



[ovirt-users] Re: Preventing users to see other VMs

2018-05-15 Thread Roy Golan
On Tue, 15 May 2018 at 21:47 Aziz  wrote:

> Hi Roy,
>
> Thanks for your feedback, I'm unable to remove the user from the cluster,
> I used the command "ovirt-aaa-jdbc-tool user add" to add the new user,
> and it seems that by default it took all permissions over the cluster. Is
> there any document describing this feature in details ?
>
>

In the webadmin go to Administration -> Configure > System Permissions. If
the user is there, remove him. Then search for the VM and add permissions
to the user on the VM.
Check your end result in the 'permissions' section of the VM to see who has
permissions on it.

This should be helpful, quite long though
https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/
This is for the tool itself
https://www.ovirt.org/develop/release-management/features/infra/aaa-jdbc/



> Thanks
>
> On Tue, May 15, 2018 at 6:31 PM, Roy Golan  wrote:
>
>> 1. Make sure your users use the VM portal
>> 2. Assign permission on VM to a certain user to make sure it appears in
>> the portal. The Role should be VmOperator afaik.
>>
>> Permissions set on objects higher in the hierarchy are cascading, i.e. a
>> user with permission on a cluster would have the permission on all the
>> VMs in the cluster.
>>
>>
>> On Tue, 15 May 2018 at 20:59 Aziz  wrote:
>>
>>> Hi list,
>>>
>>> I'm trying to remove the default "everyone" user from Ovirt, so that
>>> each user can have access to its own interface to manage a unique VM. I
>>> wonder if this is possible, because so far I'm unable to remove everyone
>>> user.
>>>
>>> Thank you
>>>
>>>
>>>
>>
>


[ovirt-users] Re: Preventing users to see other VMs

2018-05-15 Thread Aziz
Hi Roy,

Thanks for your feedback, I'm unable to remove the user from the cluster, I
used the command "ovirt-aaa-jdbc-tool user add" to add the new user, and it
seems that by default it took all permissions over the cluster. Is there
any document describing this feature in details ?


Thanks

On Tue, May 15, 2018 at 6:31 PM, Roy Golan  wrote:

> 1. Make sure your users use the VM portal
> 2. Assign permission on VM to a certain user to make sure it appears in the
> portal. The Role should be VmOperator afaik.
>
> Permissions set on objects higher in the hierarchy are cascading, i.e. a
> user with permission on a cluster would have the permission on all the
> VMs in the cluster.
>
>
> On Tue, 15 May 2018 at 20:59 Aziz  wrote:
>
>> Hi list,
>>
>> I'm trying to remove the default "everyone" user from Ovirt, so that each
>> user can have access to its own interface to manage a unique VM. I wonder
>> if this is possible, because so far I'm unable to remove everyone user.
>>
>> Thank you
>>
>>
>>
>


[ovirt-users] Re: Preventing users to see other VMs

2018-05-15 Thread Roy Golan
1. Make sure your users use the VM portal
2. Assign permission on VM to a certain user to make sure it appears in the
portal. The Role should be VmOperator afaik.

Permissions set on objects higher in the hierarchy are cascading, i.e. a user
with permission on a cluster would have the permission on all the VMs in the
cluster.


On Tue, 15 May 2018 at 20:59 Aziz  wrote:

> Hi list,
>
> I'm trying to remove the default "everyone" user from Ovirt, so that each
> user can have access to its own interface to manage a unique VM. I wonder
> if this is possible, because so far I'm unable to remove everyone user.
>
> Thank you
>
>
>
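
The cascading behaviour Roy describes and the system-level Everyone entry Peter found, as an added example that is not part of the thread or of oVirt's own code: a simplified Python model that reports which VMs a user can see and which grant is responsible. The object names, the grant list and the role on the Everyone entry are constructed for illustration.

```python
# Simplified model of cascading permissions; constructed data, not oVirt code.
# Object hierarchy as child -> parent (all names are made up for this example).
PARENT = {
    "dc:Default": "system",
    "cluster:Default": "dc:Default",
    "vm:web01": "cluster:Default",
    "vm:db01": "cluster:Default",
    "vm:tester-vm": "cluster:Default",
}

# Every user belongs to the Everyone group.
GROUPS = {"tester": {"Everyone"}, "aziz": {"Everyone"}}

# Grants as (principal, role, object). The role on the Everyone entry is assumed.
GRANTS = [
    ("Everyone", "UserRole", "system"),      # system-level entry, cascades to all
    ("tester", "UserRole", "vm:tester-vm"),  # the intended per-VM grant
]


def ancestors(obj):
    """Yield obj and every object above it, up to the system root."""
    while obj is not None:
        yield obj
        obj = PARENT.get(obj)


def explain_access(user, obj, grants):
    """Return the grants that give user access to obj, direct or inherited."""
    principals = {user} | GROUPS.get(user, set())
    chain = set(ancestors(obj))
    return [g for g in grants if g[0] in principals and g[2] in chain]


def visible_vms(user, grants):
    """Map each VM the user can see to the grants responsible for it."""
    found = {}
    for obj in PARENT:
        why = explain_access(user, obj, grants) if obj.startswith("vm:") else []
        if why:
            found[obj] = why
    return found


def revoke(grants, principal, obj):
    """Return grants without the entry for principal on obj (any role)."""
    return [g for g in grants if (g[0], g[2]) != (principal, obj)]


if __name__ == "__main__":
    for label, grants in (("before", GRANTS), ("after", revoke(GRANTS, "Everyone", "system"))):
        print(label, visible_vms("tester", grants))
```

Listing the responsible grant for each visible VM is what separates an intended per-VM assignment from one inherited through a group at a higher level.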