[ovirt-users] Re: Multitenant scenario in oVirt
Hi Michal,

On 4/15/20 10:55 AM, Michal Gutowski wrote:
>Hi oVirt community,
>
>I'm playing with a multitenant use-case in oVirt 3.4.6... My setup is as follows:
>- I have two working Data Centers (DC1 and DC2)
>- I created two additional users DC1-admin and DC2-admin
>- In DC1 permission settings I've added DC1-admin as a user with a builtin DataCenterAdmin Role.
>- In DC2 permission settings I've added DC2-admin as a user with a builtin DataCenterAdmin Role.
>
>Now in terms of permissions all is good: DC1-admin is not able to modify anything in DC2 and DC2-admin is not able to modify anything in DC1.
>
>However in both the Admin Portal and the VM Portal DC1-admin and DC2-admin can still see all other datacenter resources.
>My expectation was that if I login to the Admin Portal as e.g. DC2-admin I will only see DC2 datacenter in the GUI and nothing else. Same with VM Portal. I played with different user settings but I couldn't make it work...

DataCenterAdmin is an Administrator role and from what I understand these roles can see everything. There is no specific user role similar to this for the whole DC. If you use UserVmManager on a DC it should be propagated to all VMs in that DC. Also you can specify your own role in Administration - Configure - Roles.

>I think the problem is that whatever user you create it will always belong to the built-in "everyone" group and inherit permission to see everything in the portal.
>Is it possible to achieve a scenario where e.g. DC2-admin will login to the Admin Portal and only see resources that belong to DC2 and nothing else?
>
>Thanks,
>Michal
>___
>Users mailing list -- users@ovirt.org
>To unsubscribe send an email to users-le...@ovirt.org
>Privacy Statement: https://www.ovirt.org/privacy-policy.html
>oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
>List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/KF6PN6WBHPMQ5YKUNI7PU7MSEMIOOXSA/

Best regards,

--
Lucie Leistnerova
Senior Quality Engineer, QE Cloud, RHVM
Red Hat EMEA
IRC: lleistne @ #rhev-qe

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/I56U4I7KFHVJCA3OXSIO4TNFK76SCFEG/

[ovirt-users] Re: Multitenant scenario in oVirt
On April 15, 2020 7:57:47 PM GMT+03:00, michal.gutow...@oracle.com wrote:
>In the VM Portal the behaviour is similar - I can still see vms from both Data Centers and that doesn't help either.
>
>Michal

Have you tried with a less privileged user? Maybe the current role has an issue.

Best Regards,
Strahil Nikolov

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/XA6SBN4M2HW6EW55MI2KHY4WRP6GQSAG/

[ovirt-users] Re: Multitenant scenario in oVirt
In the VM Portal the behaviour is similar - I can still see vms from both Data Centers and that doesn't help either.

Michal

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/T54HQJGJUODVHSOERO7PBOUL3CIGLITJ/

[ovirt-users] Re: Multitenant scenario in oVirt
On April 15, 2020 11:55:04 AM GMT+03:00, Michal Gutowski wrote:
>Hi oVirt community,
>
>I'm playing with a multitenant use-case in oVirt 3.4.6... My setup is as follows:
>- I have two working Data Centers (DC1 and DC2)
>- I created two additional users DC1-admin and DC2-admin
>- In DC1 permission settings I've added DC1-admin as a user with a builtin DataCenterAdmin Role.
>- In DC2 permission settings I've added DC2-admin as a user with a builtin DataCenterAdmin Role.
>
>Now in terms of permissions all is good: DC1-admin is not able to modify anything in DC2 and DC2-admin is not able to modify anything in DC1.
>
>However in both the Admin Portal and the VM Portal DC1-admin and DC2-admin can still see all other datacenter resources.
>My expectation was that if I login to the Admin Portal as e.g. DC2-admin I will only see DC2 datacenter in the GUI and nothing else. Same with VM Portal. I played with different user settings but I couldn't make it work...
>
>I think the problem is that whatever user you create it will always belong to the built-in "everyone" group and inherit permission to see everything in the portal.
>Is it possible to achieve a scenario where e.g. DC2-admin will login to the Admin Portal and only see resources that belong to DC2 and nothing else?
>
>Thanks,
>Michal

I haven't played a lot, but I think this behaviour is only possible in the VM portal. Maybe someone else can correct me.

Best Regards,
Strahil Nikolov

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/SYHSXO5THW5TDXMNL35MFVHDMJW4HSYH/