[ovirt-users] Re: Multitenant scenario in oVirt

2020-04-16 Thread Lucie Leistnerova

Hi Michal,

On 4/15/20 10:55 AM, Michal Gutowski wrote:

>Hi oVirt community,
>
>I'm playing with a multitenant use-case in oVirt 3.4.6... My setup is
>as follows:
>
>- I have two working Data Centers (DC1 and DC2)
>- I created two additional users DC1-admin and DC2-admin
>- In DC1 permission settings I've added DC1-admin as a user with a
>builtin DataCenterAdmin Role.
>- In DC2 permission settings I've added DC2-admin as a user with a
>builtin DataCenterAdmin Role.
>
>Now in terms of permissions all is good: DC1-admin is not able to
>modify anything in DC2 and DC2-admin is not able to modify anything in
>DC1.
>
>However in both the Admin Portal and the VM Portal DC1-admin and
>DC2-admin can still see all other datacenter resources.
>My expectation was that if I log in to the Admin Portal as e.g.
>DC2-admin I will only see DC2 datacenter in the GUI and nothing else.
>Same with VM Portal. I played with different user settings but I
>couldn't make it work...

DataCenterAdmin is an Administrator role and from what I understand these
roles can see everything. There is no specific user role similar to this
for the whole DC. If you use UserVmManager on a DC it should be propagated to
all VMs in that DC.

Also you can specify your own role in Administration - Configure - Roles.

>I think the problem is that whatever user you create it will always
>belong to the built-in "everyone" group and inherit permission to see
>everything in the portal.
>Is it possible to achieve a scenario where e.g. DC2-admin will log in
>to the Admin Portal and only see resources that belong to DC2 and
>nothing else?
>
>Thanks,
>Michal



___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/KF6PN6WBHPMQ5YKUNI7PU7MSEMIOOXSA/

Best regards,

--
Lucie Leistnerova
Senior Quality Engineer, QE Cloud, RHVM
Red Hat EMEA

IRC: lleistne @ #rhev-qe



[ovirt-users] Re: Multitenant scenario in oVirt

2020-04-15 Thread Strahil Nikolov
On April 15, 2020 7:57:47 PM GMT+03:00, michal.gutow...@oracle.com wrote:
>In the VM Portal the behaviour is similar - I can still see VMs from
>both Data Centers and that doesn't help either.
>
>Michal

Have you tried with a less privileged user?
Maybe the current role has an issue.

Best Regards,
Strahil Nikolov


[ovirt-users] Re: Multitenant scenario in oVirt

2020-04-15 Thread michal . gutowski
In the VM Portal the behaviour is similar - I can still see VMs from both Data 
Centers and that doesn't help either.

Michal


[ovirt-users] Re: Multitenant scenario in oVirt

2020-04-15 Thread Strahil Nikolov
On April 15, 2020 11:55:04 AM GMT+03:00, Michal Gutowski wrote:
>Hi oVirt community,
>
>I'm playing with a multitenant use-case in oVirt 3.4.6... My setup is
>as follows:
>- I have two working Data Centers (DC1 and DC2)
>- I created two additional users DC1-admin and DC2-admin
>- In DC1 permission settings I've added DC1-admin as a user with a
>builtin DataCenterAdmin Role.
>- In DC2 permission settings I've added DC2-admin as a user with a
>builtin DataCenterAdmin Role.
>
>Now in terms of permissions all is good: DC1-admin is not able to
>modify anything in DC2 and DC2-admin is not able to modify anything in
>DC1.
>
>However in both the Admin Portal and the VM Portal DC1-admin and
>DC2-admin can still see all other datacenter resources.
>My expectation was that if I log in to the Admin Portal as e.g.
>DC2-admin I will only see DC2 datacenter in the GUI and nothing else.
>Same with VM Portal. I played with different user settings but I
>couldn't make it work...
>
>I think the problem is that whatever user you create it will always
>belong to the built-in "everyone" group and inherit permission to see
>everything in the portal.
>Is it possible to achieve a scenario where e.g. DC2-admin will log in to
>the Admin Portal and only see resources that belong to DC2 and nothing
>else?
>
>Thanks,
>Michal

I haven't played a lot, but I think this behaviour is only possible in the VM 
portal.

Maybe someone else can correct me.

Best Regards,
Strahil Nikolov