Hi Wilma,

FWIW, in OpenNebula 4.6 we are changing the mechanism to define views
for users and groups. The list of valid views will be associated with
groups, more precisely in the group's template.

When Sunstone logs in a new user, it will request all her groups
(principal and secondary) and add all the views available for those
groups. This will have the added benefit of not having to restart
Sunstone anytime a group-view association is changed.

Regards,

-Tino

--
OpenNebula - Flexible Enterprise Cloud Made Simple

--
Constantino Vázquez Blanco, PhD, MSc
Senior Infrastructure Architect at C12G Labs
www.c12g.com | @C12G | es.linkedin.com/in/tinova


On 14 April 2014 15:49, Wilma Hermann <wilma.herm...@gmail.com> wrote:
> Hi,
>
> Good idea, but with the admin group as secondary group the admin user gets
> the 'user' view in Sunstone, not the 'admin' view. It seems that views
> defined for secondary groups do not appear in Sunstone's settings. After
> defining the 'admin' view for that particular user, I can select it, but I
> find this complicated. This way, adding an admin requires me to edit
> sunstone-views.yaml (that's not really the problem) and restart Sunstone
> (which kicks all users out of their sessions). It's not really a big deal (I
> don't add admins on a daily basis), but I would have expected that Sunstone
> offers me all views that are defined for all groups that I am a (primary or
> secondary) member of.
>
> Greetings
> Wilma
>
> 2014-04-10 16:48 GMT+02:00 Carlos Martín Sánchez <cmar...@opennebula.org>:
>
>> Hi,
>>
>> On Wed, Apr 9, 2014 at 5:27 PM, Wilma Hermann <wilma.herm...@gmail.com>
>> wrote:
>>>
>>> Hi,
>>>
>>> To answer my own mail, I could resolve both problems. For the sake of
>>> completeness, here's how:
>>>
>>> I'm using a hook to change a new user's group after creation using the
>>> approach from this thread:
>>> http://lists.opennebula.org/pipermail/users-opennebula.org/2013-September/024648.html
>>
>>
>> You could also put your admin user in the users group as the primary
>> group, and add the admin group as a secondary group. This way all new
>> users will belong to the 'users' group.
>>
>> Regards
>>
>> --
>> Carlos Martín, MSc
>> Project Engineer
>> OpenNebula - Flexible Enterprise Cloud Made Simple
>> www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula
>>
>>
>>>
>>>
>>> The problem here was that I used the vdcadmin view in Sunstone for the
>>> user. By debugging I found out that the list of groups in Sunstone is
>>> populated by some JavaScript loaded by the groups panel. In the vdcadmin
>>> view, the groups panel is disabled by default, therefore the list of groups
>>> is empty. It's arguably either a bug or a strict permission management
>>> thing, I can't judge that. However, if I enable the groups panel and
>>> prevent the user from doing changes to the groups, I have everything I
>>> wanted to build.
>>>
>>> Greetings
>>> Wilma
>>>
>>>
>>>
>>> 2014-04-07 13:35 GMT+02:00 Wilma Hermann <wilma.herm...@gmail.com>:
>>>
>>>> Hi,
>>>>
>>>> Thanks for the info, it was very useful. I'm still having two issues:
>>>>
>>>> The default group of a new user is the same as the creating user's one.
>>>> I would like to have new users in the "users" group by default. Is there a
>>>> way to change this behavior?
>>>>
>>>> In Sunstone, the user doing the user management does not see the
>>>> existing groups even though he ought to. I created an ACL "#<user_id>
>>>> GROUP/* USE+MANAGE+ADMIN", but still the list of groups I can assign to a
>>>> user through Sunstone is empty (Even the string "Please select" does not
>>>> appear). On the command line, a "oneuser chgrp" works flawlessly using this
>>>> account, so I guess it's a bug in Sunstone.
>>>>
>>>> Greetings
>>>> Wilma
>>>>
>>>> 2014-04-04 10:34 GMT+02:00 Carlos Martín Sánchez
>>>> <cmar...@opennebula.org>:
>>>>
>>>> > Hi,
>>>> >
>>>> > Adding to what Rubén said, the acl modification is only allowed for
>>>> > users in
>>>> > the oneadmin group.
>>>> >
>>>> > Make sure you use the reference command-auth tables in the xml-rpc doc
>>>> > [1]
>>>> > to create your rules.
>>>> >
>>>> > For example, oneuser passwd requires USER:MANAGE. The rule "#<user_id>
>>>> > USER/* USE+MANAGE+ADMIN" will allow your user to change oneadmin's
>>>> > password.
>>>> > In this case, you will want to create a rule targeting each group
>>>> > (excluding
>>>> > oneadmin).
>>>> >
>>>> > Regards
>>>> >
>>>> > [1]
>>>> >
>>>> > http://docs.opennebula.org/4.4/integration/system_interfaces/api.html#authorization-requests-reference
>>>> > --
>>>> > Carlos Martín, MSc
>>>> > Project Engineer
>>>> > OpenNebula - Flexible Enterprise Cloud Made Simple
>>>> > www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula
>>>> >
>>>> >
>>>> > On Thu, Apr 3, 2014 at 2:19 PM, Ruben S. Montero
>>>> > <rsmont...@opennebula.org>
>>>> > wrote:
>>>> >>
>>>> >> Hi
>>>> >>
>>>> >> Probably, the following may work...
>>>> >>
>>>> >> oneacl create "#<user_id> USER/* CREATE"
>>>> >> oneacl create "#<user_id> USER/* USE+MANAGE+ADMIN"
>>>> >>
>>>> >> Take a look at the ACL guide for more info:
>>>> >>
>>>> >>
>>>> >>
>>>> >> http://docs.opennebula.org/4.4/administration/users_and_groups/manage_acl.html
>>>> >>
>>>> >> Cheers
>>>> >>
>>>> >> Ruben
>>>> >>
>>>> >>
>>>> >>
>>>> >> On Thu, Apr 3, 2014 at 12:08 PM, Wilma Hermann
>>>> >> <wilma.herm...@gmail.com>
>>>> >> wrote:
>>>> >>>
>>>> >>> Hi,
>>>> >>>
>>>> >>> Is it possible to assign limited admin rights to certain accounts? I
>>>> >>> would like to have a user that is allowed to do all the user
>>>> >>> management (creating users, adding users to existing groups, etc.)
>>>> >>> without adding this user to the oneadmin-group. In particular, I
>>>> >>> would
>>>> >>> like to deny this user access to all other users' VMs, templates,
>>>> >>> images, etc. The user also shouldn't have write-access to the ACLs
>>>> >>> (otherwise limits would make no sense obviously).
>>>> >>>
>>>> >>> Greetings
>>>> >>> Wilma
>>>> >>> _______________________________________________
>>>> >>> Users mailing list
>>>> >>> Users@lists.opennebula.org
>>>> >>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >> --
>>>> >> --
>>>> >> Ruben S. Montero, PhD
>>>> >> Project co-Lead and Chief Architect
>>>> >> OpenNebula - Flexible Enterprise Cloud Made Simple
>>>> >> www.OpenNebula.org | rsmont...@opennebula.org | @OpenNebula
>>>> >>
>>>> >>
>>>> >
>>>>
>>>
>>
>
>
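The per-group scoping Carlos describes in the thread (one USER rule per group, leaving out oneadmin, instead of a single USER/* rule), as an added example that is not part of any message above. It only prints the oneacl commands; the group ID 0 for oneadmin and the "USER/@<gid>" resource form are assumptions taken from OpenNebula's defaults and ACL guide, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: emit per-group USER rules for a delegated user manager,
# leaving out the oneadmin group, and flag over-broad USER/* rules.
# Assumptions: oneadmin has group ID 0; "USER/@<gid>" targets one group.

ONEADMIN_GID=0

# gen_user_acls <uid> <gid>...  prints one "oneacl create" line per group.
gen_user_acls() {
    uid=$1; shift
    case $uid in ''|*[!0-9]*) echo "bad user id: $uid" >&2; return 1;; esac
    # Ruben's CREATE rule, kept exactly as posted in the thread.
    echo "oneacl create \"#$uid USER/* CREATE\""
    seen=" "
    for gid in "$@"; do
        case $gid in ''|*[!0-9]*) echo "bad group id: $gid" >&2; return 1;; esac
        [ "$gid" -eq "$ONEADMIN_GID" ] && continue   # never cover oneadmin
        case $seen in *" $gid "*) continue;; esac     # skip duplicate IDs
        seen="$seen$gid "
        echo "oneacl create \"#$uid USER/@$gid USE+MANAGE+ADMIN\""
    done
}

# audit_rules reads rule strings on stdin and prints those that grant
# MANAGE or ADMIN on every user (USER/*), which includes oneadmin's members.
audit_rules() {
    while IFS= read -r rule; do
        case $rule in
            *USER*/\**MANAGE*|*USER*/\**ADMIN*) echo "BROAD: $rule";;
        esac
    done
}
```

Review the printed commands and run them as a member of the oneadmin group, since only that group may modify ACLs.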