Hi Pavel,

Well, I suppose it is the default. I was also struggling with it and finally I had to replace the default ACLs with more strict ones.

You can try to solve the network separation on template level if you don't want to play with ACLs.

Ondra

-----Original Message-----
From: Pavel Tankov [mailto:[email protected]]
Sent: Friday, October 24, 2014 4:01 PM
To: Hamada, Ondrej; [email protected]
Subject: Re: [one-users] How to protect a virtual network from being used by users?

Hello Ondra,

You are right, I just saw the ACLs. They are by default created like this:

    $ oneacl list
      ID USER RES_VHNIUTGDCOZ RID OPE_UMAC ZONE
       0 @1   V-NI-T---O-     *   ---c     #0
       1 *    ----------Z     *   u---     *
       2 @1   -H---------     *   -m--     #0
       3 @1   --N----D---     *   u---     #0

(or see the attached screen shot)

The group named "users" is denoted by @1. So, it looks like in the very first ACL (ID 0) the group @1 (users) is granted a "CREATE" permission on all Virtual Networks (Resource ID *). Which may be OK or not, it depends what you want. But then ACL (ID 3) grants the group @1 (users) the permission to use any Virtual Network (RID *). The ACLs have permissive nature so once granted I can't restrict it with a later rule. I could only re-write the default ACLs completely, which I am not quite willing to try.

The documentation says (http://docs.opennebula.org/4.8/administration/users_and_groups/manage_acl.html):

    Please note: the ACL rules are an advanced mechanism. For most use cases, you should be able to rely on the built-in resource permissions and the ACL Rules created automatically when a group is created, and when a resource provider is added.

But it looks like *all* Virtual Networks are meant to be used by *anyone* by default and there is not much I can do about it with the normal means, namely with the resource permissions. Is that so, indeed, or where am I wrong?

Pavel Tankov

On 10/24/2014 04:33 PM, Hamada, Ondrej wrote:
> Hi Pavel,
>
> Have you checked ACLs as well? I guess that one of the default ACL grants all
> users the 'use' permission for all 'networks'.
>
> Ondra
>
> -----Original Message-----
> From: Users [mailto:[email protected]] On Behalf Of Pavel Tankov
> Sent: Friday, October 24, 2014 12:09 PM
> To: [email protected]
> Subject: [one-users] How to protect a virtual network from being used by users?
>
> Hello,
>
> I (as oneadmin) have configured two virtual networks:
> - one named "default" for use by regular users to deploy disposable test VMs
> - one named "SPECIAL" for use by the admin to create servers that will not be
>   disposable but will stay always ON
>
> Both networks have different IP ranges so that you could easily tell whether
> it's a server or a disposable test VM by looking at its IP address.
>
> I have set up OpenNebula with LDAP authentication. LDAP users authenticate
> just fine and are able to create themselves VMs using those templates that
> the admin has allowed for them. Now, I'd like to make it so that only the
> "default" virtual network is exposed to regular users, and "SPECIAL" is not
> seen by them.
>
> Currently, both networks have the following permissions:
>
> - Owner: use, manage
> - Group: <none>
> - Other: <none>
>
> Users still can use both of these when they deploy a test VM although
> permissions clearly state they shouldn't be able to see any of them.
>
> What is wrong with the permissions?
>
> --
> Pavel Tankov
_______________________________________________
Users mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
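A small audit helper, added here as an example and not part of the thread or of OpenNebula itself: it decodes the compact `oneacl list` table Pavel posted, reports which default rules grant USE on every NET (RID *) to a user or group, and builds the commands that would replace such a rule with one limited to a single VNET while re-granting whatever else the same rule covered (rule 3 also carries DATASTORE). The `oneacl create "<user> <resources>/<rid> <rights>"` form is assumed from the 4.8 ACL docs, the zone is left at its default, and the VNET id is a placeholder.

```python
# Legend for the compact columns of `oneacl list` (OpenNebula 4.x):
# one letter per resource type in RES_VHNIUTGDCOZ, one per right in OPE_UMAC.
RESOURCES = dict(zip("VHNIUTGDCOZ", ["VM", "HOST", "NET", "IMAGE", "USER", "TEMPLATE",
                                     "GROUP", "DATASTORE", "CLUSTER", "DOCUMENT", "ZONE"]))
RIGHTS = dict(zip("umac", ["USE", "MANAGE", "ADMIN", "CREATE"]))

# Constructed copy of the default rules quoted in the thread.
ACL_LIST = """\
  ID USER RES_VHNIUTGDCOZ RID OPE_UMAC ZONE
   0 @1   V-NI-T---O-     *   ---c     #0
   1 *    ----------Z     *   u---     *
   2 @1   -H---------     *   -m--     #0
   3 @1   --N----D---     *   u---     #0
"""

def parse_acl_list(text):
    """Decode each row into a dict; the header row is skipped."""
    rules = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 6:
            continue
        rule_id, user, res, rid, ope, zone = fields
        rules.append({"id": int(rule_id), "user": user, "rid": rid, "zone": zone,
                      "resources": {RESOURCES[c] for c in res if c != "-"},
                      "rights": {RIGHTS[c] for c in ope if c != "-"}})
    return rules

def wildcard_grants(rules, resource, right):
    """IDs of rules granting `right` on *every* `resource` (RID '*')."""
    return [r["id"] for r in rules
            if resource in r["resources"] and right in r["rights"] and r["rid"] == "*"]

def restrict_net_use(rules, vnet_id):
    """Commands replacing each wildcard NET/USE rule with one limited to vnet_id.
    Other resource types the rule covered are re-granted so they are not lost.
    Assumed syntax (from the docs): oneacl create "<user> <res>/<rid> <rights>"."""
    cmds = []
    targets = wildcard_grants(rules, "NET", "USE")
    for r in rules:
        if r["id"] not in targets:
            continue
        rights = "+".join(sorted(r["rights"]))
        cmds.append("oneacl delete %d" % r["id"])
        others = "+".join(sorted(r["resources"] - {"NET"}))
        if others:
            cmds.append('oneacl create "%s %s/* %s"' % (r["user"], others, rights))
        cmds.append('oneacl create "%s NET/#%s %s"' % (r["user"], vnet_id, rights))
    return cmds
```

Running `restrict_net_use(parse_acl_list(ACL_LIST), "<DEFAULT_VNET_ID>")` shows that dropping rule 3 alone would also remove the group's USE on all datastores, which is why the helper re-creates that grant.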
