I don't understand what "to solve the network separation on template level" means. Could you please clarify?

Pavel Tankov

On 10/24/2014 05:18 PM, Hamada, Ondrej wrote:
Hi Pavel,

Well, I suppose it is the default. I was also struggling with it and finally I 
had to replace the default ACLs with more strict ones.

You can try to solve the network separation on template level if you don't want 
to play with ACLs.

Ondra

-----Original Message-----
From: Pavel Tankov [mailto:pavel.tan...@strategyobject.com]
Sent: Friday, October 24, 2014 4:01 PM
To: Hamada, Ondrej; users@lists.opennebula.org
Subject: Re: [one-users] How to protect a virtual network from being used by users?

Hello Ondra,

You are right, I just saw the ACLs. They are by default created like this:

$ oneacl list
     ID     USER RES_VHNIUTGDCOZ   RID OPE_UMAC  ZONE
      0       @1     V-NI-T---O-     *     ---c    #0
      1        *     ----------Z     *     u---     *
      2       @1     -H---------     *     -m--    #0
      3       @1     --N----D---     *     u---    #0

(or see the attached screen shot)

The group named "users" is denoted by @1. So, it looks like in the very first ACL (ID 0) 
the group @1 (users) is granted a "CREATE" permission on all Virtual Networks (Resource 
ID *), which may or may not be OK, depending on what you want.

But then ACL (ID 3) grants the group @1 (users) the permission to use any 
Virtual Network (RID *). The ACLs have permissive nature so once granted I 
can't restrict it with a later rule. I could only re-write the default ACLs 
completely, which I am not quite willing to try.

The documentation says
(http://docs.opennebula.org/4.8/administration/users_and_groups/manage_acl.html):

Please note: the ACL rules are an advanced mechanism. For most use cases, you 
should be able to rely on the built-in resource permissions and the ACL Rules 
created automatically when a group is created, and when a resource provider is 
added.

But it looks like *all* Virtual Networks are meant to be used by
*anyone* by default and there is not much I can do about it with the normal 
means, namely with the resource permissions.

Is that so, indeed, or where am I wrong?

Pavel Tankov

On 10/24/2014 04:33 PM, Hamada, Ondrej wrote:
Hi Pavel,

Have you checked ACLs as well? I guess that one of the default ACL grants all 
users the 'use' permission for all 'networks'.

Ondra

-----Original Message-----
From: Users [mailto:users-boun...@lists.opennebula.org] On Behalf Of
Pavel Tankov
Sent: Friday, October 24, 2014 12:09 PM
To: users@lists.opennebula.org
Subject: [one-users] How to protect a virtual network from being used by users?

Hello,

I (as oneadmin) have configured two virtual networks:
- one named "default" for use by regular users to deploy disposable
test VMs
- one named "SPECIAL" for use by the admin to create servers that will
not be disposable but will stay always ON

Both networks have different IP ranges so that you could easily tell whether 
it's a server or a disposable test VM by looking at its IP address.

I have set up OpenNebula with LDAP authentication. LDAP users authenticate just fine and are able 
to create VMs for themselves using those templates that the admin has allowed for them. Now, I'd like 
to make it so that only the "default" virtual network is exposed to regular users, and 
"SPECIAL" is not seen by them.

Currently, both networks have the following permissions:

- Owner: use, manage
- Group: <none>
- Other: <none>

Users still can use both of these when they deploy a test VM although 
permissions clearly state they shouldn't be able to see any of them.

What is wrong with the permissions?

--
Pavel Tankov
_______________________________________________
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
________________________________
This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you for understanding.
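An added example, not part of the thread or of OpenNebula's own code: a small Python model of how the ACL rules in the `oneacl list` output quoted above are matched (requesting user or group, resource type, resource ID, operation, zone). It shows why default rule 3 grants group @1 USE on every virtual network, that rules are additive so no later rule can take that away, and how narrowing rule 3 to a single network ID changes the outcome. The model covers only the ACL rules, not the per-resource owner/group/other permission bits, and the network IDs used (1 for "default", 7 for "SPECIAL") are assumed.

```python
from collections import namedtuple

# Column order of RES_VHNIUTGDCOZ and the letters of OPE_UMAC in `oneacl list`.
RES_NAMES = dict(zip("VHNIUTGDCOZ", ["VM", "HOST", "NET", "IMAGE", "USER", "TEMPLATE",
                                    "GROUP", "DATASTORE", "CLUSTER", "DOCUMENT", "ZONE"]))
OPS = {"u": "USE", "m": "MANAGE", "a": "ADMIN", "c": "CREATE"}

# Constructed copy of the default rules quoted in the thread.
ONEACL_LIST = """\
     ID     USER RES_VHNIUTGDCOZ   RID OPE_UMAC  ZONE
      0       @1     V-NI-T---O-     *     ---c    #0
      1        *     ----------Z     *     u---     *
      2       @1     -H---------     *     -m--    #0
      3       @1     --N----D---     *     u---    #0
"""
# user: '*' anyone, '#uid' one user, '@gid' one group.
# rid:  '*' any object, '#id' one object, '@gid' objects owned by a group.
Rule = namedtuple("Rule", "id user resources rid ops zone")

def parse_oneacl(text):
    rules = []
    for line in text.splitlines()[1:]:                   # skip the header row
        rule_id, user, res, rid, ope, zone = line.split()
        rules.append(Rule(int(rule_id), user, {RES_NAMES[c] for c in res if c != "-"},
                          rid, {OPS[c] for c in ope if c != "-"}, zone))
    return rules

def granting_rules(rules, uid, gids, res_type, op, res_id, res_gid, zone=0):
    """IDs of every rule that grants the request; an empty list means denied.
    Rules are additive: any match allows, so no later rule can revoke a grant."""
    return [r.id for r in rules
            if r.user in ("*", f"#{uid}", *(f"@{g}" for g in gids))
            and res_type in r.resources and op in r.ops
            and r.rid in ("*", f"#{res_id}", f"@{res_gid}")
            and r.zone in ("*", f"#{zone}")]

def rescope_net(rules, rule_id, net_id):
    """Copy of the rule set where rule `rule_id` no longer grants NET/*: its NET
    part is narrowed to one network (#net_id), other resource types keep '*'."""
    out = []
    for r in rules:
        if r.id == rule_id and "NET" in r.resources:
            if r.resources - {"NET"}:
                out.append(r._replace(resources=r.resources - {"NET"}))
            out.append(r._replace(resources={"NET"}, rid=f"#{net_id}"))
        else:
            out.append(r)
    return out
```

With the default rules, a user in group @1 gets USE on network 7 ("SPECIAL") through rule 3 alone; after `rescope_net(rules, 3, 1)` the same request matches no rule, while USE on network 1 and on datastores is still granted.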