In that link, the referenced permissions don't exist under "configure" when logged in to the admin portal; I must be missing some finer detail. Also the system permissions section in "Configure" doesn't allow you to add the user "everyone" -- and since we're not using LDAP groups, that complicates things.
Before I switched to our corporate LDAP, I used a group in a private LDAP server and everything worked great, permissions were fine as I describe -- but since we switched to Corp LDAP, they don't use the concept of groups. I tried changing to use the "everyone" user to assign permissions, which works great except this one scenario where they have 0 VMs in their name.

On Tue, Jun 30, 2015 at 3:19 PM, Donny Davis <[email protected]> wrote:

> http://lists.ovirt.org/pipermail/users/2015-January/030981.html
> On Jun 30, 2015 6:16 PM, "Donny Davis" <[email protected]> wrote:
>
>> Add login permissions only at the data center for the group. This allows
>> them to log in, but not view anything. You have to create a custom
>> permission to do what you are looking for.
>> On Jun 30, 2015 6:13 PM, "David Smith" <[email protected]> wrote:
>>
>>> Correct, each user has their own VMs. Only a few share VMs (those
>>> permissions are assigned manually).
>>>
>>> The issue is that when they have 0 VMs assigned to them, the system
>>> throws the login error that they're not authorized, at least until I
>>> add a placeholder VM so they can log in and set themselves up.
>>>
>>> On Tue, Jun 30, 2015 at 3:09 PM, Donny Davis <[email protected]> wrote:
>>>
>>>> You are looking for this to look like it's multi-tenant?
>>>>
>>>> I set up CloudSpin to do exactly that. Each user can only see their
>>>> own VMs.
>>>> Do I have your question correct?
>>>>
>>>> Donny D
>>>> On Jun 30, 2015 5:27 PM, "David Smith" <[email protected]> wrote:
>>>>
>>>>> version 3.5.2-1.el6
>>>>> using ldap authz; this piece is working OK, and verified OK.
>>>>>
>>>>> I use the "Everyone" user to provide default permissions; that
>>>>> includes PowerUserRole for the data center, a bunch of
>>>>> usertemplatebasedVMs, some VnicProfileUser, DiskProfileUser, etc.
>>>>>
>>>>> I add a new user in LDAP, and verify LDAP credentials work (i.e., log
>>>>> in to another system that uses the same LDAP server).
>>>>> LDAP confirmed working for *other* oVirt users -- not an LDAP issue
>>>>> as far as I can tell.
>>>>>
>>>>> I do *not* specifically add each LDAP user to oVirt, they're added to
>>>>> "groups" in LDAP, so if they have the right group, they should be
>>>>> able to authenticate to oVirt and use the system without me adding
>>>>> each user individually.
>>>>>
>>>>> In any case the narrowed-down problem is this:
>>>>> If the user doesn't have permissions (UserRole, etc) for *any* VMs,
>>>>> instead of logging in and getting a blank VM list, they get "User is
>>>>> not authorized to perform this action."
>>>>>
>>>>> If I add that specific user to a test placeholder VM, they can log in.
>>>>> Once they have a VM created, I can erase their user-specific
>>>>> permissions to that initial test VM and everything works as expected.
>>>>> They are able to log in, create VMs, etc.
>>>>>
>>>>> If I remove all permissions for VMs from a user, they get this error.
>>>>>
>>>>> Expected behavior:
>>>>> User without any permissions to any VMs should simply get a blank VM
>>>>> list on login. That way they can create a VM and go from there.
>>>>>
>>>>> Thanks for any help/suggestions,
>>>>> David
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> [email protected]
>>>>> http://lists.ovirt.org/mailman/listinfo/users

