Can you assign a specific user the power user role that has no VMs assigned to them? Can that user log in?

On Jun 30, 2015 6:32 PM, "David Smith" <[email protected]> wrote:

> The users are attempting to log in via the user portal when they get the
> error.
>
> On Tue, Jun 30, 2015 at 3:28 PM, Donny Davis <[email protected]> wrote:
>
>> The power user role covers login, so that is not your problem. Is this
>> on the user portal or webadmin?
>>
>> On Jun 30, 2015 6:20 PM, "David Smith" <[email protected]> wrote:
>>
>>> I used the "everyone" user at the data center level and added the
>>> permissions/role of "PowerUserRole"
>>>
>>> What other permission/role are you saying I should assign?
>>>
>>> Unfortunately we aren't using an "ldap group" so there's nothing to
>>> assign to an ldap group-- the users are filtered in such a manner that if
>>> they auth and get through the filter they should have access.
>>>
>>> On Tue, Jun 30, 2015 at 3:16 PM, Donny Davis <[email protected]> wrote:
>>>
>>>> Add login permissions only at the data center for the group. This
>>>> allows them to log in, but not view anything. You have to create custom
>>>> permission to do what you are looking for.
>>>>
>>>> On Jun 30, 2015 6:13 PM, "David Smith" <[email protected]> wrote:
>>>>
>>>>> Correct, each user has their own VMs. Only a few share VMs (those
>>>>> permissions are assigned manually)
>>>>>
>>>>> The issue is that when they have 0 VMs assigned to them, the system
>>>>> throws the login error that they're not authorized, at least until I add a
>>>>> placeholder VM so they can log in and set themselves up.
>>>>>
>>>>> On Tue, Jun 30, 2015 at 3:09 PM, Donny Davis <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> You are looking for this to look like it's multi-tenant?
>>>>>>
>>>>>> I set up CloudSpin to do exactly that. Each user can only see their
>>>>>> own VMs.
>>>>>> Do I have your question correct?
>>>>>>
>>>>>> Donny D
>>>>>>
>>>>>> On Jun 30, 2015 5:27 PM, "David Smith" <[email protected]> wrote:
>>>>>>
>>>>>>> version 3.5.2-1.el6
>>>>>>> using ldap authz; this piece is working OK, and verified OK.
>>>>>>>
>>>>>>> I use the "Everyone" user to provide default permissions; that
>>>>>>> includes PowerUserRole for the data center, a bunch of
>>>>>>> usertemplatebasedVMs, some VnicProfileUser, DiskProfileUser, etc.
>>>>>>>
>>>>>>> I add a new user in LDAP; and verify LDAP credentials work (i.e., log
>>>>>>> in to another system that uses the same ldap server)
>>>>>>> LDAP confirmed working for *other* ovirt users-- not an LDAP issue
>>>>>>> as far as I can tell.
>>>>>>>
>>>>>>> I do *not* specifically add each LDAP user to oVirt, they're added
>>>>>>> to "groups" in LDAP, so if they have the right group, they should be
>>>>>>> able to authenticate to oVirt and use the system without me adding
>>>>>>> each user individually.
>>>>>>>
>>>>>>> In any case the narrowed down problem is this:
>>>>>>> If the user doesn't have permissions (UserRole, etc) for *any* VMs,
>>>>>>> instead of logging in and getting a blank VM list, they get "User is not
>>>>>>> authorized to perform this action."
>>>>>>>
>>>>>>> If I add that specific user to a test placeholder VM, they can log
>>>>>>> in. Once they have a VM created, I can erase their user-specific
>>>>>>> permissions to that initial test VM and everything works as expected.
>>>>>>> They are able to log in, create VMs, etc.
>>>>>>>
>>>>>>> If I remove all permissions for VMs from a user, they get this error.
>>>>>>>
>>>>>>> Expected behavior:
>>>>>>> User without any permissions to any VMs should simply get a blank VM
>>>>>>> list on login. That way they can create a VM and go from there.
>>>>>>>
>>>>>>> Thanks for any help/suggestions,
>>>>>>> David
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> [email protected]
>>>>>>> http://lists.ovirt.org/mailman/listinfo/users

