Re: [one-users] Fwd: ACLs and users authentification

[Hector Sanjuan]

Hello,

Which browser and version are you using? The username is missing on the  
Welcome: label on top, which indicates there is a problem with the  
sunstone cookie very possibly. This explains why the chown/chgrp buttons  
are not showing either.

Can you delete cookies and cache and reload? Check that your browser or a  
plugin of it is not blocking cookies etc. Check the browser console for  
any errors, specially javascript-related ones. Thanks!

Hector



En Thu, 06 Sep 2012 09:57:12 +0200, Пярн Артур <dekk...@yandex.ru>  
escribió:

Hi Carlos,

Thank you very much, I understood. It seems the problem is that there is  
no
specific tabs in sunstone they should be - to change owner and group of  
specific
resourse (in screenshots). That's what confussed me.

I found how to do it in CLI, but anyway I don't now why Sunstone working  
not
correctly not showing some tabs. Also Sunstone doesn't show user name in
greeting field (i made red circles around it)

I did defualt installation and changed only system settings in  
sunstone.conf (ports,
vnc, ip, etc.).

Screenshots and sunstone log in attach (NO ERRORS FOUND).

--------------------------------------

Server configuration

--------------------------------------

{:auth=>"sunstone",

:vnc_proxy_cert=>nil,

:vnc_proxy_path=>"/srv/cloud/one/share/noVNC/utils/websockify",

:vnc_proxy_key=>nil,

:vnc_proxy_support_wss=>false,

:debug_level=>3,

:host=>"0.0.0.0",

:vnc_proxy_base_port=>29876,

:port=>8888,

:one_xmlrpc=>"http://localhost:2633/RPC2";,

:core_auth=>"cipher",

:lang=>"en_US"}

== Sinatra/1.3.2 has taken the stage on 8888 for development with backup  
from
Thin

Thu Sep 06 03:24:42 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:42] "GET /  
HTTP/1.1"
200 1595 0.0075

Thu Sep 06 03:24:42 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:42] "GET  
/favicon.ico
HTTP/1.1" 401 - 0.0010

Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "POST  
/login
HTTP/1.1" 204 - 0.0691

Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET /  
HTTP/1.1"
200 4630 0.0067

Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET  
/vendor/noVNC/include/plain.css
HTTP/1.1" 404 466 0.0013

Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET  
/host/monitor?title=graph1&monitor_resources=cpu_usage%2Cused_cpu%2Cmax_$

Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET  
/host/monitor?title=graph2&monitor_resources=mem_usage%2Cused_mem%2Cmax_$

Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET  
/vm/monitor?title=graph3&monitor_resources=total%2Cactive%2Cerror&histor$

Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET  
/config
HTTP/1.1" 200 40 0.0021

Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET  
/vm/monitor?title=graph4&monitor_resources=net_tx%2Cnet_rx&history_lengt$

Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
/user?timeout=false
HTTP/1.1" 200 1432 0.0054

Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
/group?timeout=false
HTTP/1.1" 200 554 0.0042

Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
/acl?timeout=false
HTTP/1.1" 200 1057 0.0046

Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
/vm?timeout=false
HTTP/1.1" 200 4255 0.0079

Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
/vmtemplate?timeout=false
HTTP/1.1" 200 2978 0.0072

Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
/image?timeout=false
HTTP/1.1" 200 3632 0.0077

Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
/cluster?timeout=false
HTTP/1.1" 200 27 0.0344

Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
/host?timeout=false
HTTP/1.1" 200 2498 0.0088

Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
/datastore?timeout=false
HTTP/1.1" 200 1580 0.0052

Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET  
/vnet?timeout=false
HTTP/1.1" 200 1406 0.0051

etc.

05.09.2012, 19:20, "Carlos Martín Sánchez" <cmar...@opennebula.org>:

Hi,

That's not the normal behaviour, you may have changed some configuration  
during
your tests.

ACL rules in OpenNebula only add permissions, there is no option to make  
other
resources invisible, because by default they are.

Users can only list the resources they have USE permissions over. If  
your users
can list VMs from other group, it is because you have an ACL that allows  
it, or
because you changed the VM permissions to allow USE to 'others', see [1].

If you need more specific help, please include the output of oneacl list.

Regards,

Carlos

[1] http://opennebula.org/documentation:rel3.6:chmod

--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open-source Solution for Data Center Virtualization

www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula


On Wed, Sep 5, 2012 at 3:37 PM, Пярн Артур <dekk...@yandex.ru> wrote:

Hi

I'm testing opennebula in multi-tenant envirements and found an  
upsetting issue.

When i put users in groups (for example company A and company B groups),  
i can't
find anything in options and in documentation (ACLs, etc.) to make  
company A VMs
invisible to company B VMs and opposite.

They just can't do anything with not their own machines, but the still  
see all
the pool of virtual machines. This is not good in such case.

I will be pleased to hear any advice.

Thank you in advance.



--
Hector Sanjuan
OpenNebula Developer
_______________________________________________
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org