Hi, I don't know what might be failing here. I just tested it, with these acl rules:
$ oneacl list
   ID     USER RES_VHNIUTGDCO  RID OPE_UMAC
    0       @1 V-NI-T----        * ---c
    1       @1 -H--------        * -m--
    2        * ---------O        * ---c
    3       @1 V---------        * u---

And when a user tries to perform any manage operation on another user's VM, from the CLI or from sunstone, this error is returned:

[VirtualMachineAction] User [2] : Not authorized to perform MANAGE VM [2].

Let's confirm some things first:

- Users and VMs are in the 'users' (1) group.
- VMs do not have MANAGE permissions set with chmod (onevm show gives this information)
- oned.conf does not have an AUTH_MAD/authz defined [1]. Note the Z.
- Can you paste the output of 'oneacl list -x'?
- Just to be sure, check that the operation is actually requested as the user logged in. In /var/log/one/oned.log, you should see the UID of each request, like

Req:1792 UID:2 VirtualMachineAction invoked, "delete", 4

Regards

[1] http://opennebula.org/documentation:rel4.0:oned_conf#auth_manager_configuration

--
Join us at OpenNebulaConf2013 <http://opennebulaconf.com> in Berlin, 24-26 September, 2013
--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open-source Solution for Data Center Virtualization
www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula <http://twitter.com/opennebula>

On Thu, Jun 13, 2013 at 10:16 AM, Valerio Schiavoni <valerio.schiav...@gmail.com> wrote:
> Hello,
> I'm running OpenNebula 4.0.1, freshly installed, and I'd like to implement
> the following use-case ACL-wise: when users login through the sunstone
> interface, they should see if other VMs are currently running and on which
> hosts. Clearly, on VMs owned by other users (even if in the same group), no
> managing actions should be allowed.
>
> This is the current set of ACL rules installed (I believe these are the
> default ones):
>
>    ID     USER RES_VHNIUTGDCO  RID OPE_UMAC
>     0       @1 V-NI-T----        * ---c
>    11       @1 -H--------        * um--
>    16        * ---------O        * ---c
>
> If I add this: "@1 VM/* USE", all users can see all other users' VMs but
> all actions seem to be available (at least through the web interface).
>
> Is this scenario supported somehow?
>
> Thanks,
> Valerio
>
> _______________________________________________
> Users mailing list
> Users@lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
_______________________________________________
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
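As an added illustration (not OpenNebula's own code, and not part of either message in the thread), the following Python model shows how the ACL rows printed by `oneacl list` are matched against a request: a rule applies when its USER column matches the requester (`*`, `#uid` or `@gid`), the resource letter is set in RES_VHNIUTGDCO, the RID column matches the object (`*`, `#id`, or `@gid` for objects owned by that group), and the operation letter is set in OPE_UMAC. Rules only ever grant, so a MANAGE request is refused unless some rule carries the `m` bit for that resource and object. The constructed scenario (user 2 in group 1 acting on VM 4 owned by another member of group 1) and the helper names are assumptions for the example; the owner/group/other bits set with `onevm chmod`, which the reply asks about, are evaluated by oned in addition and are left out of this model.

```python
"""Toy model of how OpenNebula ACL rules (as printed by `oneacl list`) match a request.

Added illustration, not OpenNebula's own code. Only the explicit ACL rules are
modelled; the owner/group/other bits set with `onevm chmod` are checked by oned
in addition and are left out here.
"""
from dataclasses import dataclass

# Column RES_VHNIUTGDCO: one letter per resource type, '-' where the rule does not apply.
RESOURCE_NAMES = {"V": "VM", "H": "HOST", "N": "NET", "I": "IMAGE", "U": "USER",
                  "T": "TEMPLATE", "G": "GROUP", "D": "DATASTORE", "C": "CLUSTER",
                  "O": "DOCUMENT"}
# Column OPE_UMAC: one letter per operation.
OP_NAMES = {"u": "USE", "m": "MANAGE", "a": "ADMIN", "c": "CREATE"}
OP_LETTER = {v: k for k, v in OP_NAMES.items()}
RESOURCE_LETTER = {v: k for k, v in RESOURCE_NAMES.items()}


@dataclass(frozen=True)
class Rule:
    rule_id: int
    user: str                 # '*', '#<uid>' or '@<gid>'
    resources: frozenset      # letters of RESOURCE_NAMES
    rid: str                  # '*', '#<object id>' or '@<gid>' (objects owned by that group)
    ops: frozenset            # letters of OP_NAMES


@dataclass(frozen=True)
class Request:
    uid: int
    gids: frozenset           # groups the requesting user belongs to
    op: str                   # 'USE', 'MANAGE', 'ADMIN' or 'CREATE'
    resource: str             # one letter of RESOURCE_NAMES
    oid: int                  # id of the object acted on
    obj_gid: int              # group that owns the object


def parse_oneacl_table(text):
    """Parse the compact `oneacl list` output (header line plus one row per rule)."""
    rules = []
    for line in text.strip().splitlines()[1:]:
        rule_id, user, res, rid, ops = line.split()
        rules.append(Rule(int(rule_id), user,
                          frozenset(c for c in res if c != "-"), rid,
                          frozenset(c for c in ops if c != "-")))
    return rules


def parse_rule_string(rule_id, text):
    """Parse the `oneacl create` syntax, e.g. '@1 VM/* USE' or '@1 VM+IMAGE/@1 USE+MANAGE'."""
    user, res_rid, ops = text.split()
    res_names, rid = res_rid.split("/")
    return Rule(rule_id, user,
                frozenset(RESOURCE_LETTER[n] for n in res_names.split("+")), rid,
                frozenset(OP_LETTER[o] for o in ops.split("+")))


def _subject_matches(spec, req):
    """USER column: '*' anyone, '#uid' one user, '@gid' members of a group."""
    if spec == "*":
        return True
    if spec.startswith("#"):
        return int(spec[1:]) == req.uid
    return spec.startswith("@") and int(spec[1:]) in req.gids


def _object_matches(spec, req):
    """RID column: '*' any object, '#id' one object, '@gid' objects owned by a group."""
    if spec == "*":
        return True
    if spec.startswith("#"):
        return int(spec[1:]) == req.oid
    return spec.startswith("@") and int(spec[1:]) == req.obj_gid


def matching_rules(rules, req):
    """Return the ids of all rules that grant the requested operation (ACL is grant-only)."""
    return [r.rule_id for r in rules
            if _subject_matches(r.user, req)
            and req.resource in r.resources
            and _object_matches(r.rid, req)
            and OP_LETTER[req.op] in r.ops]


def is_authorized(rules, req):
    return bool(matching_rules(rules, req))


# Rules as shown in the reply above (constructed copy of the `oneacl list` output).
REPLY_RULES = """\
ID USER RES_VHNIUTGDCO RID OPE_UMAC
0 @1 V-NI-T---- * ---c
1 @1 -H-------- * -m--
2 * ---------O * ---c
3 @1 V--------- * u---
"""

if __name__ == "__main__":
    rules = parse_oneacl_table(REPLY_RULES)
    # Constructed scenario: user 2 (group 1) acts on VM 4, owned by another user in group 1.
    for op in ("USE", "MANAGE"):
        req = Request(uid=2, gids=frozenset({1}), op=op, resource="V", oid=4, obj_gid=1)
        print(op, "->", "granted by rules" if is_authorized(rules, req) else "not authorized",
              matching_rules(rules, req))
```

Run against the four rules from the reply, USE on the other user's VM is granted by rule 3 alone and MANAGE matches nothing, which is the behaviour the reply reports. Adding "@1 VM/* USE" to the original three rules from the question likewise grants only USE, so if manage actions still succeed in practice, the extra permission has to come from somewhere the ACL table does not show, which is why the reply asks about chmod bits, the authz driver and the UID in oned.log.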