Hello Carlos, thanks for your support.

On Thu, Jun 13, 2013 at 11:35 AM, Carlos Martín Sánchez <cmar...@opennebula.org> wrote:
>
> 3 @1 V--------- * u---
>

This now works correctly! The problem was due to a misunderstanding from my side. I was relying on the web interface, and I was somehow expecting the buttons of the GUI not to be clickable if the corresponding actions are not authorized! As a matter of fact, when the user clicks on such actions for not-owned VMs, the alerts pop out and the action is correctly blocked.

Thank you very much for the help.

best,
valerio

>
> And when a user tries to perform any manage operation on another user's
> VM, from the CLI or from sunstone, this error is returned:
> [VirtualMachineAction] User [2] : Not authorized to perform MANAGE VM [2].
>
> Let's confirm some things first:
> - Users and VMs are in the 'users' (1) group.
> - VMs do not have MANAGE permissions set with chmod (onevm show gives this
> information)
> - oned.conf does not have an AUTH_MAD/authz defined [1]. Note the Z.
> - Can you paste the output of 'oneacl list -x'?
> - Just to be sure, check that the operation is actually requested as the
> user logged in. In /var/log/one/oned.log, you should see the UID of each
> request, like
> Req:1792 UID:2 VirtualMachineAction invoked, "delete", 4
>
> Regards
>
> [1]
> http://opennebula.org/documentation:rel4.0:oned_conf#auth_manager_configuration
>
> --
> Join us at OpenNebulaConf2013 <http://opennebulaconf.com> in Berlin,
> 24-26 September, 2013
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - The Open-source Solution for Data Center Virtualization
> www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula <http://twitter.com/opennebula>
>
>
> On Thu, Jun 13, 2013 at 10:16 AM, Valerio Schiavoni <
> valerio.schiav...@gmail.com> wrote:
>
>> Hello,
>> I'm running OpenNebula 4.0.1, freshly installed, and I'd like to
>> implement the following use-case ACL-wise: when users log in through the
>> sunstone interface, they should see if other VMs are currently running and
>> on which hosts. Clearly, on VMs owned by other users (even if in the same
>> group), no managing actions should be allowed.
>>
>> This is the current set of ACL rules installed (I believe these are the
>> default ones):
>>
>> ID USER RES_VHNIUTGDCO RID OPE_UMAC
>>  0   @1     V-NI-T----   *     ---c
>> 11   @1     -H--------   *     um--
>> 16    *     ---------O   *     ---c
>>
>>
>> If I add this: "@1 VM/* USE" , all users can see all other users' VMs but
>> all actions seem to be available (at least through the web interface).
>>
>> Is this scenario supported somehow?
>>
>> Thanks,
>> Valerio
>>
>> _______________________________________________
>> Users mailing list
>> Users@lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>>
>
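
The rule set discussed in this thread can be checked mechanically. The following Python script is an added example, not part of the thread and not OpenNebula code: it decodes the table printed by `oneacl list` and computes which rights the rules grant a user on a resource type. The letter meanings are assumed from the RES_VHNIUTGDCO and OPE_UMAC column headers, the function names are hypothetical, and the sample table is constructed from the rows quoted above.

```python
# Added example: decode `oneacl list` rows and compute the rights they grant.
# Letter meanings are assumed from the RES_VHNIUTGDCO / OPE_UMAC column headers.
RESOURCES = dict(zip("VHNIUTGDCO", ["VM", "HOST", "NET", "IMAGE", "USER", "TEMPLATE",
                                    "GROUP", "DATASTORE", "CLUSTER", "DOCUMENT"]))
RIGHTS = dict(zip("umac", ["USE", "MANAGE", "ADMIN", "CREATE"]))

# Constructed sample: the rules quoted in the thread, including rule 3.
SAMPLE = """\
ID USER RES_VHNIUTGDCO RID OPE_UMAC
 0   @1     V-NI-T----   *     ---c
 3   @1     V---------   *     u---
11   @1     -H--------   *     um--
16    *     ---------O   *     ---c
"""

def parse_acl_list(text):
    """Turn the table printed by `oneacl list` into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue  # header, blank line or anything that is not a rule row
        acl_id, user, res, rid, ops = fields
        rules.append({
            "id": int(acl_id),
            "user": user,  # '*' = everyone, '@N' = group N, '#N' = user N
            "resources": {RESOURCES[c] for c in res if c != "-"},
            "rid": rid,    # '*' = every object of the resource type
            "rights": {RIGHTS[c] for c in ops if c != "-"},
        })
    return rules

def granted_rights(rules, uid, gid, resource):
    """Rights the ACL rules give user `uid` (group `gid`) on ALL objects of `resource`."""
    who = {"*", f"#{uid}", f"@{gid}"}
    rights = set()
    for rule in rules:
        if rule["user"] in who and rule["rid"] == "*" and resource in rule["resources"]:
            rights |= rule["rights"]
    return rights

if __name__ == "__main__":
    rules = parse_acl_list(SAMPLE)
    for res in ("VM", "HOST", "DOCUMENT"):
        print(res, sorted(granted_rights(rules, uid=2, gid=1, resource=res)))
    # MANAGE on VM must come from ownership or permission bits, not from these rules
    assert "MANAGE" not in granted_rights(rules, 2, 1, "VM")
```

The script models ACL rules only; the per-object permission bits set with chmod, which the checklist above asks about, are evaluated separately by OpenNebula and are not covered here.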