I see. Well if the users are controlling the VMs only via sunstone, you can 
disable the 'add nic' function for the 'user/cloud' view. But I suppose that 
replacing the default ACLs is the best option.

-----Original Message-----
From: Pavel Tankov [mailto:pavel.tan...@strategyobject.com]
Sent: Tuesday, October 28, 2014 12:59 PM
To: Hamada, Ondrej; users@lists.opennebula.org
Subject: Re: [one-users] How to protect a virtual network from being used by 
users?

That's exactly what I had done. The problem is that users are able to change 
the network when they instantiate the template. They can add/remove networks at 
will.

Pavel Tankov

On 10/27/2014 11:11 PM, Hamada, Ondrej wrote:
> Hi Pavel,
>
> Create two templates - first one uses the public network and all users are 
> allowed to instantiate this template. The second template uses the restricted 
> network and is allowed to be used only by admins.
>
> Ondra
>
> -----Original Message-----
> From: Pavel Tankov [mailto:pavel.tan...@strategyobject.com]
> Sent: Monday, October 27, 2014 11:16 AM
> To: Hamada, Ondrej; users@lists.opennebula.org
> Subject: Re: [one-users] How to protect a virtual network from being used by 
> users?
>
> I don't understand what is "to solve the network separation on template 
> level". Could you, please, clarify?
>
> Pavel Tankov
>
> On 10/24/2014 05:18 PM, Hamada, Ondrej wrote:
>> Hi Pavel,
>>
>> Well, I suppose it is the default. I was also struggling with it and finally 
>> I had to replace the default ACLs with more strict ones.
>>
>> You can try to solve the network separation on template level if you don't 
>> want to play with ACLs.
>>
>> Ondra
>>
>> -----Original Message-----
>> From: Pavel Tankov [mailto:pavel.tan...@strategyobject.com]
>> Sent: Friday, October 24, 2014 4:01 PM
>> To: Hamada, Ondrej; users@lists.opennebula.org
>> Subject: Re: [one-users] How to protect a virtual network from being used by 
>> users?
>>
>> Hello Ondra,
>>
>> You are right, I just saw the ACLs. They are by default created like this:
>>
>> $ oneacl list
>>       ID     USER RES_VHNIUTGDCOZ   RID OPE_UMAC  ZONE
>>        0       @1     V-NI-T---O-     *     ---c    #0
>>        1        *     ----------Z     *     u---     *
>>        2       @1     -H---------     *     -m--    #0
>>        3       @1     --N----D---     *     u---    #0
>>
>> (or see the attached screen shot)
>>
>> The group named "users" is denoted by @1. So, it looks like in the very 
>> first ACL (ID 0) the group @1 (users) is granted a "CREATE" permission on 
>> all Virtual Networks (Resource ID *). Which may be OK or not, it depends on 
>> what you want.
>>
>> But then ACL (ID 3) grants the group @1 (users) the permission to use any 
>> Virtual Network (RID *). The ACLs have permissive nature so once granted I 
>> can't restrict it with a later rule. I could only re-write the default ACLs 
>> completely, which I am not quite willing to try.
>>
>> The documentation says
>> (http://docs.opennebula.org/4.8/administration/users_and_groups/manage_acl.html):
>>
>> Please note: the ACL rules is an advanced mechanism. For most use cases, you 
>> should be able to rely on the built-in resource permissions and the ACL 
>> Rules created automatically when a group is created, and when a resource 
>> provider is added.
>>
>> But it looks like *all* Virtual Networks are meant to be used by
>> *anyone* by default and there is not much I can do about it with the normal 
>> means, namely with the resource permissions.
>>
>> Is that so, indeed, or where am I wrong?
>>
>> Pavel Tankov
>>
>> On 10/24/2014 04:33 PM, Hamada, Ondrej wrote:
>>> Hi Pavel,
>>>
>>> Have you checked ACLs as well? I guess that one of the default ACL grants 
>>> all users the 'use' permission for all 'networks'.
>>>
>>> Ondra
>>>
>>> -----Original Message-----
>>> From: Users [mailto:users-boun...@lists.opennebula.org] On Behalf Of
>>> Pavel Tankov
>>> Sent: Friday, October 24, 2014 12:09 PM
>>> To: users@lists.opennebula.org
>>> Subject: [one-users] How to protect a virtual network from being used by 
>>> users?
>>>
>>> Hello,
>>>
>>> I (as oneadmin) have configured two virtual networks:
>>> - one named "default" for use by regular users to deploy disposable
>>> test VMs
>>> - one named "SPECIAL" for use by the admin to create servers that
>>> will not be disposable but will stay always ON
>>>
>>> Both networks have different IP ranges so that you could easily tell 
>>> whether it's a server or a disposable test VM by looking at its IP address.
>>>
>>> I have set up Opennebula with LDAP authentication. LDAP users authenticate 
>>> just fine and are able to create themselves VMs using those templates that 
>>> the admin has allowed for them. Now, I'd like to make it so that only the 
>>> "default" virtual network is exposed to regular users, and "SPECIAL" is not 
>>> seen by them.
>>>
>>> Currently, both networks have the following permissions:
>>>
>>> - Owner: use, manage
>>> - Group <none>
>>> - Other: <none>
>>>
>>> Users still can use both of these when they deploy a test VM although 
>>> permissions clearly state they shouldn't be able to see any of them.
>>>
>>> What is wrong with the permissions?
>>>
>>> --
>>> Pavel Tankov
>>> _______________________________________________
>>> Users mailing list
>>> Users@lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>> ________________________________
>>> This e-mail and any attachment is for authorised use by the intended 
>>> recipient(s) only. It may contain proprietary material, confidential 
>>> information and/or be subject to legal privilege. It should not be copied, 
>>> disclosed to, retained or used by, any other party. If you are not an 
>>> intended recipient then please promptly delete this e-mail and any 
>>> attachment and all copies and inform the sender. Thank you for 
>>> understanding.
>>>
>>
>
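An added audit check, written for this thread rather than taken from it or from OpenNebula: it parses the `oneacl list` table Pavel quoted and flags rules that grant USE on every virtual network (RID `*`) to a whole group or to everyone, which is exactly the default rule 3 he describes. The letter-to-name mapping follows the column headers RES_VHNIUTGDCOZ and OPE_UMAC; treating lowercase operation letters as equivalent to uppercase is an assumption about the 4.8 output.

```python
from dataclasses import dataclass

# Sample input: the `oneacl list` table quoted in the thread (OpenNebula 4.8).
ONEACL_LIST = """\
      ID     USER RES_VHNIUTGDCOZ   RID OPE_UMAC  ZONE
       0       @1     V-NI-T---O-     *     ---c    #0
       1        *     ----------Z     *     u---     *
       2       @1     -H---------     *     -m--    #0
       3       @1     --N----D---     *     u---    #0
"""

# Column letters in the order the headers list them (assumed mapping to names).
RESOURCE_NAMES = {"V": "VM", "H": "HOST", "N": "NET", "I": "IMAGE", "U": "USER",
                  "T": "TEMPLATE", "G": "GROUP", "D": "DATASTORE", "C": "CLUSTER",
                  "O": "DOCUMENT", "Z": "ZONE"}
OP_NAMES = {"U": "USE", "M": "MANAGE", "A": "ADMIN", "C": "CREATE"}


@dataclass
class AclRule:
    id: int
    user: str         # "#uid", "@gid" or "*"
    resources: frozenset
    rid: str          # "#id", "@gid", "%cid" or "*"
    ops: frozenset
    zone: str


def parse_oneacl_list(text):
    """Turn the `oneacl list` table into AclRule objects, skipping the header."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].isdigit():
            continue  # header line or blank line
        rule_id, user, res, rid, ope, zone = fields
        # '-' marks an unset column; the letters themselves are unique, so a
        # letter lookup is equivalent to a positional one.
        resources = frozenset(RESOURCE_NAMES[c] for c in res.upper() if c in RESOURCE_NAMES)
        ops = frozenset(OP_NAMES[c] for c in ope.upper() if c in OP_NAMES)
        rules.append(AclRule(int(rule_id), user, resources, rid, ops, zone))
    return rules


def overbroad_rules(rules, resource="NET", op="USE"):
    """Rules granting `op` on *every* object of `resource` to a group or to everyone.

    ACLs are purely additive, so such a rule cannot be narrowed by a later one;
    it has to be deleted and replaced by one scoped to a specific RID.
    """
    return [r for r in rules
            if resource in r.resources and op in r.ops and r.rid == "*"
            and (r.user == "*" or r.user.startswith("@"))]
```

Running `overbroad_rules(parse_oneacl_list(ONEACL_LIST))` returns only rule 3, the one that lets group @1 use the "SPECIAL" network regardless of its object permissions.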
