It's getting stranger. I have written code to dump roles and permits for a given user.
./ovcmd user -n rexecutor roles | gsort -V ... has role 'InstanceCreator' on vm 'fa42' has role 'UserInstanceManager' on vm 'fa42' has role 'UserRole' on vm 'fa42' has role 'UserVmManager' on vm 'fa42' has role 'UserVmRunTimeManager' on vm 'fa42' So no super-user role for that VM. ./ovcmd user -n rexecutor permits ... vm/fa42: add_users_and_groups_from_directory assign_cpu_profile attach_disk change_vm_cd configure_vm_network configure_vm_storage connect_to_vm create_disk create_vm delete_disk delete_vm edit_disk_properties edit_vm_properties hibernate_vm login manipulate_permissions reboot_vm run_vm shut_down_vm sparsify_disk stop_vm ./ovcmd -u rexecutor@internal --passwordfile=/tmp/passwordfile vm -n fa42 stop The action "vm stop" failed with: query execution failed due to insufficient permissions. The role has the stop_vm but it can't stop it. Now I add the SuperUser role for that VM. ./ovcmd user -n rexecutor roles | gsort -V ... has role 'InstanceCreator' on vm 'fa42' has role 'SuperUser' on vm 'fa42' has role 'UserInstanceManager' on vm 'fa42' has role 'UserRole' on vm 'fa42' has role 'UserVmManager' on vm 'fa42' has role 'UserVmRunTimeManager' on vm 'fa42' The permits are the same: ./ovcmd user -n rexecutor permits vm/fa42: add_users_and_groups_from_directory assign_cpu_profile attach_disk change_vm_cd configure_vm_network configure_vm_storage connect_to_vm create_disk create_vm delete_disk delete_vm edit_disk_properties edit_vm_properties hibernate_vm login manipulate_permissions reboot_vm run_vm shut_down_vm sparsify_disk stop_vm ./ovcmd -u rexecutor@internal --passwordfile=/tmp/passwordfile vm -n fa42 stop (OK) But now it can stop the vm. Why ? > Le 5 juil. 2017 à 17:55, Fabrice Bacchella <fabrice.bacche...@orange.fr> a > écrit : > > I'm trying to give a user the permissions to stop/start a specific server. > > This user is given the generic UserRole for the System. > > I tried to give him the roles : > UserVmManager > UserVmRunTimeManager > UserInstanceManager > InstanceCreator > UserRole > > for that specific VM, I always get: query execution failed due to > insufficient permissions. > > As soon as I give him the SuperUser role, he can stop/start it. > > What role should I give him for that VM ? I don't want to give the privilege > to destroy the vm, or add disks. But he should be able to change the os > settings too. > _______________________________________________ > Users mailing list > Users@ovirt.org > http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users