Bug #813
VDC Admin couldn't run "oneuser list"
| Status: | Closed | Start date: | 09/15/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
| Resolution: | worksforme | Affected Version: | |
| Story points: | - | | |
| Velocity based estimate: | - | | |
Description
Hi there,
As the administrator of the VDC, shouldn't I be allowed to run "oneuser list" to show a list of users under this VDC?
Currently, I get permission denied.
[test1@ozoneserver-cogeco templates]$ oneuser list
[UserPoolInfo] User [8] not authorized to perform action on user.
This is running ONE-3.0beta2.
Thanks.
History
Updated by Patrice Lachance 8 months ago
Hi
Same problem for me. To reproduce:
- create zone and vdc with admin=vdc1adm, password=somepassword
- create unix user account 'vdc1adm'
- su vdc1adm
- mkdir ~vdc1adm/.one
- echo "vdc1adm:somepassword" > ~vdc1adm/.one/one_auth
[vdc1adm@host]$ oneuser list
[UserPoolInfo] User [2] : Not authorized to perform INFO_POOL USER.
[vdc1adm@host]$ onehost list
[UserPoolInfo] User [2] : Not authorized to perform INFO_POOL HOST.
Tested access to sunstone using vdc1adm => no 'users' dashboard. Opening another bug in sunstone.
Updated by Ruben S. Montero 8 months ago
- Status changed from New to Closed
- Resolution set to worksforme
Hi,
Yes, this is the way it is supposed to work. A VDC admin should not be allowed to check the users of a Zone. Potentially you'll be sharing the zone among multiple VDCs, and you may want to keep the users of other VDCs hidden from a VDC admin.
Same with hosts: you can offer a given SLA to a VDC, but as a provider, which hosts are actually supporting the VDC (they may even be shared) is something you may not want to disclose.
You can use onegroup show to list the IDs of the users in the group (i.e. in the VDC).
I'll mark this as worksforme. Any comment is more than welcome
Thanks
Updated by Patrice Lachance 8 months ago
Hi, Thanks for the quick reply. OK with solution provided and I'll wait for sunstone integration in ONE 3.2! (cf bug #821)
Thanks again for your good work!
Patrice
Updated by Shi Jin 8 months ago
Thanks and I agree that the "onehost list" should not work by design.
However, "onegroup list" does not work for me either:
[test1@ozoneserver-cogeco ~]$ onegroup list
[GroupPoolInfo] User [8] not authorized to perform action on group.
I am still confused about how a vdcadmin could find out who the users in this VDC are. Thanks.
Updated by Shi Jin 8 months ago
To be clear, I agree that the vdcadmin should not see users of other VDCs in the same zone; therefore we need a way to show a list of users within this VDC only, not within the zone.
Updated by Ruben S. Montero 8 months ago
onegroup show
Shi Jin wrote:
To be clear, I agree that the vdcadmin should not see users of other VDCs in the same zone therefore we need a way to show a list of users within this VDC only, not within the zone.
Updated by Shi Jin 8 months ago
Well, yes I can run
[test1@ozoneserver-cogeco ~]$ onegroup show 100
GROUP 100 INFORMATION
ID : 100
NAME : vdc1
USERS
ID
8
10
provided I know my group ID is 100 as vdcadmin of the VDC called vdc1. But the problem is that I don't know this number, and it seems that "onegroup show" does not take a group name as an argument:
[test1@ozoneserver-cogeco ~]$ onegroup show vdc1
OpenNebula GROUP name not found, use the ID instead
command show: argument 0 must be one of groupid,
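The two open questions in this thread (Ruben's pointer to onegroup show, and Shi Jin's problem that a VDC admin does not know the numeric group ID that command needs) can be joined in a small shell helper. The script below is an added example and is not code from OpenNebula or from anyone in this thread. It assumes that `oneuser show` with no argument prints the calling user's own record with a `GROUP : <id>` line, and that `onegroup show <id>` prints a `USERS` section listing member IDs, as in the output pasted above; both are assumptions about the text output format, so check them against your own version. The sample outputs embedded in the script are constructed, not captured from a server, so the parsing functions run offline.

```shell
#!/bin/sh
# Added example (not OpenNebula's own code). Lets a VDC admin list the
# member IDs of their own group without knowing the group ID up front.
#
# Assumptions (verify against your OpenNebula version):
#   - `oneuser show` with no argument prints the caller's own record,
#     including a line of the form "GROUP          : <id>".
#   - `onegroup show <id>` prints a "USERS" section: a header line "ID"
#     followed by one numeric user ID per line.

# Read `oneuser show` text on stdin and print the numeric group ID.
my_group_id() {
    awk '$1 == "GROUP" { print $NF; exit }'
}

# Read `onegroup show` text on stdin and print one member user ID per line.
group_user_ids() {
    awk '
        /^USERS/            { in_users = 1; next }   # start of member list
        in_users && $1 == "ID"       { next }        # column header
        in_users && $1 ~ /^[0-9]+$/  { print $1; next }
        in_users && NF == 0          { in_users = 0 } # blank line ends list
    '
}

# Real usage (not run here): resolve the caller's group, then show it.
# The VDC admin is authorised to read their own user record and their own
# group, which is exactly the scope Ruben describes above.
list_my_vdc_users() {
    gid=$(oneuser show | my_group_id) || return 1
    [ -n "$gid" ] || { echo "could not determine group ID" >&2; return 1; }
    onegroup show "$gid" | group_user_ids
}

# Constructed sample outputs, modelled on the records pasted in this thread.
SAMPLE_USER='USER 8 INFORMATION
ID             : 8
NAME           : test1
GROUP          : 100
ENABLED        : Yes'

SAMPLE_GROUP='GROUP 100 INFORMATION
ID             : 100
NAME           : vdc1

USERS
ID
8
10'

# Offline demonstration on the constructed samples.
demo() {
    gid=$(printf '%s\n' "$SAMPLE_USER" | my_group_id)
    echo "caller is in group $gid; members:"
    printf '%s\n' "$SAMPLE_GROUP" | group_user_ids
}

demo
```

Parsing the plain text output is the fragile part: if the column layout changes between releases, `$NF` on the GROUP line and the `USERS`/`ID` markers are the lines to re-check.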