Feature #1697

User supplied Attributes on one.template.instantiate and VM Template merge

Added by Simon Boulet about 8 years ago. Updated about 8 years ago.

Status:ClosedStart date:12/17/2012
Priority:NormalDue date:
Assignee:Carlos Martín% Done:

0%

Category:-
Target version:Release 4.0
Resolution:fixed Pull request:

Description

This patch adds a forth (optional) parameter to one.template.instantiate that allow the User to pass extra User Attributes. Those User Attributes are checked against the Restricted Attributes before being merged to the chosen template.

It allows users to instantiate an existing template while providing custom attributes such as the CONTEXT or IMAGE_ID, without the need to Clone / create a user template.

It also allows for Administrators to set the MEMORY or CPU attributes to be Restricted and still allowing users to launch custom VMs (something not currently possible, because setting MEMORY or CPU as Restricted Attributes prevent the User from submitting VM with a User provided template).

Ref. http://lists.opennebula.org/pipermail/users-opennebula.org/2012-December/021345.html

This is a fairly recent patch that haven't gone through a lot of testing yet. There is at least one known limitation: when modifying a template that has multiple attributes of the same name (ex. multiple NIC attributes) the merge operation will always applies changes to the first attribute found in the template.

Feedbacks are more than welcome.

Simon

template-instantiate-user-attributes.patch Magnifier (5.67 KB) Simon Boulet, 12/17/2012 05:03 PM

Associated revisions

Revision 3deeec21
Added by Simon Boulet about 8 years ago

Feature #1697: Initial commit for user supplied Attributes on one.template.instantiate

Revision 9280aa36
Added by Carlos Martín about 8 years ago

Feature #1697: Add the new template instantiate param to ruby oca and cli

Revision 60f0d4bf
Added by Carlos Martín about 8 years ago

Feature #1697: Change Template::merge to replace and add attributes

This allows to merge a template with repeated attributes, like
several DISK or NIC atts.

Revision 1d41973d
Added by Carlos Martín about 8 years ago

Feature #1697: Add VM creation options to onetemplate instantiate (--cpu, --memory...)

Revision 83b5b9d1
Added by Carlos Martín about 8 years ago

Feature #1697: Add new template instantiate argument to java oca

Revision 415be14b
Added by Ruben S. Montero about 8 years ago

feature #1697: Added CREATE perms for instantiate. Group user template code.

Revision bac2adb8
Added by Carlos Martín about 8 years ago

Feature #1697: Change the PoolObjectAuth used for the CREATE TEMPLATE

Revision ae5561c2
Added by Carlos Martín about 8 years ago

Feature #1697: Use add_create_auth for the merged template

History

#1 Updated by Ruben S. Montero about 8 years ago

  • Target version set to Release 4.0

#2 Updated by Ruben S. Montero about 8 years ago

  • Status changed from New to Assigned
  • Assignee set to Carlos Martín

#3 Updated by Carlos Martín about 8 years ago

I just applied the patch. The only thing I changed is that Template::merge allows repeated Attributes.

You can now execute something like 'onetemplate instantiate 0 --cpu 2 --memory 512', which is really cool.

Thanks for this great contribution!

#4 Updated by Carlos Martín about 8 years ago

Now that I think of it, we may have broken the following use case:

The admin wants to have absolute control over the VMs created, what can be done denying the operations TEMPLATE:CREATE and VM:CREATE (onetemplate create & onevm create); and only allows users to USE some templates created by him (onetemplate list/show/instantiate).

With this change, the users can now instantiate one of the available templates, and replace any attribute...

Since merging an existing template is basically a shortcut to clone & update, we could change the required permissions for one.template.instantiate to:
  • TEMPLATE:USE if no extra template is provided
  • TEMPLATE:USE + TEMPLATE:CREATE if the extra template is provided

#5 Updated by Simon Boulet about 8 years ago

Hi Carlos

With this change, the users can now instantiate one of the available
templates, and replace any attribute...

Well, yes, the user can replace any attribute, as long as it's not in the VM_RESTRICTED_ATTR list.

I didn't realize there was a TEMPLATE:CREATE permission, I don't currently use the ACLs (other than the default). Checking the TEMPLATE:CREATE permission ACL to allow for extra attributes seems to make a lot of sense!

Thanks for the feedback :)

#6 Updated by Ruben S. Montero about 8 years ago

  • Status changed from Assigned to Closed
  • Resolution set to fixed

Also available in: Atom PDF