User supplied Attributes on one.template.instantiate and VM Template merge
|Assignee:||Carlos Martín||% Done:|
|Target version:||Release 4.0|
This patch adds a forth (optional) parameter to one.template.instantiate that allow the User to pass extra User Attributes. Those User Attributes are checked against the Restricted Attributes before being merged to the chosen template.
It allows users to instantiate an existing template while providing custom attributes such as the CONTEXT or IMAGE_ID, without the need to Clone / create a user template.
It also allows for Administrators to set the MEMORY or CPU attributes to be Restricted and still allowing users to launch custom VMs (something not currently possible, because setting MEMORY or CPU as Restricted Attributes prevent the User from submitting VM with a User provided template).
This is a fairly recent patch that haven't gone through a lot of testing yet. There is at least one known limitation: when modifying a template that has multiple attributes of the same name (ex. multiple NIC attributes) the merge operation will always applies changes to the first attribute found in the template.
Feedbacks are more than welcome.
Feature #1697: Initial commit for user supplied Attributes on one.template.instantiate
Feature #1697: Change Template::merge to replace and add attributes
This allows to merge a template with repeated attributes, like
several DISK or NIC atts.
Feature #1697: Add VM creation options to onetemplate instantiate (--cpu, --memory...)
#4 Updated by Carlos Martín over 8 years ago
Now that I think of it, we may have broken the following use case:
The admin wants to have absolute control over the VMs created, what can be done denying the operations TEMPLATE:CREATE and VM:CREATE (onetemplate create & onevm create); and only allows users to USE some templates created by him (onetemplate list/show/instantiate).
With this change, the users can now instantiate one of the available templates, and replace any attribute...Since merging an existing template is basically a shortcut to clone & update, we could change the required permissions for one.template.instantiate to:
- TEMPLATE:USE if no extra template is provided
- TEMPLATE:USE + TEMPLATE:CREATE if the extra template is provided
#5 Updated by Simon Boulet over 8 years ago
With this change, the users can now instantiate one of the available
templates, and replace any attribute...
Well, yes, the user can replace any attribute, as long as it's not in the VM_RESTRICTED_ATTR list.
I didn't realize there was a TEMPLATE:CREATE permission, I don't currently use the ACLs (other than the default). Checking the TEMPLATE:CREATE permission ACL to allow for extra attributes seems to make a lot of sense!
Thanks for the feedback :)