Bug #3384

Users in Cloud view are able to add vnet even though they have no permission to do so

Added by Rachel Chen over 6 years ago. Updated over 6 years ago.

Status: Closed
Start date: 11/27/2014
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -
Resolution: worksforme
Pull request:
Affected Versions: OpenNebula 4.10

Description

Presumably, if OTHER is not set up with USE permission, OTHER should not see it either.

Screen Shot 2014-11-26 at 6.28.18 PM.png - Not granted with "use" permission (90.1 KB) Rachel Chen, 11/27/2014 03:13 AM

Screen Shot 2014-11-26 at 6.29.05 PM.png - Still able to see it (85.4 KB) Rachel Chen, 11/27/2014 03:13 AM

History

#1 Updated by Carlos Martín over 6 years ago

When a cluster is set as a group resource provider, users are able to see the DS and Vnets in that cluster.
Your vnet is in cluster Xeon, probably the user's group has it as a resource provider. Can you check if this is the case?

#2 Updated by Rachel Chen over 6 years ago

Carlos Martín wrote:

> When a cluster is set as a group resource provider, users are able to see the DS and Vnets in that cluster.
> Your vnet is in cluster Xeon, probably the user's group has it as a resource provider. Can you check if this is the case?

Yes, the vnet is indeed in the cluster, but it does not seem to make sense if I did not delegate permission USE to OTHER but they are still able to see it. Is there a workaround, or is this more like a feature?

#3 Updated by Ruben S. Montero over 6 years ago

  • Status changed from Pending to Closed
  • Resolution set to worksforme

Jerry Chen wrote:

> Carlos Martín wrote:
>
> > When a cluster is set as a group resource provider, users are able to see the DS and Vnets in that cluster.
> > Your vnet is in cluster Xeon, probably the user's group has it as a resource provider. Can you check if this is the case?
>
> Yes, the vnet is indeed in the cluster, but it does not seem to make sense if I did not delegate permission USE to OTHER but they are still able to see it. Is there a workaround, or is this more like a feature?

This is the intended behavior: a cluster assigned to a group grants USE permissions to all the users of a group. It seems that in your use case, it'd be better not to use group resource providers and manually assign access to resources by hand, setting the corresponding ACLs. Note that for large installations this would not scale and it'd be difficult to debug...

Closing, as OpenNebula works as expected.
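
The behavior described in the closing comment, as an added example that is not part of the original thread and not OpenNebula's own code: a simplified Python model that assumes a request is authorized when either the object's permission bits or a matching ACL rule grants it. All class names, IDs and sample data are constructed for illustration.

```python
# Simplified model (an assumption, not OpenNebula source): USE is granted if
# EITHER the vnet's permission bits allow it OR an ACL rule matches the user.
from dataclasses import dataclass

@dataclass(frozen=True)
class VNet:
    name: str
    uid: int           # owner user id
    gid: int           # owning group id
    cluster: str
    owner_use: bool
    group_use: bool
    other_use: bool

@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gid: int

@dataclass(frozen=True)
class AclRule:         # hypothetical shape of a "group -> cluster" grant
    gid: int
    cluster: str
    right: str

def use_grants(user, vnet, acls):
    """Return every reason `user` gets USE on `vnet`; an empty list means denied."""
    reasons = []
    if user.uid == vnet.uid and vnet.owner_use:
        reasons.append("owner bit")
    if user.gid == vnet.gid and vnet.group_use:
        reasons.append("group bit")
    if vnet.other_use:
        reasons.append("other bit")
    for rule in acls:
        if rule.gid == user.gid and rule.cluster == vnet.cluster and rule.right == "USE":
            reasons.append(f"ACL: group {rule.gid} -> cluster {rule.cluster}")
    return reasons

# Constructed data mirroring the report: vnet in cluster Xeon, OTHER USE not set.
VNET = VNet("private-net", 0, 0, "Xeon", owner_use=True, group_use=False, other_use=False)
CLOUD_USER = User("clouduser", uid=5, gid=100)
PROVIDER_ACLS = [AclRule(gid=100, cluster="Xeon", right="USE")]

def audit():
    """Compare access with and without the group resource provider grant."""
    return {"with_provider": use_grants(CLOUD_USER, VNET, PROVIDER_ACLS),
            "without_provider": use_grants(CLOUD_USER, VNET, [])}
```

Listing the reasons rather than a yes/no answer makes it visible that access comes from the group-to-cluster grant and not from the OTHER bit, which is the confusion in this report.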
