Bug #5098

Can use virtual network though I have no permissions

Added by Christoph Pleger over 3 years ago. Updated over 3 years ago.

Status: Closed
Start date: 04/06/2017
Priority: High
Due date:
Assignee: -
% Done: 0%
Category: Core & System
Target version: -
Resolution: worksforme
Pull request:
Affected Versions: OpenNebula 5.2

Description

Hello,

in Sunstone, as oneadmin I created a new user group 'network' and a new virtual network 'vnetwork'. I set the group of 'vnetwork' to 'network' and gave it permissions "Use, Manage, Admin" for the owner and "Use" for group members. Then, I logged in as another user not belonging to group 'network' and discovered that despite that I could create VM templates using that virtual network and even start VMs from them with a working network connection.

Regards
Christoph

History

#1 Updated by EOLE Team over 3 years ago

This is due to default ACLs:

oneacl list
   ID     USER RES_VHNIUTGDCOZSvRMA   RID OPE_UMAC  ZONE
    0       @1     V--I-T---O-S----     *     ---c     *
    1        *     ----------Z-----     *     u---     *
    2        *     --------------MA     *     u---     *
    3       @1     -H--------------     *     -m--    #0
    4       @1     --N----D--------     *     u---    #0

The ACL 4 means group users have USE on all NETWORKS and DATASTORES of zone 0.

I thought there was already an issue to customize default ACLs but I can't find any, I remember speaking with Ruben about this issue at OpenNebulaConf 2016.

Regards.

#2 Updated by Javi Fontan over 3 years ago

  • Category set to Core & System
  • Status changed from Pending to Closed
  • Resolution set to worksforme

This is because the default VDC has all networks. You can edit the default VDC and add only the host resources. That way you'll be able to use standard permissions.
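The following is an added illustration, not OpenNebula's own code and not part of this ticket: a toy model of how an OpenNebula request is authorized (the object's own permission bits OR any matching ACL rule), fed the exact `oneacl list` output from comment #1. It reproduces the report: the object permissions deny 'bob' USE on 'vnetwork', but default rule 4 (`@1 NET/* USE` in zone 0) grants it anyway. The uid of 'bob', the gid of group 'network', the network's object id and the assumption that editing the default VDC amounts to removing rule 4 are all constructed for the example; the `broad_rules` helper is the audit check to run before relying on per-object permissions.

```python
"""Toy model of OpenNebula-style authorization (example code, not OpenNebula's).
A request is allowed if the object's permission bits grant it OR any ACL rule
matches. Only the rule forms seen in the `oneacl list` output of this ticket
are modelled: user '*', '#uid', '@gid'; resource-type letters; RID '*', '#oid',
'@gid', '%cluster'; rights u/m/a/c; zone '*' or '#id'."""

from dataclasses import dataclass

# Copied from comment #1 above (the default ACLs of OpenNebula 5.2).
ONEACL_LIST = """\
   ID     USER RES_VHNIUTGDCOZSvRMA   RID OPE_UMAC  ZONE
    0       @1     V--I-T---O-S----     *     ---c     *
    1        *     ----------Z-----     *     u---     *
    2        *     --------------MA     *     u---     *
    3       @1     -H--------------     *     -m--    #0
    4       @1     --N----D--------     *     u---    #0
"""


@dataclass
class User:
    uid: int
    gids: frozenset          # every group the user belongs to


@dataclass
class Resource:
    rtype: str               # letter of the RES column, e.g. "N" for NET
    oid: int
    owner_uid: int
    gid: int
    cluster_ids: frozenset
    perms: str               # "owner group other" u/m/a triples, e.g. "uma u-- ---"


@dataclass
class AclRule:
    rule_id: int
    user: str                # "*", "#uid" or "@gid"
    res: str                 # type letters, "-" where the type is excluded
    res_id: str              # "*", "#oid", "@gid" or "%cluster"
    rights: str              # four chars for u/m/a/c, "-" where absent
    zone: str                # "*" or "#zone_id"


def parse_oneacl(text):
    """Turn `oneacl list` output into AclRule objects, skipping the header."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0].isdigit():
            rules.append(AclRule(int(parts[0]), *parts[1:]))
    return rules


def _user_matches(spec, user):
    if spec == "*":
        return True
    if spec.startswith("#"):
        return int(spec[1:]) == user.uid
    if spec.startswith("@"):
        return int(spec[1:]) in user.gids
    return False


def _resource_matches(rule, res):
    if res.rtype not in rule.res:       # letter absent -> type not covered
        return False
    rid = rule.res_id
    if rid == "*":
        return True
    if rid.startswith("#"):
        return int(rid[1:]) == res.oid
    if rid.startswith("@"):
        return int(rid[1:]) == res.gid
    if rid.startswith("%"):
        return int(rid[1:]) in res.cluster_ids
    return False


def _zone_matches(spec, zone_id):
    return spec == "*" or int(spec.lstrip("#")) == zone_id


def perms_grant(res, user, op):
    """Owner/group/other check on the object's own permission bits."""
    owner, group, other = res.perms.split()
    if user.uid == res.owner_uid:
        return op in owner
    if res.gid in user.gids:
        return op in group
    return op in other


def authorize(user, op, res, zone_id, rules):
    """Return (allowed, reason); op is one of 'u', 'm', 'a', 'c'."""
    if perms_grant(res, user, op):
        return True, "object permission bits"
    for rule in rules:
        if (_user_matches(rule.user, user) and _resource_matches(rule, res)
                and op in rule.rights and _zone_matches(rule.zone, zone_id)):
            return True, f"ACL rule {rule.rule_id}"
    return False, "no permission bit or ACL rule grants it"


def broad_rules(rules, rtype, op):
    """IDs of rules granting `op` on EVERY object of type `rtype` (RID '*') to a
    group or to everyone: these are the rules that override per-object permissions."""
    return [r.rule_id for r in rules
            if rtype in r.res and op in r.rights and r.res_id == "*"
            and not r.user.startswith("#")]


# Constructed scenario from the report: 'vnetwork' owned by oneadmin (uid 0),
# group 'network' (assumed gid 100), perms Use/Manage/Admin for owner and Use
# for group; 'bob' (assumed uid 5) is only in the default group 'users' (gid 1).
VNETWORK = Resource("N", 3, 0, 100, frozenset({0}), "uma u-- ---")
BOB = User(5, frozenset({1}))
DEFAULT_RULES = parse_oneacl(ONEACL_LIST)
# The fix in comment #2 removes networks from the default VDC; the example
# models that as dropping rule 4 (an assumption about what the VDC edit does).
FIXED_RULES = [r for r in DEFAULT_RULES if r.rule_id != 4]

if __name__ == "__main__":
    print(authorize(BOB, "u", VNETWORK, 0, DEFAULT_RULES))   # allowed via rule 4
    print(authorize(BOB, "u", VNETWORK, 0, FIXED_RULES))     # denied
    print(broad_rules(DEFAULT_RULES, "N", "u"))               # the rule to look at
```

The practical takeaway is the `broad_rules` check: before trusting the Use/Manage/Admin bits on a network, image or datastore, list the ACL rules with RID `*` for that resource type, because any such rule for `@1` or `*` makes the per-object bits irrelevant for everyone it covers.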
