Bug #5098
Can use virtual network though I have no permissions
| Status: | Closed | Start date: | 04/06/2017 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | Core & System | | |
| Target version: | - | | |
| Resolution: | worksforme | Pull request: | |
| Affected Versions: | OpenNebula 5.2 | | |
Description
Hello,
in Sunstone, as oneadmin I created a new user group 'network' and a new virtual network 'vnetwork'. I set the group of 'vnetwork' to 'network' and gave it permissions "Use, Manage, Admin" for the owner and "Use" for group members. Then, I logged in as another user not belonging to group 'network' and discovered that despite that I could create VM templates using that virtual network and even start VMs from them with a working network connection.
Regards
Christoph
History
#1 Updated by EOLE Team about 4 years ago
This is due to default ACLs:
```
oneacl list
   ID     USER RES_VHNIUTGDCOZSvRMA   RID OPE_UMAC  ZONE
    0       @1     V--I-T---O-S----     *     ---c     *
    1        *     ----------Z-----     *     u---     *
    2        *     --------------MA     *     u---     *
    3       @1     -H--------------     *     -m--    #0
    4       @1     --N----D--------     *     u---    #0
```
The ACL 4 means group users have USE on all NETWORKS and DATASTORES of zone 0.
I thought there was already an issue to customize default ACLs but I can't find any. I remember speaking with Ruben about this issue at OpenNebulaConf 2016.
Regards.
#2 Updated by Javi Fontan almost 4 years ago
- Category set to Core & System
- Status changed from Pending to Closed
- Resolution set to worksforme
This is because the default VDC has all networks. You can edit the default VDC and add only the host resources. That way you'll be able to use standard permissions.
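Added example, not part of the thread or of OpenNebula's own code: a small audit script that decodes the `oneacl list` table quoted in comment #1 and reports rules granting a right on every object of a resource type, which is the shape of ACL 4. The function names and the embedded sample are constructed for illustration; the letter legend follows the `RES_` and `OPE_` column headers.

```python
# Constructed sample: the `oneacl list` table quoted in comment #1.
SAMPLE = """\
ID USER RES_VHNIUTGDCOZSvRMA RID OPE_UMAC ZONE
0 @1 V--I-T---O-S---- * ---c *
1 * ----------Z----- * u--- *
2 * --------------MA * u--- *
3 @1 -H-------------- * -m-- #0
4 @1 --N----D-------- * u--- #0
"""

# Legend for the flag letters in the RES_ and OPE_ column headers.
RESOURCES = {"V": "VM", "H": "HOST", "N": "NET", "I": "IMAGE", "U": "USER",
             "T": "TEMPLATE", "G": "GROUP", "D": "DATASTORE", "C": "CLUSTER",
             "O": "DOCUMENT", "Z": "ZONE", "S": "SECGROUP", "v": "VDC",
             "R": "VROUTER", "M": "MARKETPLACE", "A": "MARKETPLACEAPP"}
RIGHTS = {"u": "USE", "m": "MANAGE", "a": "ADMIN", "c": "CREATE"}


def parse_acls(text):
    """Parse `oneacl list` output into a list of rule dicts."""
    lines = [l.split() for l in text.splitlines() if l.strip()]
    header, rows = lines[0], lines[1:]
    if len(header) != 6 or not header[2].startswith("RES_"):
        raise ValueError("unexpected oneacl header: %r" % header)
    res_letters = header[2][len("RES_"):]  # column order comes from the header
    rules = []
    for row in rows:
        if len(row) != 6 or len(row[2]) != len(res_letters):
            raise ValueError("malformed ACL row: %r" % row)
        acl_id, user, res, rid, ops, zone = row
        rules.append({
            "id": int(acl_id), "user": user, "rid": rid, "zone": zone,
            # A flag is set when the column holds a letter instead of '-'.
            "resources": {RESOURCES[c] for c, f in zip(res_letters, res) if f != "-"},
            "rights": {RIGHTS[f.lower()] for f in ops if f != "-"},
        })
    return rules


def blanket_grants(rules, resource, right="USE"):
    """Rules that grant `right` on all objects (RID '*') of `resource`."""
    return [r for r in rules
            if resource in r["resources"] and right in r["rights"]
            and r["rid"] == "*"]


if __name__ == "__main__":
    for r in blanket_grants(parse_acls(SAMPLE), "NET"):
        print("ACL %(id)d: %(user)s has USE on all NET in zone %(zone)s" % r)
```

Running the same check again after editing the default VDC, with live `oneacl list` output in place of the sample, shows whether a rule of this shape is still present for `NET`.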