Bug #813

VDC Admin couldn't run "oneuser list"

Added by Shi Jin almost 10 years ago. Updated almost 10 years ago.

Status: Closed
Start date: 09/15/2011
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -
Resolution: worksforme
Pull request:
Affected Versions:

Description

Hi there,

As the administration of the VDC, shouldn't I be allowed to run "oneuser list" to show a list of users under this VDC?
Currently, I got permission denied.

[test1@ozoneserver-cogeco templates]$ oneuser list
[UserPoolInfo] User [8] not authorized to perform action on user.

This is running ONE-3.0beta2.

Thanks.

History

#1 Updated by Patrice Lachance almost 10 years ago

Hi

Same problem for me. To reproduce:
- create zone and vdc using admin=vdc1adm, password=somepassword
- create unix user account 'vdc1adm'
- su vdc1adm
- mkdir ~vdc1adm/.one
- echo "vdc1adm:somepassword" > ~vdc1adm/.one/one_auth

[vdc1adm@host]$ oneuser list
[UserPoolInfo] User [2] : Not authorized to perform INFO_POOL USER.

[vdc1adm@host]$ onehost list
[UserPoolInfo] User [2] : Not authorized to perform INFO_POOL HOST.

Tested access to sunstone using vdc1adm => no 'users' dashboard. Opening another bug in sunstone.

#2 Updated by Ruben S. Montero almost 10 years ago

  • Status changed from New to Closed
  • Resolution set to worksforme

Hi,

Yes, this is the way it is supposed to work. A VDC admin should not be allowed to check the users of a Zone. Potentially you'll be sharing the zone among multiple VDCs, and you may want to keep the users of other VDCs hidden from a VDC admin.

Same with hosts: you can offer a given SLA to a VDC, but as a provider, which hosts are actually supporting the VDC (they may even be shared) is something you may not want to disclose.

You can use onegroup show to list the IDs of the users in the group (i.e. in the VDC).

I'll mark this as worksforme. Any comment is more than welcome

Thanks

#3 Updated by Patrice Lachance almost 10 years ago

Hi, thanks for the quick reply. OK with the solution provided, and I'll wait for Sunstone integration in ONE 3.2! (cf. bug #821)
Thanks again for your good work!
Patrice

#4 Updated by Shi Jin almost 10 years ago

Thanks and I agree that the "onehost list" should not work by design.

However, "onegroup list" does not work for me either:

[test1@ozoneserver-cogeco ~]$ onegroup list
[GroupPoolInfo] User [8] not authorized to perform action on group.

I am still confused about how a vdcadmin could find out who the users in this VDC are. Thanks.

#5 Updated by Shi Jin almost 10 years ago

To be clear, I agree that the vdcadmin should not see users of other VDCs in the same zone; therefore we need a way to show a list of users within this VDC only, not within the zone.

#6 Updated by Ruben S. Montero almost 10 years ago

onegroup show

Shi Jin wrote:

To be clear, I agree that the vdcadmin should not see users of other VDCs in the same zone; therefore we need a way to show a list of users within this VDC only, not within the zone.

#7 Updated by Shi Jin almost 10 years ago

Well, yes I can run

[test1@ozoneserver-cogeco ~]$ onegroup show 100
GROUP 100 INFORMATION
ID             : 100
NAME           : vdc1

USERS
ID
8
10

provided I know my group ID is 100 as vdcadmin of the VDC called vdc1. But the problem is that I don't know this number, and it seems that "onegroup show" does not take a group name as an argument:

[test1@ozoneserver-cogeco ~]$ onegroup show vdc1
OpenNebula GROUP name not found, use the ID instead
command show: argument 0 must be one of groupid,

#8 Updated by Shi Jin almost 10 years ago

Ah, just realized that I should run "onegroup show" without any argument:

[test1@ozoneserver-cogeco ~]$ onegroup show
GROUP 100 INFORMATION
ID             : 100
NAME           : vdc1

USERS
ID
8
10

So this is indeed a workaround. Thanks.
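The workaround above means a VDC admin has to read its own group's membership out of the plain-text `onegroup show` output rather than from `oneuser list`. As an added example (not code from the thread or from OpenNebula), here is a small parser for that output that also recognises the "not authorized" reply, so a denial is never mistaken for an empty VDC; the sample text is constructed from the output shown in this thread, and `my_vdc_users` assumes a working `onegroup` CLI on the path.

```python
import re
import subprocess
from dataclasses import dataclass, field
from typing import List

# Constructed sample: what the VDC admin sees from `onegroup show` (no argument)
# in this thread, and the denial returned for `onegroup list`.
SAMPLE_SHOW = """GROUP 100 INFORMATION
ID             : 100
NAME           : vdc1

USERS
ID
8
10
"""
SAMPLE_DENIED = "[GroupPoolInfo] User [8] not authorized to perform action on group.\n"


class NotAuthorized(Exception):
    """The CLI answered with an authorization error instead of group data."""


@dataclass
class GroupInfo:
    group_id: int
    name: str
    user_ids: List[int] = field(default_factory=list)


def parse_group_show(text: str) -> GroupInfo:
    """Parse `onegroup show` text into the group ID, name and member user IDs."""
    if re.search(r"not authorized", text, re.IGNORECASE):
        raise NotAuthorized(text.strip())  # do not report a denial as "no users"
    header = re.search(r"^GROUP\s+(\d+)\s+INFORMATION", text, re.MULTILINE)
    name = re.search(r"^NAME\s*:\s*(\S+)", text, re.MULTILINE)
    if not header or not name:
        raise ValueError("unrecognised onegroup show output")
    info = GroupInfo(int(header.group(1)), name.group(1))
    parts = text.split("\nUSERS", 1)  # everything after the USERS table header
    if len(parts) == 2:
        for line in parts[1].splitlines():
            if line.strip().isdigit():  # skips the 'ID' column header line
                info.user_ids.append(int(line))
    return info


def my_vdc_users() -> GroupInfo:
    """Run `onegroup show` as the calling user (assumes the OpenNebula CLI)."""
    proc = subprocess.run(["onegroup", "show"], capture_output=True, text=True)
    return parse_group_show(proc.stdout + proc.stderr)
```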
