Bug 1287808 - [RFE] Add a new permission for managing all the machines from the User interface
Status: NEW
Product: ovirt-engine
Classification: oVirt
Component: RFEs
Platform/OS: Unspecified Unspecified
Priority/Severity: unspecified / medium
: ---
: ---
Assigned To: bugs@ovirt.org
QA Contact: Gil Klein
Keywords: FutureFeature
Depends On:
Reported: 2015-12-02 13:06 EST by nicolas
Modified: 2016-09-30 16:50 EDT
CC: 4 users

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: Virt
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
michal.skrivanek: ovirt-future?
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?

Attachments: None
Description nicolas 2015-12-02 13:06:55 EST
Description of problem:

We've deployed oVirt to give our teachers a platform for their students. Usually we deploy a Pool and manually add the list of users (students) who should have access to the machines of the Pool (by granting them the UserRole permission), but most teachers also ask for access to ALL the machines of their pool, even those that are already attached to a student (most of them want to check/evaluate the work of their students by accessing their machines).

I've been testing with the VmPoolAdmin permission, but that one only allows handling the machines from the Admin interface. We'd like to avoid granting access to the Admin interface to non-technical staff (therefore we don't want teachers to access it).

Currently we're using a workaround to achieve this: we just detach all the machines from the Pool and then add the 'UserRole' to the teacher on each machine, which is a tedious task when the number of machines is larger than 15.

Would it be very hard to create a role/permission that would also grant the UserRole permission on all the machines of the Pool to the user it is assigned to?

At least in our case this would be very useful because we're an educational entity.
Comment 1 Michal Skrivanek 2016-02-22 07:37:52 EST
We can perhaps just redefine the scope of what VmPoolAdmin can do in the User Portal. That would be simple.
It would still allow them to log in to webadmin, but is that a problem if they don't really have any other permissions and so can't do much in there other than see things?
Comment 2 nicolas 2016-02-22 08:17:09 EST
Well, not an actual problem in terms of breaking something, but rather a possible security issue (for instance, they could leave the admin open when someone is in their office (like a thrill-seeking student), and that person might see VM IPs, host IPs, storage topology...).

They shouldn't be entering webadmin for anything more than curiosity, though, so the above would be a very unlikely case, thus I think this could be a valid implementation if it's easy for you.
Comment 3 Michal Skrivanek 2016-09-07 07:38:13 EDT
Another option is to write your own simple user portal with the exact functionality you need. Anything is possible with the API. Some inspiration - https://www.ovirt.org/develop/developer-guide/sample-user-portals/
Comment 4 nicolas 2016-09-30 16:50:05 EDT
The problem here is that (AFAIK) a VM inside a pool cannot be granted additional permissions other than the user that currently has the VM.

So if a user is assigned machine 'foo-1', the 'UserRole' is granted to them, and if an additional permission is to be granted manually, oVirt won't allow it, so a user portal of our own wouldn't fix the problem here.
