Red Hat Bugzilla – Bug 1287808
[RFE] Add a new permission for managing all the machines from the User interface
Last modified: 2018-02-23 07:35:04 EST
Description of problem:
We've deployed oVirt for granting our teachers a platform for their students. Usually we deploy a Pool and manually add the list of users (students) which should have access to the machines of the Pool (by granting them the UserRole permission), but most teachers also ask for access to ALL the machines of their pool, even to those that already are attached to a student (most of them want to check/evaluate the work of their students by accessing their machines).
I've been testing with the VmPoolAdmin permission, but that one only allows handling the machines from the Admin interface. We'd like to avoid granting access to the Admin interface to non-technical staff (therefore we don't want teachers to access it).
Currently we're doing a workaround to achieve this: We just detach all the machines from the Pool and then we add the 'UserRole' to the teacher on each machine, which is a tedious task when the number of machines is bigger than 15.
Would it be very hard to create a role/permission that would also grant the UserRole permission on all the machines of the Pool to the user it is granted to?
At least in our case this would be very useful because we're an educational entity.
we can perhaps just redefine the scope of what VmPoolAdmin can do in User Portal. That would be simple.
It would still allow them to log in webadmin, but is that a problem if they don't really have any other permission so can't do much in there other than see stuff?
Well, not an actual problem in terms of breaking something, but rather a possible security issue (for instance, they could leave the admin open when someone is in their office, like a thrill-seeker student, and they might see VM IPs, host IPs, storage topology...).
They shouldn't be entering the webadmin more than for a curiosity reason, though, so the above would be a very unlikely casuistry, thus I think this could be a valid implementation if it's easy for you.
Another option is to write your own simple user portal with the exact functionality you need. Anything is possible with the API. Some inspiration - https://www.ovirt.org/develop/developer-guide/sample-user-portals/
The problem here is that (AFAIK) a VM inside a pool cannot be granted additional permissions other than the user that currently has the VM.
So if a user is assigned machine 'foo-1', the 'UserRole' is granted to him, and if an additional permission is to be granted manually, oVirt won't allow it, so our own user portal wouldn't fix the problem here.
Does the new VM-Portal still work the same way? Can we (maybe) solve this issue more easily in the new VM-Portal?
Any thoughts on this?
There's no change in permission handling.
All the VMs in a pool need to be the same... but I'm not sure I understand how this should work exactly. A special user with permission to all the VMs in the pool? Can you describe it in more detail?
Sorry for the delay in my response.
I meant a permission so that everyone who is granted it on a VmPool can access all the VMs in the pool from within the User Portal.
That's especially useful in our case because teachers request VmPools from us whose templates already have a username for the teacher (in the guest OS), so they can access them by SSH, for example. The problem is that they don't know the IP address of each of their students' attached VMs, so they have to go one by one asking them for their IP address and connect that way so they can review their work.
It would be nice to have a permission that would allow them to see all the VMs of the pool in the User Portal, just as if they had the machine attached, even though the VMs are actually attached to a different user (a student in our case), and to do any operation on them just as if they had the VM attached (start, shutdown, etc.).
Can you try to change it at https://github.com/oVirt/ovirt-web-ui/blob/tree/master/src/saga/login.js#L201 to not set the filter for a particular user - then they should see all VMs.
Sorry for the delay.
I'm trying to access the link you provided but it returns a 404 error. Could you describe what that change does? If it allows adding a user so that he sees all the VMs in the pool as a UserRole, then it's more than enough.
Not sure why the link doesn't work, this one should - https://github.com/oVirt/ovirt-web-ui/blob/14358031656a950c6c87dda998cfce193ee4b46a/src/saga/login.js#L201
The test was to try setting setUserFilterPermission(false) for your special users - then they should see everything.
If that works we can see what permission to use or find some way to differentiate these special users.
I'd say that's the way it should work. I was able to reproduce it and I see all machines.