Red Hat Bugzilla – Bug 1287808
[RFE] Add a new permission for managing all the machines from the User interface
Last modified: 2016-09-30 16:50:05 EDT
Description of problem:
We've deployed oVirt for granting our teachers a platform for their students. Usually we deploy a Pool and manually add the list of users (students) which should have access to the machines of the Pool (by granting them the UserRole permission), but most teachers also ask for access to ALL the machines of their pool, even to those that already are attached to a student (most of them want to check/evaluate the work of their students by accessing their machines).
I've been testing with the VmPoolAdmin permission, but that one only allows handling the machines from the Admin interface. We'd like to avoid granting access to the Admin interface to non-technical staff (therefore we don't want teachers to access it).
Currently we're doing a workaround to achieve this: we just detach all the machines from the Pool and then we add the 'UserRole' to the teacher on each machine, which is a tedious task when the number of machines is larger than 15.
Would it be very hard to create a role/permission that would also grant the UserRole permission to all the machines of the Pool to the user it is granted?
At least in our case this would be very useful because we're an educational entity.
We can perhaps just redefine the scope of what VmPoolAdmin can do in User Portal. That would be simple.
It would still allow them to log in webadmin, but is that a problem if they don't really have any other permission so can't do much in there other than see stuff?
Well, not an actual problem in terms of breaking something, but rather a possible security issue (for instance, they could leave the admin open when someone is in their office (like a thrill-seeking student) and they might see VM IPs, host IPs, storage topology...).
They shouldn't be entering the webadmin other than out of curiosity, though, so the above would be a very unlikely case, thus I think this could be a valid implementation if it's easy for you.
another option is to write your own simple user portal with the exact functionality you need. Anything is possible with API. Some inspiration - https://www.ovirt.org/develop/developer-guide/sample-user-portals/
The problem here is that (AFAIK) a VM inside a pool cannot be granted additional permissions other than the user that currently has the VM.
So if a user is assigned machine 'foo-1', the 'UserRole' is granted to him, and if an additional permission is to be granted manually, oVirt won't allow it, so the own user portal wouldn't fix the problem here.
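The workaround from the description (detach every VM from the pool, then grant the teacher UserRole on each one) can be scripted against the oVirt REST API instead of clicked through by hand. The block below is an added example, not code from the bug reporter or from the oVirt project. It assumes the API v4 paths (`POST /vms/{id}/detach` with an `<action/>` body, `POST /vms/{id}/permissions`), that a VM listing marks pool membership with a `<vm_pool id="..."/>` element, that a role may be named in the permission body as `<role><name>UserRole</name></role>`, and an engine hostname, pool id and teacher user id that are placeholders. The sample listing is constructed inline so the planning logic runs offline; only `send()` touches the network. Because the last comment notes that a VM still inside a pool cannot take an extra permission, the plan always issues the detach before the permission grant for each VM.

```python
"""Script the oVirt workaround: detach each VM of a pool, then grant the teacher UserRole.

Added example; assumes oVirt REST API v4 paths and XML shapes as noted in the lead-in.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Assumed engine URL; replace with the real one.
ENGINE = "https://engine.example.org/ovirt-engine/api"

# Constructed sample of a GET /vms listing: two VMs in pool "p1", one outside it.
SAMPLE_VMS_XML = """<vms>
  <vm id="a1"><name>foo-1</name><vm_pool id="p1"/></vm>
  <vm id="a2"><name>foo-2</name><vm_pool id="p1"/></vm>
  <vm id="b1"><name>bar-1</name></vm>
</vms>"""


def basic_auth_header(user, password):
    """HTTP Basic credentials; only ever send these over TLS (urllib verifies the cert)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def permission_body(user_id, role_name="UserRole"):
    """XML body for POST /vms/{vm_id}/permissions granting role_name to user_id."""
    perm = ET.Element("permission")
    ET.SubElement(perm, "user", id=user_id)
    role = ET.SubElement(perm, "role")
    ET.SubElement(role, "name").text = role_name
    return ET.tostring(perm, encoding="unicode")


def pool_vm_ids(vms_xml, pool_id):
    """Filter a /vms listing down to the VMs attached to pool_id (assumed <vm_pool id=...> marker)."""
    root = ET.fromstring(vms_xml)
    ids = []
    for vm in root.findall("vm"):
        pool = vm.find("vm_pool")
        if pool is not None and pool.get("id") == pool_id:
            ids.append(vm.get("id"))
    return ids


def plan_workaround(vms_xml, pool_id, teacher_id):
    """Ordered (method, path, body) requests: detach first, then grant, per VM.

    The detach must precede the grant because a VM still in the pool refuses
    additional permissions.
    """
    plan = []
    for vm_id in pool_vm_ids(vms_xml, pool_id):
        plan.append(("POST", f"/vms/{vm_id}/detach", "<action/>"))
        plan.append(("POST", f"/vms/{vm_id}/permissions", permission_body(teacher_id)))
    return plan


def send(method, path, body, headers):
    """Execute one planned request against the engine; returns (status, response body)."""
    req = urllib.request.Request(
        ENGINE + path,
        data=body.encode(),
        method=method,
        headers={**headers, "Content-Type": "application/xml", "Accept": "application/xml"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Replace the placeholder ids and credentials before running for real.
    auth = basic_auth_header("admin@internal", "CHANGE_ME")
    for method, path, body in plan_workaround(SAMPLE_VMS_XML, "p1", "teacher-user-id"):
        print(method, path)
        # status, _ = send(method, path, body, auth)
```

Run it once with the `send()` call commented out to review the plan, then enable it; a failed detach should stop the loop rather than proceed to the permission grant, since the grant would be rejected on a VM still in the pool.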