Hide Forgot
Description of problem: I am trying to make a user who can maintain images/applications/catalog for one zone. I have multiple Cloud Resource Providers. I created accounts for Provider. I have create a cloud named 'refarch'. I added the provider accounts to the 'refarch' Cloud. In this cloud I created a zone named 'dev' and made enabled A catalog named 'devcat' was created and associated with zone 'dev' I have created a user named 'sadev'. 'sadev' was given the only roles 'Applicaiton Bluepint Administrator', 'Image Administrator', and 'Profile Global User' (not individually assignable) 'sadev' user was given the 'Cloud User' role to the 'refarch' Cloud. the user 'sadev' was given the Zone Owner role to the 'dev' zone When I log in as sadev, I had no problem launching an existing AppForm. Then I went to attempt to build a new applation, I was able to load a TDL file, but when I save I get the error "Images cannot be built, as no provider accounts are currently enabled" When I log in as an adminstrator I see there are roles associated with providers, but the only option is Provider Owner. This did not seem right, I could see Provider User. Checking under Global Role Grants - I see Provider Administrator and Provider Creator. Since I just want them to be a user, neither of these seem correct either. Version-Release number of selected component (if applicable): [root@cf-cloudforms9 imagefactory]# /pub/scripts/post_install_configuration_scripts/cf-versions Red Hat Enterprise Linux Server release 6.2 (Santiago) Linux cf-cloudforms9.cloud.lab.eng.bos.redhat.com 2.6.32-220.4.2.el6.x86_64 #1 SMP Mon Feb 6 16:39:28 EST 2012 x86_64 x86_64 x86_64 GNU/Linux postgresql-8.4.9-1.el6_1.1.x86_64 mongodb-1.8.2-3.el6.x86_64 euca2ools-1.3.1-4.el6_0.noarch ruby-1.8.7.352-5.el6_2.x86_64 rubygems-1.8.10-1.el6.noarch deltacloud-core-0.5.0-5.el6.noarch rubygem-deltacloud-client-0.5.0-2.el6.noarch package libdeltacloud is not installed hail-0.8-0.2.gf9c5b967.el6_0.x86_64 puppet-2.6.11-1.el6_1.noarch aeolus-configure-2.5.0-14.el6.noarch iwhd-1.2-3.el6.x86_64 imagefactory-1.0.0rc5-1.el6.noarch aeolus-conductor-daemons-0.8.0-28.el6.noarch aeolus-conductor-0.8.0-28.el6.noarch [root@cf-cloudforms9 imagefactory]# How reproducible: I've been able to create the proper role since I've been using CE. However I keep seeming to get closer. Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
So a few comments here: 1) images belong to the cloud, and there will be a "Cloud Image Administrator" role that can upload/build/push images and manage catalogs within the cloud. 2) at the Zone level, it sounds like we need a "Zone Application Blueprint Administrator" that can manage catalogs/app blueprints within the zone 3) Adding provider accounts to the zone will be part of "Cloud Administrator" The assigned Cloud Administrator will also need "Provider Account User" rights to add a given provider account. The Cloud admin will not need any specific rights on the Provider itse.f 4) Regarding Provider Owner and User roles -- this relates to a discussion that Jay and I had -- really "Owner" and "Administrator" grant the same level of rights, but there are subtle differences in implication around numbers of users, etc. basically for Provider Accounts, Instances, Applications we'll keep Owner, but for Zones, Clouds, Providers, we should use Administrator. In any case, the rights conferred are the same -- edit/view/use/delete/etc.
Scott, we'll wait for the roles docs you're working on to make a decision on this bug one way or another.
The fix for 788148 should include everything needed here. Should this be considered a duplicate?
This BZ is still marked as 'NEEDINFO' so checking in on what the final decision is ... In the mean time, Tested rpms: >> rpm -qa |grep aeolus aeolus-configure-2.8.7-1.el6cf.noarch rubygem-aeolus-image-0.3.0-12.el6.noarch rubygem-aeolus-cli-0.7.2-1.el6cf.noarch aeolus-conductor-0.13.14-1.el6cf.noarch aeolus-conductor-daemons-0.13.14-1.el6cf.noarch aeolus-conductor-doc-0.13.14-1.el6cf.noarch aeolus-all-0.13.14-1.el6cf.noarch I can see that Zone specific roles have been added. - As admin user, I could assign another user as a Cloud Resource Zone Application Blueprint Administrator. I could then ... - Log in as that user - Create a new Application Blueprint and save it Considering the above results and the fact thet BZ-788148 is closed ... can we verify this BZ?
Created attachment 618089 [details] Cloud Resource Zone Blueprint Administrator
I think this is sorted now...
Good 2 go with the following rpms: aeolus-conductor-0.13.24-1.el6cf.noarch aeolus-conductor-daemons-0.13.24-1.el6cf.noarch aeolus-conductor-doc-0.13.24-1.el6cf.noarch