Bug #813
VDC Admin couldn't run "oneuser list"
| Status: | Closed | Start date: | 09/15/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
| Resolution: | worksforme | Pull request: | |
| Affected Versions: | | | |
Description
Hi there,
As the administrator of the VDC, shouldn't I be allowed to run "oneuser list" to show a list of users under this VDC?
Currently, I get permission denied.
[test1@ozoneserver-cogeco templates]$ oneuser list
[UserPoolInfo] User [8] not authorized to perform action on user.
This is running ONE-3.0beta2.
Thanks.
History
#1 Updated by Patrice Lachance almost 10 years ago
Hi
Same problem for me. To reproduce:
- create zone and vdc using with admin=vdc1adm, password=somepassword
- create unix user account 'vdc1adm'
- su vdc1adm
- mkdir ~vdc1adm/.one
- echo "vdc1adm:somepassword" > ~vdc1adm/.one/one_auth
[vdc1adm@host]$ oneuser list
[UserPoolInfo] User [2] : Not authorized to perform INFO_POOL USER.
[vdc1adm@host]$ onehost list
[UserPoolInfo] User [2] : Not authorized to perform INFO_POOL HOST.
Tested access to sunstone using vdc1adm => no 'users' dashboard. Opening another bug in sunstone.
#2 Updated by Ruben S. Montero almost 10 years ago
- Status changed from New to Closed
- Resolution set to worksforme
Hi,
Yes, this is the way it is supposed to work. A VDC admin should not be allowed to check the users of a Zone. Potentially you'll be sharing the zone among multiple VDCs, and you may want to keep the users of other VDCs hidden from a VDC admin.
Same with hosts: you can offer a given SLA to a VDC, but as a provider, which hosts are actually supporting the VDC (which may even be shared) is something you may not want to disclose.
You can use onegroup show to list the IDs of the users in the group (i.e. in the VDC).
I'll mark this as worksforme. Any comment is more than welcome.
Thanks
#3 Updated by Patrice Lachance almost 10 years ago
Hi, thanks for the quick reply. OK with the solution provided, and I'll wait for sunstone integration in ONE 3.2! (cf bug #821)
Thanks again for your good work!
Patrice
#4 Updated by Shi Jin almost 10 years ago
Thanks and I agree that the "onehost list" should not work by design.
However, "onegroup list" does not work for me either:
[test1@ozoneserver-cogeco ~]$ onegroup list
[GroupPoolInfo] User [8] not authorized to perform action on group.
I am still confused about how a vdcadmin could find out who the users in this VDC are. Thanks.
#5 Updated by Shi Jin almost 10 years ago
To be clear, I agree that the vdcadmin should not see users of other VDCs in the same zone; therefore we need a way to show a list of users within this VDC only, not within the zone.
#6 Updated by Ruben S. Montero almost 10 years ago
onegroup show
Shi Jin wrote:
To be clear, I agree that the vdcadmin should not see users of other VDCs in the same zone; therefore we need a way to show a list of users within this VDC only, not within the zone.
#7 Updated by Shi Jin almost 10 years ago
Well, yes, I can run
[test1@ozoneserver-cogeco ~]$ onegroup show 100
GROUP 100 INFORMATION
ID   : 100
NAME : vdc1
USERS
ID
8
10
provided I know my group ID is 100 as vdcadmin of the VDC called vdc1. But the problem is that I don't know this number, and it seems that "onegroup show" does not take a group name as an argument:
[test1@ozoneserver-cogeco ~]$ onegroup show vdc1
OpenNebula GROUP name not found, use the ID instead
command show: argument 0 must be one of groupid,
#8 Updated by Shi Jin almost 10 years ago
Ah, just realized that I should run "onegroup show" without any argument:
[test1@ozoneserver-cogeco ~]$ onegroup show
GROUP 100 INFORMATION
ID   : 100
NAME : vdc1
USERS
ID
8
10
So this is indeed a workaround. Thanks.
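The workaround agreed on in this thread (a VDC admin enumerates only the users of their own group via `onegroup show`, never the zone-wide user pool) can be scripted. The following is an added example, not part of the bug report or of OpenNebula itself. It assumes the CLI's `-x` switch emits the GROUP document as XML with `ID`, `NAME` and `USERS/ID` children (the same fields the plain-text output above shows); the embedded sample document is constructed from the values in this thread, so the script runs offline when the `onegroup` command is not installed.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample of the GROUP document for the admin's own VDC group in this
# thread: group 100 "vdc1" containing users 8 and 10. Field names are assumed
# from the plain-text `onegroup show` output shown in the bug report.
SAMPLE_GROUP_XML = """<GROUP>
  <ID>100</ID>
  <NAME>vdc1</NAME>
  <USERS>
    <ID>8</ID>
    <ID>10</ID>
  </USERS>
</GROUP>"""


def parse_group(xml_text):
    """Return (group_id, group_name, [user_ids]) from a GROUP XML document."""
    root = ET.fromstring(xml_text)
    if root.tag != "GROUP":
        raise ValueError("expected a GROUP element, got %r" % root.tag)
    gid = int(root.findtext("ID"))
    name = root.findtext("NAME")
    users = sorted(int(u.text) for u in root.findall("USERS/ID"))
    return gid, name, users


def can_see_users(xml_text, requesting_uid):
    """The least-privilege rule from the thread: a user may list the members
    of a group only if they are themselves a member of that group."""
    _, _, users = parse_group(xml_text)
    return requesting_uid in users


def users_in_my_vdc(xml_text, requesting_uid):
    """User IDs visible to a VDC admin: the members of their own group, and
    nothing from other VDCs that share the zone."""
    gid, name, users = parse_group(xml_text)
    if requesting_uid not in users:
        raise PermissionError(
            "user %d is not a member of group %d (%s)" % (requesting_uid, gid, name))
    return users


def fetch_own_group_xml():
    """Run `onegroup show -x` (no group argument, so the caller's own group is
    returned, as discovered in comment #8). Assumed switch; falls back to the
    constructed sample when the CLI is not available on this machine."""
    try:
        out = subprocess.run(["onegroup", "show", "-x"], capture_output=True,
                             text=True, check=True)
        return out.stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_GROUP_XML


if __name__ == "__main__":
    xml_text = fetch_own_group_xml()
    gid, name, users = parse_group(xml_text)
    print("group %d (%s) users: %s" % (gid, name, ", ".join(map(str, users))))
```

Because the query is scoped to the caller's own group, the script never needs the zone-wide `oneuser list` that the authorization layer correctly refuses to a VDC admin; if the CLI output format differs on your version, only `parse_group` needs adjusting.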