SR permissions

[UAnton]

BUG User can delete snapshots and disks from SR with "Operator" permissions.

Description:

1. Create User1 and User2 in Settings with "User" permissions.
2. In "ACL" create permission for SR with "Operator" permissions for our users. (to be able to create tempates).
3. Go to "Self Service" and create services for our Users called User1 and User2.
4. Login with User1 and User2 and create VMs for User1 and User2.
5. Login with User1 and User2 and create several snaphots of VMs
6. Go to SR and... You see all VDs and can delete it.
7. Also you can see VDs of all templates and can delete it!

[olivierlambert]

This is the point of being Operator on a SR, you can remove VDIs (but not the SR itself). It would be a bug if we got ACLs on the VDI level, which we don't.

If you want your user to create disks or snapshots on a SR, you need to give them rights to do so. And because we don't have ACLs on VDI, that's coherent they can remove VDIs on this SR.

Possibilities:

• don't let users create disks/snapshots on their SR (no "Operator" rights on SR)
• allow only Operator on a dedicated SR for self-service (they only could break their own stuff)

Creating VDI ACLs is more tricky, but doable. In fact, it's in the TODO list, because if it wasn't a big deal before self-service, it's more annoying now.

[olivierlambert]

We have now to decide what is the best way to do that. Here is some questions:

• what permission we should give to a user to be able to create VDIs/snapshots on a SR? "Read" is not good, because eg a snapshot creates something on the SR itself
• why a SR operator wouldn't remove objects?
• is the operator able to only see its own VDIs or all VDIs? (but remove only its own)

It's a kind of "policy" which change from all previous 3 roles (read: only view, operator: edit the object, admin: remove the whole object). I'm open to ideas to keep the same principle.

[UAnton]

I need time to think about it ...

[UAnton]

Maybe remove SR from list in user interface but keep permissions? User Can see\export\delete snapshot in VM interface.

[olivierlambert]

Just removing the view is not really a security, but it could be acceptable if there isn't other cases where user actually need to operate VDIs on SR.

Remember the consequences of creating snapshots or VDIs on a SR: it consumes disk space, so you need to give rights carefully anyway.

[UAnton]

In some cloud control systems I saw limit the number of snapshots. If you can restrict vCPUs, storage capacity and memory? Maybe you can restrict number of snapshots?

[olivierlambert]

Perhaps it's a way, but snapshots diff can grow with time, so it's hard to be sure about the maximum space really used for a user.

This is a tricky question. I'll also discuss with @julien-f about this.

[UAnton]

Also a very strange place "Copy the VM". The users not have permissions for local storages , but can copy his VMs to all stores in the pool. Migrate VM - The user should not be allowed to Migrate VMs! We need to think how to fix it.

[olivierlambert]

We got users asking for migrate VMs, and this is only possible if you have rights on other hosts (otherwise, you shouldn't see any available servers).

Should be the same for copy in theory. If not, open another issue.

[UAnton]

Any news?

[olivierlambert]

That's not something we could fix instantly. I fixed the copy VM and migrate for 4.15.1.

But we currently didn't find a solution satisfying solution for ACLs... I'm open to ideas :)

[UAnton]

Ok, I'm think about possible solutions...

[UAnton]

Hello.

It seems that we have two possible improvements for Xen orchestra:

1. Limit total numbers of snapshots (per VM or per user) with possibility of change this number from Web-interface.
2. Limit total disk space, which is available to user. You can use common disk space limit or add additional space limit for snapshots.

Anyway, we guess that it is very important that you will hide interface of storage management from non-privileged users.

[olivierlambert]

The total disk space is already limited at the self-service level.

Limiting snapshots won't change anything: you need to get the right to "write" on the SR. But today, the right to write is also the right to read and write on the whole object (SR). This is the thing we need to modify/enhance.

[UAnton]

But space does not limited to snapshots. I create resourse 4Gb HDD and create VM with 4GB HDD. Now I created 25 snapshots and use 6GB but have limit 4GB.

[olivierlambert]

The original issue was about possibility to make snapshots without having Operator rights on the SR. Because an operator can remove everything on the SR, people ask a way to make snapshots without having the "real" Operator right.

About the other issue (creating snapshots): we only make limitation during the VM creation, not after.

[UAnton]

Create permission "Snapshot" but don't add SR to user UI. P.S. Temporary solution

[UAnton]

Hi! Do you have Any new solutions?

[olivierlambert]

@julien-f what should we do about that?

[julien-f]

It's normal for an SR operator to be able to delete VDIs.

I think your usage issues will be fixed by self service improvements.