Group permissions for VM instantiation from template

I have a template defined, owned by a user in a group. I get this error when I try to instantiate a VM as the user.

The user can’t “MANAGE GROUP”. Where do I set this?

I granted access to the image in the template:

$ oneimage show 17
IMAGE 17 INFORMATION
ID             : 17
...

PERMISSIONS
OWNER          : um-
GROUP          : um-
OTHER          : um-

The user cloudluser:users owns the template. This is who I try to instantiate the template as from Sunstone:


$ onetemplate show 19
TEMPLATE 19 INFORMATION
ID             : 19
NAME           : centos7-cloud1
USER           : cloudluser
GROUP          : users
LOCK           : None
REGISTER TIME  : 04/09 20:43:25

PERMISSIONS
OWNER          : um-
GROUP          : ---
OTHER          : ---

I’m not sure what group permissions I’m missing:

$ onegroup show 1
GROUP 1 INFORMATION
ID             : 1
NAME           : users

GROUP TEMPLATE
SUNSTONE=[
  DEFAULT_VIEW="cloud",
  GROUP_ADMIN_DEFAULT_VIEW="groupadmin",
  GROUP_ADMIN_VIEWS="cloud,groupadmin",
  VIEWS="cloud,groupadmin" ]

USER ID ADMIN
      2

VMS USAGE & QUOTAS

              VMS               MEMORY                  CPU     SYSTEM_DISK_SIZE
      0 /       -        0M /        -      0.00 /        -        0M /        -

VMS USAGE & QUOTAS - RUNNING

      RUNNING VMS       RUNNING MEMORY          RUNNING CPU
      0 /       -        0M /        -      0.00 /        -

DATASTORE USAGE & QUOTAS

NETWORK USAGE & QUOTAS

IMAGE USAGE & QUOTAS

You need to add a specific ACL for the users that should be able to instantiate as another user/group.

Why is this needed? Note that the final accounting/usage quotas will be computed for the target user, not the actual user making the instantiation. You need to grant these special permissions for this reason.

Easier way to do it? Usually this functionality is for group admins. When you create a group admin, it is automatically granted these permissions, so you don’t have to do it manually.

To learn how to add ACL rules, check this link.