Hello,
We are a university and we are in the process of deploying OpenNebula for our fellow computer scientists.
We have a few dozen departments and each will have its own group, in which the group admin will manage the resource allocation. We are planning on providing, for each department, 2 virtual networks: one local to OpenNebula for their VM interco and one routed to their existing DMZ. That is where we are having trouble, since we want a group to be able to use only its own 2 networks.
Indeed, upon creation of a group, OpenNebula sets 3 default ACLs:
105 @124 -H-------------- * -m-- #0
106 @124 --N----D-------- * u--- #0
107 @124 V--I-T---O-S-R-- * ---c *
As you can see, ACL #106 is problematic for us. And unless we delete it and recreate it just for the datastores, we will never be able to script our group/ACL/vnet management.
I have been looking around, even poking at the source code, and I can’t find a way to tell OpenNebula not to allow a newly created group to access all the vnets. And, of course, we have no prior ACL allowing this on a wider scope (we aren’t using the default users group, and I removed all ACLs on virtual networks).
Thanks in advance,
Arnaud
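
Added example, not part of the original post and not OpenNebula code: a small audit script that parses ACL listing lines in the format quoted above, flags group rules that grant rights on every virtual network, and prints the datastore-only rule the post describes recreating. The function names are hypothetical, the letter-to-resource table covers only the letters that appear in the three quoted rules, and the output rule string assumes the `user resources/rid rights zone` form used by `oneacl create`.

```python
import re

# Constructed sample: the three default rules quoted in the post.
SAMPLE = """\
105 @124 -H-------------- * -m-- #0
106 @124 --N----D-------- * u--- #0
107 @124 V--I-T---O-S-R-- * ---c *
"""

# Column letter -> resource name, limited to the letters present in the post.
RESOURCES = {"V": "VM", "H": "HOST", "N": "NET", "I": "IMAGE", "T": "TEMPLATE",
             "D": "DATASTORE", "O": "DOCUMENT", "S": "SECGROUP", "R": "VROUTER"}
RIGHTS = {"u": "USE", "m": "MANAGE", "a": "ADMIN", "c": "CREATE"}

# id, user, resource flags, resource id, rights flags, zone
RULE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([umac-]{4})\s+(\S+)\s*$")


def parse_rules(text):
    """Parse listing lines into dicts; header and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        acl_id, user, res, rid, ops, zone = m.groups()
        rules.append({
            "id": int(acl_id),
            "user": user,
            "resources": [RESOURCES.get(c, c) for c in res if c != "-"],
            "rid": rid,
            "rights": [RIGHTS[c] for c in ops if c != "-"],
            "zone": zone,
        })
    return rules


def broad_net_rules(rules):
    """Group rules (@gid) that apply to NET with resource id '*' (all vnets)."""
    return [r for r in rules
            if r["user"].startswith("@") and "NET" in r["resources"] and r["rid"] == "*"]


def without_net(rule):
    """Render the same rule with NET removed, as a rule string."""
    kept = [r for r in rule["resources"] if r != "NET"]
    return "{} {}/{} {} {}".format(rule["user"], "+".join(kept), rule["rid"],
                                   "+".join(rule["rights"]), rule["zone"])


if __name__ == "__main__":
    for rule in broad_net_rules(parse_rules(SAMPLE)):
        print("ACL", rule["id"], "grants", rule["rights"], "on all vnets; narrower rule:",
              without_net(rule))
```
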