[SOLVED] 5.4 - Prohibit disk-snapshot not working (by moving it to VM_ADMIN_OPERATIONS)

Hi,

I wanted to prohibit the possibility for normal users to create disk-snapshots, by changing the oned.conf file.

VM_ADMIN_OPERATIONS = "migrate, delete, recover, retry, deploy, resched, disk-snapshot"

VM_MANAGE_OPERATIONS = "undeploy, release, disk-attach, nic-attach, terminate, disk-resize,
snapshot, updateconf, rename, resize, update, disk-saveas"

VM_USE_OPERATIONS = "hold, stop, suspend, resume, reboot,
poweroff"

These users only have use & manage rights but are still able to create a disk-snapshot in Sunstone (Storage Tab -> Camera Symbol). Strangely, when they want to delete this snapshot they get the following message:
[one.vm.disksnapshotdelete] User [6] : Not authorized to perform ADMIN VM [167].

Did I miss anything?

Thanks
Uli

edit: marked as solved in 5.4.2

Hi Uli!

Firstly, which view do these users use?
You can manage which actions users can see in Sunstone, in the .yaml files for each kind of view.

If you want to forbid the possibility of creating disk-snapshots, you can disable this action with the key VM.disk_snapshot_create: false

Regards!
Juan Jose

Hi Juan!

Thanks for the hint for disabling this option from the view.
These users are using the users view and the CLI.

Still the users can create disk-snapshots from the CLI and just removing this option from the view is in my opinion not a complete solution.

I think setting the fine-grained VM permissions (in my case putting disk-snapshot in the admin section) in oned.conf should disallow the creation of a snapshot completely for non-admin users, resulting in a “Non authorized to perform…” message. Or have I missed something about this part of the configuration?

Best Regards
Uli

Hi Uli!

I have looked at the problem in more detail and found a code bug. I have resolved the problem and you will soon have the solution in the repository.

This is the issue: https://dev.opennebula.org/issues/5404

Regards and thanks!
Juan
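
The configuration side of this thread can be checked mechanically. The following is an added example, not code from the thread or from OpenNebula: it parses the three VM_*_OPERATIONS settings (including values that wrap across lines) and reports operations listed under more than one level or not restricted to ADMIN. The function names and the sample text are constructed for illustration, and the check covers only what oned.conf says, not whether oned enforces it, which was the bug found here.

```python
import re

# Constructed sample mirroring the settings quoted in the thread.
SAMPLE_ONED_CONF = '''
VM_ADMIN_OPERATIONS = "migrate, delete, recover, retry, deploy, resched, disk-snapshot"

VM_MANAGE_OPERATIONS = "undeploy, release, disk-attach, nic-attach, terminate, disk-resize,
    snapshot, updateconf, rename, resize, update, disk-saveas"

VM_USE_OPERATIONS = "hold, stop, suspend, resume, reboot,
    poweroff"
'''

LEVELS = ("ADMIN", "MANAGE", "USE")
# Anchored at line start so commented-out settings (# VM_...) are ignored.
SETTING = re.compile(r'^\s*VM_(ADMIN|MANAGE|USE)_OPERATIONS\s*=\s*"([^"]*)"', re.M)


def parse_vm_operations(conf_text):
    """Return {level: [operations]} for the three VM_*_OPERATIONS settings."""
    levels = {level: [] for level in LEVELS}
    for level, value in SETTING.findall(conf_text):
        # A quoted value may span several lines; split on commas, trim whitespace.
        levels[level] = [op.strip() for op in value.split(",") if op.strip()]
    return levels


def audit(conf_text, admin_only):
    """List problems: operations in several levels, or admin-only ones not ADMIN."""
    where = {}
    for level, ops in parse_vm_operations(conf_text).items():
        for op in ops:
            where.setdefault(op, []).append(level)
    problems = []
    for op, found in sorted(where.items()):
        if len(found) > 1:
            problems.append(f"{op}: listed under {', '.join(found)}")
    for op in admin_only:
        found = where.get(op, [])
        if found != ["ADMIN"]:
            problems.append(f"{op}: expected ADMIN only, found {found or 'nowhere'}")
    return problems


if __name__ == "__main__":
    for line in audit(SAMPLE_ONED_CONF, ["disk-snapshot"]) or ["no problems found"]:
        print(line)
```

A clean result here only confirms the intended policy is written down; the enforcement still has to be tested as a non-admin user through the CLI, as Uli did.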