Understanding restricted attrs

Hello, I try to understand restricted attrs but I have problem with instantiating VMs from predefined templates.

For ex following template owned by user oneadmin and group oneadmin with use permissions set to owner, group and other.

CONTEXT = [
  NETWORK = "YES",
  SSH_PUBLIC_KEY = "$USER[SSH_PUBLIC_KEY]" ]
CPU = "0.5"
DESCRIPTION = "CentOS 7.5 64bit Minimal"
DISK = [
  IMAGE = "CentOS-7-x86_64-1804",
  IMAGE_UNAME = "feldsam",
  TOTAL_BYTES_SEC = "104857600",
  TOTAL_IOPS_SEC = "2000" ]
GRAPHICS = [
  LISTEN = "0.0.0.0",
  TYPE = "VNC" ]
HYPERVISOR = "kvm"
INPUTS_ORDER = ""
LABELS = "Cloud,2000iops"
LOGO = "images/logos/centos.png"
MEMORY = "1024"
MEMORY_UNIT_COST = "MB"
OS = [
  ARCH = "x86_64",
  BOOT = "disk0" ]
SCHED_DS_REQUIREMENTS = "ID=\"0\" | ID=\"110\""
USER_INPUTS = [
  CPU = "M|range-float||0.5..6|0.5",
  MEMORY = "M|range||1024..16384|1024",
  VCPU = "O|range||1..24|1" ]
VCPU = "1"

When I try instantiate VM from this template as normal user I get error User Template includes a restricted attribute USER_INPUTS.. If there are not USER_INPUTS, them I get error about restricted attribute DISK.

What I am doing wrong? Thanks for inputs.

1 Like

Hi Kristian, issue seems to be similar to this one:

basically users which are not part of the oneadmin group are restricted from using those attributes (hence the name).

I believe that most probably in your case you have to (comment, ommit) add a # at the beginning of the line in oned.conf (like below so that users which are not in the oneadmin group can use these attributes). If I am not mistaken you also need to restart opennebula service on the front-end:

#VM_RESTRICTED_ATTR = “USER_INPUTS/CPU”
#VM_RESTRICTED_ATTR = “USER_INPUTS/MEMORY”
#VM_RESTRICTED_ATTR = “USER_INPUTS/VCPU”
#VM_RESTRICTED_ATTR = “DISK/SIZE”

Hope this helps

Hi @luke.camilleri, thank you for reply, I already comment it out, but it is not a solution. I like to have restricted attributes, but in nature, that can be in VM template, but user can not modify them.

I like to understand how opennebula engineers means use of this feature.

1 Like

Hi @feldsam ,I am facing the same issue. I am new to the platform.
Could you please help with the solution in case resolved for you.
Thanks in advance.

Hi, template should be created by user which is in oneadmin group. Check docs

1 Like

Thanks @feldsam,
I like to have restricted attributes, that can be in VM template created by user in oneadmin group, but the field should be disabled for user out of that group to modify them.
The field is editable and I am unable to create VM
[one.template.instantiate] User [2] : User Template includes a restricted attribute
too basic, but somehow blocked.

Did you check vm template user and group?