VM based Access Control Lists

Hi everyone,

We often come across situations where a user wants to share a VM with another user, i.e. give another user manage-rights on a particular VM. We did not find any other trick to cover this other than creating a group containing the two users and assigning the VM to that group. However, this is impractical since groups have to be created by an admin and it leads to an unnecessarily large number of groups. And if a VM should be shared among three users, things get even worse :wink:

Of course, we could create ACL entries for these VMs, but this would also require the admin to create every entry. The user cannot do that alone.

Conceptually, this reminds me of the classic Unix file permission problem where you also have to create groups to share a file with a particular user. The solution in this case was file-based ACLs. So what we would like to have in OpenNebula is something like VM-based ACLs that can be set by a VM’s owner. Is something like this possible?

Greetings
Wilma

Right now, you can only either create a common group or do a chown of the VM to the other user. Something like setfacl for resources would be nice… but it is not implemented.

If you like, consider it a feature request :wink: