
    Xen Orchestra User ACLs and UI Privileges

      love2scoot

      Xen Orchestra User ACLs and UI Privileges

      I have been trying to track down how Xen Orchestra ACLs are expressed within the XO UI. While some general guidance exists, I have not found a source of comprehensive documentation on the subject. To resolve this, I built a Xen Orchestra ACL Mapping spreadsheet which walks through the granular application of each ACL privilege and to which UI elements it grants the user access.

      The challenge with the XO UI and ACLs

      When applying an ACL privilege for a specific user (or group), it is not clear to which UI components the user is granted access. This stems from the fact that:

      • Some UI elements are not present for a user without a specific permission
      • Some UI elements are present for a user without a specific permission, but are non-functional (like buttons that can be pressed, but result in a "Not enough permissions" popover)
      • Some UI elements only become functional when multiple ACL entries of different types are added for a specific user (or group), leading to cases where dependencies need to be understood.
      • Some UI elements will never appear to non-SuperAdmin users regardless of the ACL granted.

      XO Resource Hierarchy

      Xen Orchestra resources can be local (connected to an XO host directly) or shared across a Pool (and therefore not directly connected with any specific Host). For the purposes of this spreadsheet, it should be assumed that only shared resources are considered (unless otherwise noted). This would mean that items like ISO shares (for example) are accessed via network sharing and do not use local Host resources. These resources are organized into a hierarchy and expressed as:

      • Pool - The collection of resources
        • Host - The hypervisor is a pool member
        • SR - A network connected storage repository
        • VM - A virtual machine built on top of network storage
        • Network - A specific network interface which belongs to the pool

      How to understand this spreadsheet

      Quick summary on how the spreadsheet was designed

      Columns

      XO ACLs can be granted to (5) different object types, each with (3) different levels of access. These ACLs are represented by columns within the spreadsheet, ordered from least permissive to most permissive:

      • Network Object ACL (Viewer - Operator - Admin)
      • SR Object ACL (Viewer - Operator - Admin)
      • VM Object ACL (Viewer - Operator - Admin)
      • Host Object ACL (Viewer - Operator - Admin)
      • Pool Object ACL (Viewer - Operator - Admin)

      (2) additional columns are included which detail which UI components are present by default for:

      • A SuperAdmin user
      • A User without any ACLs granted

      Rows

      The rows of the spreadsheet delineate which UI components are available to the user. This has been ordered to match the hierarchy of the Xen Orchestra GUI. Rows are grouped by their relationship to major UI sections. For example, all rows which allow the user to make changes to Storage Objects use the same cell background color.

      Cells

      The spreadsheet cells express how a given ACL permission allows for access to a specific UI component. There are (5) possible values for these cells:

      • Yes - The UI component is present and the user can manipulate it with the given ACL permission.
      • No - The UI component is present but the user cannot manipulate it with the given ACL permission.
      • Dependency - The UI component requires additional ACL permissions to be granted before the user is capable of manipulating it. Cells of this type also include an embedded comment field to detail which additional ACL permission(s) are required.
      • UI Hidden - The UI element is completely hidden from the interface given the specific ACL permissions.
      • Unknown - In some cases I didn't have spare resources which I could use for testing (For example: I didn't want to test out Force Restart of one of my Hosts). In these cases the specific ACL was not tested.

      Housekeeping

      • This spreadsheet refers to the XO5 UI. I have not attempted access of the XO6 UI at the time of creation.
      • These ACL grants can be applied to either a user or group, but the user in question is not specified as a SuperAdmin.
      • Although I have tried to double check my results, it's possible that I have recorded some of these ACL results incorrectly. If that's the case, drop a note in this thread and I will attempt to test and update where applicable.
        olivierlambert Vates 🪐 Co-Founder CEO

        Adding @lsouai-vates and @thomas-dkmt to see what we can take for our documentation.

        Thank you @love2scoot

          lsouai-vates Vates 🪐 XO Team @love2scoot

          @love2scoot hello and thanks for the huge work you did on this subject! We are working on a new ACL organization for Xen Orchestra 6 and it would be very helpful for us. 🙂

            love2scoot @lsouai-vates

            @lsouai-vates I'm happy to contribute where I can 👍

              cocoon XCP-ng Center Team @lsouai-vates

              @lsouai-vates nice to see that there is work going on.
              A long time ago there was already a draft and I had some questions, maybe it can be picked up?

              https://github.com/vatesfr/xen-orchestra/pull/6450

              https://xcp-ng.org/forum/topic/6644/acl-v2-allow-to-run-specific-job

              julien-f opened this pull request in vatesfr/xen-orchestra

              draft WiP: ACL v2 #6450

                lsouai-vates Vates 🪐 XO Team @cocoon

                @cocoon hello! For now we are reflecting on a refactoring to move towards a more RBAC-based, IAM-type system.

                We will inform the whole community when we are sure of the direction the new ACL system will take. 🙂

                Stay tuned 😉
