RE: Self-service constraints when combined with ACLs

This is essentially why I said in the other thread that "Self Service and ACLs weren't designed to work together"

To keep it simple: Self Service will indeed allow some users to see and use some resources even though they don't have ACLs for them. Then, when they create VMs, it will automatically assign ACLs on the objects under the hood. That's why, even though it's not impossible, most of the time it's not recommended to use them together since you might override ACLs that Self Service assigns automatically.

We're actually starting to think of a redesign (or at least improvements) of those 2 features so feedback is very welcome about any use case that you might have that isn't covered by them at the moment. I already took note of the "dynamic" need for resource set objects.

Hi @olympicgreg, this seems to be the intended behaviour.

Self Service and ACLs weren't designed to work together, so when you create a VM, you either do it under the Self Service feature or thanks to the ACLs you have. So in your case, the user might have Viewer ACLs on the pool, but since they create the VM using Self Service, they will only be able to see the resources available in the Self Service resource set.

Regarding ACLs, "Viewer" is not enough to be able to create a VM on the pool. But if you change it to "Admin", you'll see that the user is now able to create a VM outside of the Self Service feature, simply by selecting the pool. And in that case, they'll be able to see all the pool's networks.

@kagbasi-ngc It's not possible at the moment. How would you expect it to work? Would it try to request the first server and fallback to the second one in case of error? And do that for every single request?

@andrewperry Exactly

Hi @andrewperry, a "server" in XO 5 represents a "connection to a pool". Since you need to enter your physical server's information, that's why we called it that way. But we agree too much vocabulary can be confusing so in XO 6 we'll change that and probably call it something like "Pool connections".

@ph7 Thanks for the report, we'll check that

@olivierlambert @webminster It's in the backlog, we'll try to plan it for March or April.

We're also open to external contributions if anyone wants to give it a try

Yes, we'll have to test the new version before bumping the max supported version.

In the meantime, if anyone wants to test it on a non-sensitive instance of XO, you can disable the version check in xo-server's config:

[netbox]
checkNetboxVersion = false

But I think I'm already seeing something that we'll have to handle:

The site foreign key field on virtualization.Cluster has been replaced by the scope generic foreign key.

@propsoft All clear now, thanks! We'll discuss it and see what we can do, but I think this is indeed something that you need to configure in your browser. There should be an option to force the browser to ask where to save the file.

Thanks for the feedback @propsoft
XO Lite is indeed still a work in progress and there's a lot to come!

@propsoft said in EOL: XCP-ng Center has come to an end (New Maintainer!):

not being able to specify the target of an export (browser ran out of disk space, unsurprisingly)

I'm not sure to understand what you mean by "browser ran out of disk space". Do you mean your computer's disk?

Also, what do you mean by target? You'd like to be able to choose a destination folder on your computer?

Thanks!

Hi @kagbasi-ngc,

To try and figure out what's happening, you can add this to your xo-server config:

[logs]
filter = 'xo:auth-ldap

Then run the plugin test again and see if xo-server's logs give more information.

Thanks for the feedback @fred974 We're aware of this and we're going to add a way to deploy another XOA when one is already deployed and also a way to choose which XOA the button redirects to when there are multiple ones deployed.

Hi @bnerickson, thanks for the detailed feedback!

XO Lite is still in its early development phase, which means that most of your suggestions are actually already planned, including VBD management, editing MAC addresses, creating/deleting VMs and snapshots, and more generally everything that can be done through XAPI calls.

Regarding your other suggestions, keep in mind that XO Lite is running without a server behind. This means that the persistency is only in the browser. For instance, I'm not sure how an LDAP login would work, since the credentials you're entering in XO Lite are your host's credentials, and XO Lite needs that to communicate with XAPI.

Regarding XOA's FQDN, you can already do that by configuring the field publicUrl in your XOA's config:

[http]
# Public URL to connect to this XO
#
# This optional entry is used to communicate to external entities (e.g. XO Lite)
# how to connect to this XO.
#
# It SHOULD be defined in case the IP address of the current machine is not
# good enough (e.g. a domain name must be used or there is a reverse proxy).
publicUrl = 'https://xoa.company.lan'

In any case, I took note of your feedback and we'll have to discuss some of your other interesting suggestions, both for XO Lite and XO 6, like showing more of the host's logs, failed services, etc.
Thanks!

Thanks for the feedback, we'll take care of that.

@Tristis-Oris Thanks for the report, it should be fixed on master. Could you pull and try again?

Hi @Houbsi, good question. This is how it works:

• any XO instance that is connected to a pool will add some information about itself to the pool's metadata
• XO Lite reads that information to know the URL of XO's UI

In xo-server's config, you can force XO to report a custom URL instead of raw network information:

[http]
publicUrl = 'http://example.com'

However, at the moment, XO Lite doesn't support it, but it's coming soon: https://github.com/vatesfr/xen-orchestra/pull/7849

And @olivierlambert, yes, for now, any XO instance, whether it's an XOA or not, reports itself on the pool and we simply pick the latest one. But we can definitely implement something smarter in the future if necessary.

pdonias opened this pull request in vatesfr/xen-orchestra

closed feat(lite/XoaButton): support `xo-server`'s setting `http.publicUrl` #7849

Indeed, it's not possible at the moment, only admins can edit ACLs. Taking note of the request, though

@mbriet Yes, you can. The user just needs to login once with their LDAP credentials to create the corresponding XO user and then you can manage that user pretty much like a local user, including adding them to groups you created yourself.

@mbriet Yes, exactly. You can import all the groups at once but if you want to set ACLs for a specific user, they have to login at least once first so that the user gets created within XO.

@olivierlambert It doesn't look like we did. It's documented in the config file but we can add it to the RPU doc too if necessary.