On Thu, May 26, 2011 at 03:57:45PM +0100, Mark McLoughlin wrote:
> Hey,
>
> We had a chat earlier about medium term plans for image permissions. John is
> going to write up some more detailed design thoughts, but I thought I'd
> write down my understanding of the basic requirements before I forget:
>
> 1) Access control
>
> We need users to be able to restrict access to images they create
> or own - e.g. if you've got sensitive data in an image, or you
> just want to prevent others from being able to delete your images
>
> (This sounds to me like posix filesystem style permissions on
> IWHD objects)

Agree.

> 2) Quotas
>
> When an administrator adds a provider account in conductor, she
> needs to be able to set a per-user quota for that account - e.g.
> Mary can only use 20Gb of S3 storage on this EC2 account
>
> (This sounds to me like a policy stored in Conductor, enforced
> either by conductor or image factory. If the latter, the quota
> could be passed to image factory via the credentials XML)

Hmm... I guess the storage used is always going to be billable to the
provider account used, isn't it. I suppose given that if we're
supposed to deal with anything having to do with accounts, we should
also be enforcing storage quota. Unfortunately that gets us back into
the business of having to be involved in every write to the image
factory, which makes me uncomfortable.

> 3) Environment/pool family policies
>
> Based on the environment a user is launching an instance in, a
> different set of images should be available to the user.
>
> (This sounds to me like a policy managed by the image tools and
> enforced by Conductor)

Yes, we have to enforce this one, since we're deciding whether user U
can launch some deployable in some environment.

> 4) Entitlements/slots
>
> This I'm less clear on. Take RHEL entitlements. When a RHEL
> instance is started, it should automatically consume an
> entitlement. However, does an image consume an entitlement? If so,
> how do we make that happen?

Bryan talked about "management slots", but I think for all but the
bare metal case those slots refer to running instances only. I do not
believe a non-running image should consume an entitlement... but I
don't really know.

--H
--
== Hugh Brock, hbrock(a)redhat.com ==
== Engineering Manager, Cloud BU ==
== Aeolus Project: Manage virtual infrastructure across clouds. ==
== http://aeolusproject.org ==
"I know that you believe you understand what you think I said, but I’m
not sure you realize that what you heard is not what I meant."
--Robert McCloskey