AccessRights
- Access rights (capabilities) overview
- Actions on all objects
- Actions on VMs and Templates
- Actions on VDI
- Actions on Networks
- Actions on SRs
Each XenServer infrastructure object is associated with a set of "access rights" that determine whether a user of the system can perform a given mutation on it.
They are stored in the object's other_config field under the vmemperor key. The structure is as follows:
```
{"access":
  {"AUTHENTICATOR_NAME":
    {"USER_ID1": ["action1", "action2", "action3"],
     "USER_ID2": ["ALL"],
     ...
    }
  }
}
```
Here, AUTHENTICATOR_NAME is taken from the current authenticator's class name, and USER_ID1 and USER_ID2 are user identifiers.
A user identifier starts with users/ if it refers to a user, and with groups/ if it refers to a group. (This is done for compatibility with authentication systems where a collision between a user name and a group name is possible.) The prefix is followed by the ID retrieved from the external authentication system.
action1, action2 and action3 are actions that describe the mutations the user is allowed to execute on this object.
ALL is a special action that allows a user to execute every mutation on an object.
| Type | Description |
|---|---|
| regular user | Has been granted a limited number of actions ("USER_ID1" in example above) |
| owner | Can perform any action, set main owner, can't reset main_owner |
| main owner | One of owners against whom the quota is calculated |
| administrator | Owner of everything, can reset main owner (i.e. strip the resource of any quotas by setting it to None) |
See ACLXenObject.check_access (Python code) for how access is checked.
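A minimal check against the structure described above, as an added example; it is not the project's ACLXenObject.check_access. It assumes the vmemperor value is stored as JSON text and that a user inherits grants given to their groups; the function names, authenticator name and IDs are hypothetical, and the owner and administrator roles are not modelled.

```python
import json

ALL = "ALL"  # special action from the page: grants every mutation


def granted_actions(other_config, authenticator, principals):
    """Collect the actions granted to any of `principals` under one authenticator.

    Fails closed: a missing key, malformed JSON or wrong types yield an empty set.
    """
    raw = other_config.get("vmemperor")
    try:
        # Assumption: other_config values are strings, so the ACL is JSON text.
        data = json.loads(raw) if isinstance(raw, str) else raw
        acl = data["access"][authenticator]
    except (TypeError, KeyError, ValueError):
        return set()
    if not isinstance(acl, dict):
        return set()
    actions = set()
    for principal in principals:
        entry = acl.get(principal, [])
        if isinstance(entry, list):
            actions.update(a for a in entry if isinstance(a, str))
    return actions


def is_allowed(other_config, authenticator, user_id, group_ids, action):
    """True if the user, or one of the user's groups, holds `action` or ALL."""
    # The users/ and groups/ prefixes keep a user and a group that share
    # the same external ID from matching each other's entries.
    principals = [f"users/{user_id}"] + [f"groups/{g}" for g in group_ids]
    actions = granted_actions(other_config, authenticator, principals)
    return ALL in actions or action in actions


# Constructed sample: the authenticator name and IDs are made up for illustration.
SAMPLE = {"vmemperor": json.dumps({"access": {"ExampleAuthenticator": {
    "users/alice": ["start", "snapshot"],
    "groups/ops": ["ALL"],
    "groups/alice": ["destroy"],
}}})}

if __name__ == "__main__":
    print(is_allowed(SAMPLE, "ExampleAuthenticator", "alice", [], "start"))
    print(is_allowed(SAMPLE, "ExampleAuthenticator", "alice", [], "destroy"))
```

Entries are looked up only under the authenticator that identified the caller, so an ID issued by one authentication system never matches a grant recorded for another.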
| Name | Description |
|---|---|
| destroy | Delete an object |
| rename | Change name or description of an object |
| Name | Description |
|---|---|
| changing_memory_limits | Change RAM settings |
| change_VCPUs | Change VCPU settings |
| change_domain_type | Change Xen domain type (dubbed as VM virtualization mode in the frontend) |
| Name | Variations | Description |
|---|---|---|
| shutdown | hard_shutdown, clean_shutdown | VM shutdown (hard, clean). Overview screen performs hard_shutdown; VM List performs shutdown |
| suspend | | VM suspend |
| resume | | Resume after a suspend |
| reboot | hard_reboot, clean_reboot | VM reboot (hard, clean). Overview screen performs hard_reboot; VM List performs reboot |
| pause | | Pause a VM |
| unpause | | Unpause a VM |
| start | | Start a VM |
| snapshot | | Make a snapshot |
| revert | | Revert a snapshot |
| launch_playbook | | Launch a playbook on this VM |
| VNC | | View VNC (Remote desktop) |
| attach_network | | Attach a network |
| attach_vdi | | Attach a disk |
| Name | Description |
|---|---|
| change_install_os_options | Change automatic install options (Distribution, version, etc) |
| create_vm | Create a VM with this template |
| clone | Clone this template |
| Name | Description |
|---|---|
| plug | Connect this VDI to any VM on which the user has been granted the attach_vdi action |
| Name | Description |
|---|---|
| attaching | Connect this network to any VM on which the user has been granted the attach_network action |
| Name | Description |
|---|---|
| vdi_create | User can create VDIs on this SR |