ACLs for Templates restricted to Groups. Need help understanding

Hi, what’s the best way to restrict users from seeing all Templates to just templates that their group has the correct permissions to use?

Currently, we are running OpenNebula 5.8.1.
Permissions on Templates are set to what we think are appropriate. Owner, Group and not usually Other.

However, when a user logs in they see all templates that exist, regardless of the Template permission. I want a user in a group to only see templates that their group is permitted to use.

I know I need to provide a bit more detail, so please let me know what would need to be known to get this working.

Hello @josephg

Having those permissions should be correct, but maybe you have some ACL rule which gives everyone access to those templates. So please check the ACL rules that apply to VM templates and delete the ones that you don’t need. To see more information about ACLs you can check this.

We’ve looked at that document before, but will re-review it. One thing we can’t seem to determine is how to edit an ACL. This does not seem possible. Is it possible?

onegroup create ${group} --resources VM+TEMPLATE

Is the command we use which then uses the system default ACLs. I’m not seeing a way to pass restrictions there.

Hello @josephg

No, you can’t update the ACL; you need to delete it and create a new one.

With that command, you specify the resources that the group can create. If you want more restrictions, you need to use the ACL rules.

Thanks. Will give that a try.
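
The ACL review suggested in the thread can be scripted. The following is an added example, not part of the original posts or OpenNebula's own code: it parses ACL rule strings in the `<user> <resources>/<resource id> <rights> [<zone>]` form and flags rules that give a user USE on templates outside their own groups. The function names, rule IDs and sample rules are constructed for illustration.

```python
import re

# <user> <resources>/<resource id> <rights> [<zone>], e.g. "@105 TEMPLATE/@105 USE *"
RULE_RE = re.compile(
    r"^(\*|[#@]\d+)\s+([A-Z+]+)/(\*|[#@%]\d+)\s+([A-Z+]+)(?:\s+(\*|#\d+))?$"
)

def parse_rule(text):
    """Split one ACL rule string into its components."""
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not an ACL rule string: {text!r}")
    user, resources, rid, rights, zone = m.groups()
    return {
        "user": user,
        "resources": set(resources.split("+")),
        "rid": rid,
        "rights": set(rights.split("+")),
        "zone": zone or "*",
    }

def template_exposure(rules, uid, gids):
    """Return IDs of rules that give this user USE on templates outside
    the user's own groups, whatever the templates' permission bits say."""
    own_groups = {f"@{g}" for g in gids}
    subjects = {"*", f"#{uid}"} | own_groups
    flagged = []
    for rule_id, text in rules:
        r = parse_rule(text)
        if r["user"] not in subjects:
            continue  # rule does not apply to this user
        if "TEMPLATE" not in r["resources"] or "USE" not in r["rights"]:
            continue  # e.g. CREATE-only rules do not make templates visible
        # "*" means every template; "@N" means all templates of group N
        if r["rid"] == "*" or (r["rid"].startswith("@") and r["rid"] not in own_groups):
            flagged.append(rule_id)
    return flagged

# Constructed sample rule set (IDs and contents are illustrative)
SAMPLE_RULES = [
    (0, "@1 VM+NET+IMAGE+TEMPLATE+DOCUMENT+SECGROUP/* CREATE *"),
    (1, "* ZONE/* USE *"),
    (5, "@105 VM+TEMPLATE/* CREATE *"),
    (7, "* TEMPLATE/* USE *"),
    (8, "@105 TEMPLATE/@105 USE *"),
    (9, "@105 IMAGE+TEMPLATE/@100 USE+MANAGE #0"),
]

if __name__ == "__main__":
    print(template_exposure(SAMPLE_RULES, uid=12, gids={105}))
```

Flagged IDs are the candidates to remove with `oneacl delete` and, where access is still needed, recreate in a narrower form with `oneacl create`.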