Archive for the 'django' Category

Page 2 of 4

Ganeti Web Manager Permissions

Ganeti Web Manager features a very flexible permission system.  It’s powered by our django object permissions middleware, which grants permissions at an object level.  It can grant permissions per cluster and per virtual machine.  Ganeti Web Manager also supports groups, for easier management.


Groups and Users are interchangeable.  Permissions and quotas can be assigned to either groups or users.  At the OSL, groups represent one of the many  open source projects we host.   It is easier to manage access when everyone is assigned to their respective project groups.

Members of a group act on its behalf.  Each groups is assigned a quota, and group members create virtual machines that consume it.  The virtual machines belong to the group, not the individual.  Users can choose whichever persona they want to act on behalf of, themselves or a group, and Ganeti Web Manager will permit them accordingly.


Permissions are fine grained so any set of permissions can be assigned.  Here is a sample:

  • Clusters – creating virtual machines.
  • Virtual Machine - modifying, starting, stopping, rebooting and console access.

Admins are granted all permissions for an object.  They also have the ability to manage permissions for other users.  This empowers users to manage their own groups, clusters, and virtual machines freeing site admins to perform other tasks.

Admin permissions can be set at three levels:

  • Virtual Machine Admins – can manage a specific virtual machine.
  • Cluster Admins – can create and manage any virtual machines within that cluster.
  • Site Admins (superusers) – total access to all clusters and virtual machines.   Includes the ability to bypass quota and cluster restrictions.

Permissions and admins are meant to be combined in different scenarios:

  • Fully managed - users have no access at all.  Only admins can create, reboot, or modify.
  • Partially managed - users can’t create virtual machines, but they have some limited ability to manage them.
  • Self Service - users can create virtual machines on demand.  They can create and manage their own virtual machines as needed.
  • User Managed Cluster - a user has control of an entire cluster.

The default scenario is a fully managed (closed) system in which users must be granted permissions.  A different scenario can be used for each cluster managed by a single instance of Ganeti Web Manager.  At the OSL, we will be using several different scenarios.  Our production web cluster is fully managed, but some clients own an entire cluster and will manage it themselves.


Ganeti Web Manager has a basic quota system that limits consumption of RAM, disk space, and virtual CPUs (threads).  In a self service model quotas are used to divide the resources amongst the users.  Clusters default to unlimited quota and this can be changed per cluster.  Quotas can also be changed per user as needed.

Django Object Permissions 1.2

We’ve released  Django Object Permissions 1.2.

This release focuses on implementing a full featured set of functions for querying object permissions.  These functions encapsulate complicated query logic so that you don’t need to worry about it.

We’ve identified three directions you might want to query data:

  • Checking Permissions – When you just want to know if a user has a permission, or a set of permissions.
  • Retrieving Objects – When you want to retrieve a list of objects.  Used when listing a set of objects filtered by user permissions.
  • Retrieving Users – When you want to retrieve a list of users.  Used when listing users filtered by permissions on an object.

All of these methods are now have consistent naming and variants:

  • “All” Variants – allows you to require an exact match against a set of permissions.
  • “Any” Variants – allows you to check for any match in a set of permissions.
  • Group permissions – allows you to include or exclude permissions a user inherits through a group.  The default option now includes group permissions for all methods.

Check out the full API for more details.

Whats Next?

Our next release will focus on user experience:

  • add custom widgets for choosing users and groups.
  • include descriptions for permissions
  • list permissions across all objects (nice for admins)

Django Object Permissions 1.0

We’ve just released Django Object Permissions 1.0.   Object Permissions or row level permissions, allow you to grant users permissions on a specific model instance.  This feature is new in Django 1.2 and required by all authentication back-ends by Django 1.4.  At the OSL we’re building apps that allow our clients to self service, instead of waiting for an official implementation we rolled our own.

Continue reading ‘Django Object Permissions 1.0′

Touchscreen 2.0

Touchscreen is a platform building interactive kiosk displays.  We built it to show off our data center, which houses some of the worlds most important open source projects, and for status displays within our network operations center.  We have plans to build a status dashboard for our development team as well.

Touchscreen 2.0 is nearly complete rewrite of the framework.  The original version was written using OpenLaszlo a language that compiles XML and Javascript into Flash applications.  OpenLaszlo served its purpose but was a niche language that very few people knew, or would use elsewhere.  Ever increasing browser speeds, better support for SVG & canvas, along with great Javascript libraries such as Jquery and Raphael have enabled us to rewrite touchscreen using well known technologies.

Continue reading ‘Touchscreen 2.0′