Bug Reference

CLOUDSTACK-1390

Branch

master, 4.2.0

Purpose

In CloudStack today, a User VM can be moved to another user under the same domain, i.e. an admin can create a VM and assign it to an account as long as the account belongs to the same domain as the admin.

CloudStack should allow a Root/Domain admin to move a User VM to another user under a different domain.

Use cases

  1. An admin creates a VM on behalf of another user and then assigns it to that user. In a traditional enterprise, a regular user may go to a service desk portal and request that a marketing campaign application be deployed. The admin might create one or more VMs, set up the app, and turn it over to the Line of Business user. In this case we don't want every VM to stay assigned to admins only, since this will create issues with billing etc.
  2. A developer has a bunch of VMs and leaves the team/company, but the manager wants to retain those work VMs or reassign them to another developer.

Scope

Say we have the following domains and subdomains - Root/Domain1, Root/Domain2, Root/Domain1/Subdomain1 and Root/Domain1/Subdomain2.

Root admin should be allowed to move User VMs from:

  • account in ROOT to account in Domain1
  • account in Domain1 to account in Domain2
  • account in Domain1 to account in Subdomain1
  • account in Domain1 to an account in the subdomain of Subdomain1
    • any level in the domain chain will be allowed
  • account in Subdomain1 to account in Domain1 
    • any level in the domain chain will be allowed

The above means a ROOT admin can move VMs between any two accounts.

A Domain admin, for example the Domain admin of Domain1, should be allowed to move User VMs from:

  • account in Domain1 to account in Subdomain1
  • account in Subdomain1 to account in Subdomain2 

The above means a Domain admin can move VMs between two accounts that are in the domain path.
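The scope rules above can be modelled as a small authorization check. This is an added example, not CloudStack code: the `Account` class, the role names and the function names are hypothetical, domain paths are written as on this page, and "in the domain path" is read as "inside the calling admin's own domain subtree". It covers scope only, not the VM state, project, limit and rule checks.

```python
from dataclasses import dataclass

# Hypothetical role names for this example.
ROOT_ADMIN, DOMAIN_ADMIN, USER = "root-admin", "domain-admin", "user"

@dataclass(frozen=True)
class Account:
    name: str
    domain: str          # e.g. "Root/Domain1/Subdomain1"
    role: str = USER

def path_parts(path):
    # Compare whole components: a plain string-prefix test would treat
    # "Root/Domain1" as a parent of "Root/Domain10".
    return tuple(p for p in path.strip("/").split("/") if p)

def in_subtree(domain, ancestor):
    """True if `domain` is `ancestor` itself or lies anywhere below it."""
    d, a = path_parts(domain), path_parts(ancestor)
    # An empty ancestor path matches nothing, so a malformed admin record fails closed.
    return bool(a) and len(d) >= len(a) and d[:len(a)] == a

def may_move_vm(caller, current_owner, new_owner):
    """Scope check for reassigning a User VM from current_owner to new_owner."""
    if caller.role == ROOT_ADMIN:
        return True      # ROOT admin: any two accounts
    if caller.role == DOMAIN_ADMIN:
        # Both ends of the move must sit inside the caller's domain subtree.
        return (in_subtree(current_owner.domain, caller.domain)
                and in_subtree(new_owner.domain, caller.domain))
    return False         # the page grants this only to Root/Domain admins

if __name__ == "__main__":
    # Constructed sample accounts using the domains named in Scope.
    admin1 = Account("admin1", "Root/Domain1", DOMAIN_ADMIN)
    src = Account("dev-a", "Root/Domain1/Subdomain1")
    for dst_domain in ("Root/Domain1/Subdomain2", "Root/Domain2", "Root/Domain10"):
        dst = Account("dev-b", dst_domain)
        print(dst_domain, "->", may_move_vm(admin1, src, dst))
```
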

Keeping with the current behavior in CloudStack,

  • If VM is in Running state then fail the request
  • If VM belongs to a project then fail the request
  • If moving the VM would push the account the VM is being moved to over its account limits (CPU, RAM size) then fail the request
  • If VM has any PF/LB/Static NAT rules present then fail the request
  • All volumes attached to the VM will be moved to the new owner
    • If the volumes are not within the resource limits of the account the VM is being moved to then fail the request 
  • All existing snapshots of the volumes attached to VM will be marked as removed
  • If the account the VM is being moved to doesn't have access to the VM template then fail the request
  • If the account the VM is being moved to has no guest networks then create a new network

Web Services APIs

  • There will not be any API changes, as the existing assignVirtualMachine API will be used to move the User VM between accounts under different domains.

DB

  • No DB changes

UI

  • No UI changes 

2 Comments

  1. Or better to call the fs as change VMs ownership?