[one-users] users can see other VMs, security concern ?

Zeeshan Ali Shah zashah at pdc.kth.se
Fri Feb 25 07:32:37 PST 2011


Hi Tino,
I think there is a slight confusion about Private/Public. I mean, a Private 
cloud is for private users such as your employees etc. (not for walk-in 
customers).

So in this scenario one user should not see another user's VM, or even scan 
the whole infrastructure.

For users in Linux, in the case of shared hosting where you have shell access, 
a user cannot see processes which do not belong to him (if security is 
rightly applied).

Tino: as you have quite good in-depth knowledge of the coding of ONE, do you have any 
flow diagram or other helpful material so that, if needed, I can extend the 
Authn/Authz model for the OCA layer?

--- all comments welcome

Zeeshan

On 02/25/2011 03:46 PM, Tino Vazquez wrote:
> Hi Zeeshan, Danny,
>
> Sunstone in its current version (coming really soon ;) ) is not a
> public cloud interface, but rather a private cloud interface. In the
> future, we plan to add role support, so you can have different views
> depending on the user.
>
> Internal users (private cloud users) can see the global state of the
> problem, the same way that in a Linux OS one user can see other
> processes with 'ps', or users of a PBS cluster can see other jobs with
> 'qstat'. Although they of course cannot modify each other's
> resources.
>
> On the other hand, OCCI and EC2 (public interfaces) _do_ limit the
> views of the resources.
>
> Hope it helps,
>
> -Tino
>
> --
> Constantino Vázquez Blanco | dsa-research.org/tinova
> Virtualization Technology Engineer / Researcher
> OpenNebula Toolkit | opennebula.org
>
>
>
> On Fri, Feb 25, 2011 at 3:01 PM, Danny Sternkopf<danny.sternkopf at csc.fi>  wrote:
>> Yep, it is definitely a major security risk.
>> The Sunstone WebGUI has a user-limited view, in contrast.
>>
>>
>> On 2011-02-25 15:58, Zeeshan Ali Shah wrote:
>>> Wow, I think users can see each other's VMs. Definitely they cannot delete
>>> them, but they can even look into other VMs with onevm show..
>>>
>>> Is it normal? Also a user can see onehost list and onevnet show.
>>>
>>> which is a bit of an issue as a user can poke into the infrastructure.
>>>
>>> With "user" I mean a normal user you create with the oneuser create command.
>>>
>>> Are these a security risk?
>>>
>> --
>> Danny Sternkopf, Systems Specialist, Computing Environments
>> P.O.Box 405, 02101 Espoo, Finland
>> tel +358 9 457 2003, fax +358 9 457 2302
>> Mobile +358 50 381 8569, e-mail danny.sternkopf at csc.fi
>> CSC - IT center for science, http://www.csc.fi
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>


-- 
Regards

Zeeshan Ali Shah
System Administrator
PDC-Center for High Performance Computing
KTH-Royal Institute of Technology , Sweden
+46 8 790 9115