[one-users] opennebula 1.4 beta, installation

Ruben S. Montero rubensm at dacya.ucm.es
Fri Jul 31 16:40:41 PDT 2009


Hi

This is very interesting indeed. Some thoughts on the multi-user approach:

* Our first option was to use the Unix accounts and authentication
mechanisms to provide multi-user support. In fact the core is ready to
launch per-user drivers through sudo. In this way the users would
interact with the underlying subsystem (including file access) with
their own identity.

  - Pros. fine-grain control for access rights, including ownership of
VM images; and as you suggest a more natural way for Sven and Eduard
to interact with the system.

  - Cons. The authentication mechanism is not so simple. Note that we
have a separate server, so we have to verify the user identity,
server-side (apart from stating so in the xml-rpc request). This would
typically require a credential agent or some kind of mechanism to
challenge the UNIX identity. Moreover, you have to configure all the
nodes with the accounts in the front-end and those accounts to access
the nodes (ssh keys, hypervisors...).

* We tried to follow a KISS approach, we may have failed ;), and use
just a single oneadmin account to perform all the underlying operations
(file movement, VM management, monitoring...). We may still use the UNIX
accounts but again the authentication mechanism with the xml-rpc
server is not straightforward.

* Then more and more people wanted to use OpenNebula as their Cloud
engine. In this scenario you may want to share your infrastructure
with other people. If we preserve the UNIX mechanism we have to either
make a mapping between external users and local accounts (which makes
accounting a nightmare) or create a unix account for every single
external user (which does not scale).

So our requirements:

- Keep the administration work of the cluster simple
- Keep the installation and configuration simple
- Keep the use of OpenNebula simple
- Keep the sharing of the infrastructure simple

We think that the current multi-user implementation meets the previous
requirements as:
- you just have to deal with oneadmin to do the low-level work
- you do not need to add additional services to perform user
authentication, and still use a "secure" mechanism
- you do not  need to generate keys or certificates for every single user
- you can easily add more users and keep track of their activities and
check access rights (now Sven can only access his VMs and networks and
not Eduard's)

Sorry for the long mail but I hope that now some of our design
decisions are clearer. Thanks again for your feedback!

Cheers

Ruben

PS: We can easily add a flag to bypass the authentication system and
behave as you request. But in this case, any request stating that it
comes from Sven will be automatically trusted without any further
test. Does it make sense in your setup?


On Fri, Jul 31, 2009 at 8:39 PM, Sven Oostenbrink <sven at kionetworks.com> wrote:
> Hi Tino,
>
> Comments inline as well...
>
> On Fri, Jul 31, 2009 at 11:58 AM, Tino Vazquez <tinova at fdi.ucm.es> wrote:
>>
>> Hi Sven,
>>
>> comments inline,
>>
>>
>> On Fri, Jul 31, 2009 at 6:42 PM, Sven Oostenbrink <sven at kionetworks.com>
>> wrote:
>> > Tino,
>> >
>> > Thanks for the info! After some searching I already found it and
>> > opennebula 1.4 works fine now. Since I got directly on the installation
>> > guide, at first I didn't see it..
>> >
>> > One other commentary: I finally found the solution to the $ONE_AUTH
>> > problem (was not defined) but it was a bit tricky to find. Maybe you can
>> > also add some info about that on the installation guide?
>>
>> We see that as configuration, thus part of the configuration guide
>> (http://opennebula.org/doku.php?id=documentation:rel1.4:cg)
>
> I agree, it would be configuration, but I imagine people like me (no comment
> there) go over the installation guide, it works and then you onehost list
> and boom, there is a ONE_AUTH error and... how? what? where?  Maybe you
> could add just a small notice about it and a link pointing to the
> configuration page? In any case, it's not for me, I get it already, just for
> other new users that may run into the same problem.
>
>>
>>
>> >
>> > Another question.. Why does opennebula have its own user management
>> > system? Why is it not using the user management of the underlying
>> > operating system, which would not require an extra thing to manage?
>>
>> Very good question, indeed. Probably the main reason is to avoid the
>> need to create one OS user for each OpenNebula user.
>
> Umm, that would not make sense, would it? As I understand it, I control
> opennebula from a shell, from a user, already. Like that, it would be like
> me (sven) entering in a shell as user sven, and then access onehost, but if
> my co-worker eduard wants to access it, he would access it from my shell as
> well? No, he would also have his own account to access that server in the
> first place, and with that there is already a user for him, no?
>
> Not sure if I make sense here, but well.. It'd be very nice if (in a future
> version?) I could have opennebula just follow the current shell user. If I
> (Sven) access opennebula, I can only modify VMs created by user sven and if
> Eduard accesses it, he can only access his servers..
>
> Cheers!
>
>>
>> >
>> > Keep up the good work!
>>
>> Thanks a lot for the feedback, we really appreciate it.
>>
>> Regards,
>>
>> -T
>> >
>> > Sven
>> >
>> > On Fri, Jul 31, 2009 at 5:39 AM, Tino Vazquez <tinova at fdi.ucm.es> wrote:
>> >>
>> >> Hi Sven,
>> >>
>> >> We have a list of needed packages in the platform notes page [1].
>> >> Could you please check that your package is indeed listed?
>> >>
>> >> We added a link to the platform notes page in the installation guide
>> >> so people can check that first.
>> >>
>> >> Thanks a lot for the feedback, we appreciate it.
>> >>
>> >> Best regards,
>> >>
>> >> -Tino
>> >>
>> >> [1] http://www.opennebula.org/doku.php?id=documentation:rel1.4:notes
>> >>
>> >> --
>> >> Constantino Vázquez, Grid Technology Engineer/Researcher:
>> >> http://www.dsa-research.org/tinova
>> >> DSA Research Group: http://dsa-research.org
>> >> Globus GridWay Metascheduler: http://www.GridWay.org
>> >> OpenNebula Virtual Infrastructure Engine: http://www.OpenNebula.org
>> >>
>> >>
>> >>
>> >> On Thu, Jul 30, 2009 at 9:54 PM, Sven Oostenbrink<sven at kionetworks.com>
>> >> wrote:
>> >> >
>> >> > I'm installing opennebula 1.4 beta on ubuntu 9.04. I just submitted an
>> >> > error report from scons about xmlrpc-c test. Looked like it was caused
>> >> > by a missing g++ package. I installed the package and it passed the test
>> >> > but it failed on a couple of other packages.
>> >> >
>> >> > I would recommend that you add a list of needed packages (for the
>> >> > various operating systems) so that anybody wanting to install it at
>> >> > least will know what the prerequisites are. It would be nice if that
>> >> > list could be added to this wiki page :
>> >> > http://www.opennebula.org/doku.php?id=documentation:rel1.4:ignc
>> >> >
>> >> > Cheers,
>> >> >
>> >> > --
>> >> > Sven Oostenbrink
>> >> > Administrador LINUX Torre UNIX/Q, KIO Networks
>> >> >
>> >> > NOC:  01-800-5 CALL-KIO
>> >> >
>> >> > www.kionetworks.com
>> >> > www.trustmeitsnotmagic.com
>> >> >
>> >> > This message is confidential. If you are not the intended recipient of
>> >> > this message, we ask that you notify the sender by e-mail and delete
>> >> > this message and its attachments from your computer without retaining
>> >> > a copy. You must not copy this message or use it for any purpose, nor
>> >> > disclose its contents. KIO Networks reserves the right to monitor all
>> >> > e-mail communications (whether related to KIO Networks or not) that
>> >> > are transmitted through its system. Thank you.
>> >> >
>> >> > This email is confidential and may also be privileged. If you are not
>> >> > the intended recipient please immediately advise the sender by reply
>> >> > e-mail and delete this message and its attachments from your computer
>> >> > without retaining a copy. You should not copy it or use it for any
>> >> > purpose nor disclose its contents to any other person. KIO Networks
>> >> > reserves the right to monitor all email communications (whether
>> >> > related to the business of KIO Networks or not) through its networks.
>> >> > Thank you.
>> >> >
>> >> > _______________________________________________
>> >> > Users mailing list
>> >> > Users at lists.opennebula.org
>> >> > http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>> >> >
>> >> >
>> >
>> >
>> >
>
>
>



-- 
+---------------------------------------------------------------+
 Dr. Ruben Santiago Montero
 Associate Professor
 Distributed System Architecture Group (http://dsa-research.org)

 URL:    http://dsa-research.org/doku.php?id=people:ruben
 Weblog: http://blog.dsa-research.org/?author=7

 GridWay, http://www.gridway.org
 OpenNebula, http://www.opennebula.org
+---------------------------------------------------------------+
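To make the trade-off in the PS concrete (server-side verification of the identity asserted in a request versus trusting it outright, plus the per-user ownership check that keeps Sven out of Eduard's VMs), here is a small added model, written for this thread rather than taken from OpenNebula. It assumes a session string of the form `user:secret` (the shape of a `$ONE_AUTH`-style credential is an assumption) and a constructed in-memory user and VM table.

```python
import hashlib
import hmac
import secrets

# Constructed user table kept by the front-end itself, independent of the
# OS accounts. Passwords are stored as salted SHA-256 digests (an
# illustrative choice; the thread does not say how OpenNebula stores them).
USERS = {}


def add_user(name, password):
    salt = secrets.token_hex(8)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    USERS[name] = (salt, digest)


def authenticate(session, bypass=False):
    """Return the verified user name for a 'user:secret' session string,
    or None. With bypass=True the claimed name is trusted without any test,
    which is exactly the flag discussed in the PS."""
    name, _, secret = session.partition(":")
    if name not in USERS:
        return None
    if bypass:
        return name  # identity asserted in the request is taken at face value
    salt, digest = USERS[name]
    candidate = hashlib.sha256((salt + secret).encode()).hexdigest()
    # constant-time comparison so a wrong secret does not leak by timing
    return name if hmac.compare_digest(candidate, digest) else None


# Constructed VM ownership table: vm id -> owner.
VMS = {1: "sven", 2: "eduard"}


def vm_action(session, vm_id, bypass=False):
    """Authorize an action on a VM: authenticate first, then check ownership."""
    user = authenticate(session, bypass)
    if user is None:
        return "AUTH_FAILURE"
    if VMS.get(vm_id) != user:
        return "DENIED"  # Sven cannot touch Eduard's VM even when authenticated
    return "OK"


add_user("sven", "s3cret")
add_user("eduard", "other")
```

With the bypass flag on, a request carrying `sven:anything` is accepted for Sven's VMs, which is the behaviour the PS asks about.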

