[one-users] OpenNebula and authorization

Lars Kellogg-Stedman lars at seas.harvard.edu
Thu Apr 28 09:13:21 PDT 2011


We're looking at using OpenNebula to support courses in our CS area.
This will ultimately require some form of group-based authorization,
so that we can restrict control over vm instances to specific groups
of students, and so that we can restrict access to disk images to
particular classes.  There's no support for this out of the box, and
more importantly there's no support in the API [that I have been able
to find] for associating arbitrary metadata with objects in
OpenNebula.  Before we start down the road of trying to implement
something that meets our needs, I'm curious if anyone else has
implemented something that we could either use or at least use as a
model.

Ideally, we want to associate objects (networks, disk images, vm
instances) with one or more groups, and then use the same backend used
for authentication to make authorization decisions.  In this case,
that means we'd be pulling group information out of LDAP.

Cheers,

-- 
Lars Kellogg-Stedman <lars at seas.harvard.edu>
Senior Technologist
Harvard University SEAS
Academic and Research Computing (ARC)
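
A minimal model of the scheme this message describes, added here as an illustration; it is not code from the original post or from OpenNebula. It assumes group membership arrives as groupOfNames-style LDAP entries, and the DNs, group names, object ids, and action names are all constructed for the example.

```python
# Added illustration: group-based authorization for networks, disk images
# and VM instances, with group membership taken from LDAP-style entries.
# Every DN, group name, object id and action name here is constructed.

# Constructed entries standing in for the result of a directory search.
LDAP_GROUPS = [
    {"cn": "cs101", "member": ["uid=alice,ou=people,dc=example,dc=edu",
                               "uid=bob,ou=people,dc=example,dc=edu"]},
    {"cn": "cs246", "member": ["UID=Bob, OU=People, DC=example, DC=edu"]},
    {"cn": "staff", "member": ["uid=carol,ou=people,dc=example,dc=edu"]},
]

# Hypothetical object-to-group associations keyed by (object type, id).
# Each attached group grants a set of actions on that object.
OBJECT_GROUPS = {
    ("image", 12): {"cs101": {"use"}, "staff": {"use", "manage"}},
    ("vm", 40): {"cs246": {"use", "manage"}},
    ("network", 3): {},  # no groups attached: nobody is authorized
}

def normalize_dn(dn):
    """Lower-case the DN and trim spaces around RDNs before comparing.
    Simplification: escaped commas inside values are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def groups_for(user_dn, entries=LDAP_GROUPS):
    """Return the names of all groups whose member list contains user_dn."""
    wanted = normalize_dn(user_dn)
    return {e["cn"] for e in entries
            if wanted in {normalize_dn(m) for m in e.get("member", [])}}

def is_authorized(user_dn, obj, action, acl=OBJECT_GROUPS):
    """Deny by default; allow only if one of the user's groups grants action."""
    grants = acl.get(obj)
    if not grants:  # unknown object, or object with no groups attached
        return False
    return any(action in grants.get(g, ()) for g in groups_for(user_dn))

if __name__ == "__main__":
    bob = "uid=bob,ou=people,dc=example,dc=edu"
    for obj, action in [(("image", 12), "use"), (("image", 12), "manage"),
                        (("vm", 40), "manage"), (("network", 3), "use")]:
        print(obj, action, is_authorized(bob, obj, action))
```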


