[one-users] users can see other VMs, security concern ?

Ruben S. Montero rubensm at dacya.ucm.es
Fri Feb 25 09:30:59 PST 2011


On Fri, Feb 25, 2011 at 4:32 PM, Zeeshan Ali Shah <zashah at pdc.kth.se> wrote:

> Hi Tino,
> I think there is a slight confusion of Private/Public .. I mean Private
> cloud is for Private user such as your employee etc. (not for walking
> customer) .
>
> so in this scenario one user shd not see other user's vm . or even scan
> whole of infrastructure.
>

Probably, we are not following the most accepted notation here, but
OPenNebula in its architecture defines the types of Cloud not based on Who
but on How.

The How. If you are using you infrastructure like a Public Cloud then it is
a public cloud. No matter if its your company's resources or Amazon's if you
apply the same restriction on operations. But if you are doing advance
infrastructure operations like migrating VMs, defining networks based on
your host configuration then that's a private use.

In OpenNebula we have both alternatives, and that is one of its most
powerful features compared with others, basically:

XML-RPC + OCA: It's advance non-abstracted functionality for VM management
EC2 + OCCI: It's a public Cloud interface.

Both interfaces are valid and have no security issues regarding access
rights. You have to choose what interface better suite your users. An
architect your cloud according those requirements.

Sunstone is a grpahical representation of both. This first release will only
cover XML-RPC/OCA interface. We will add features in the next release so you
can expose Sunstone to your public cloud users (You already have elasticfox
for the EC2 now).

>
> for user in linux in case of shared hosting when you have shell access .
> user cannot see processes which are not belong to him.. (If security rightly
> applied).
>
>
Agree but that is equivalent to public cloud users are only accessing a
fraction of a system. If you give an account of your system (no matter if it
is a VM or hosted or physical) then the notion of user sharing the same
system exists and that affects the design of API's and tools. For example
libc will always report information about kernel process, in the same way
XML-RPX will always report information about VMs in oned.


Tino: as you have quite good indepth in coding of One , do you have any flow
> diagram or any other helpful way so that If needed i can extend Authn/Authz
> model for OCA layer.
>

Documentation is always your friend (and sometimes it levels Tino knowledge
;)

http://www.opennebula.org/documentation:rel2.0:auth


>
> --- all comments welcome
>
> Zeeshan
>
>
> On 02/25/2011 03:46 PM, Tino Vazquez wrote:
>
>> Hi Zeeshan, Danny,
>>
>> Sunstone in its current version (coming really soon ;) ) is not a
>> public cloud interface, but rather a private cloud interface. In the
>> future, we plan to add role support, so you can have different views
>> depending on the user.
>>
>> Internal users (private cloud users) can see the global state of the
>> problem, the same way that in a linux OS one user can see other
>> processes with 'ps', or users pf a PBS cluster can see other jobs with
>> a 'qstat'. Although they of course cannot modify each others
>> resources.
>>
>> On the other hand, OCCI and EC2 (public interfaces) _do_ limit the
>> views of the resources.
>>
>> Hope it helps,
>>
>> -Tino
>>
>> --
>> Constantino Vázquez Blanco | dsa-research.org/tinova
>> Virtualization Technology Engineer / Researcher
>> OpenNebula Toolkit | opennebula.org
>>
>>
>>
>> On Fri, Feb 25, 2011 at 3:01 PM, Danny Sternkopf<danny.sternkopf at csc.fi>
>>  wrote:
>>
>>> Yep, it is definately a major security risk.
>>> The sunstone WebGUI has a user limited view in contrast.
>>>
>>>
>>> On 2011-02-25 15:58, Zeeshan Ali Shah wrote:
>>>
>>>> wow, i think user can see each other VM , definately they cannot delete
>>>> them , but they can even look into  other vms with onevm show..
>>>>
>>>> is it normal ?   also user can see onehost list and onevnet show.
>>>>
>>>> which is bit issue as user can poke into infrastructure.
>>>>
>>>> with User i mean , normal user you create with oneuser create command
>>>>
>>>> do these concern a security risk ?
>>>>
>>>>  --
>>> Danny Sternkopf, Systems Specialist, Computing Environments
>>> P.O.Box 405, 02101 Espoo, Finland
>>> tel +358 9 457 2003, fax +358 9 457 2302
>>> Mobile +358 50 381 8569, e-mail danny.sternkopf at csc.fi
>>> CSC - IT center for science, http://www.csc.fi
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>>  _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>
>
> --
> Regards
>
> Zeeshan Ali Shah
> System Administrator
> PDC-Center for High Performance Computing
> KTH-Royal Institute of Technology , Sweden
> +46 8 790 9115
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>



-- 
Dr. Ruben Santiago Montero
Associate Professor (Profesor Titular), Complutense University of Madrid

URL: http://dsa-research.org/doku.php?id=people:ruben
Weblog: http://blog.dsa-research.org/?author=7
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20110225/dcf16ff0/attachment-0002.htm>


More information about the Users mailing list