[one-users] users can see other VMs, security concern ?

Tino Vazquez tinova79 at gmail.com
Fri Feb 25 06:46:22 PST 2011

Hi Zeeshan, Danny,

Sunstone in its current version (coming really soon ;) ) is not a
public cloud interface, but rather a private cloud interface. In the
future, we plan to add role support, so you can have different views
depending on the user.

Internal users (private cloud users) can see the global state of the
problem, the same way that in a linux OS one user can see other
processes with 'ps', or users pf a PBS cluster can see other jobs with
a 'qstat'. Although they of course cannot modify each others

On the other hand, OCCI and EC2 (public interfaces) _do_ limit the
views of the resources.

Hope it helps,


Constantino Vázquez Blanco | dsa-research.org/tinova
Virtualization Technology Engineer / Researcher
OpenNebula Toolkit | opennebula.org

On Fri, Feb 25, 2011 at 3:01 PM, Danny Sternkopf <danny.sternkopf at csc.fi> wrote:
> Yep, it is definately a major security risk.
> The sunstone WebGUI has a user limited view in contrast.
> On 2011-02-25 15:58, Zeeshan Ali Shah wrote:
>> wow, i think user can see each other VM , definately they cannot delete
>> them , but they can even look into  other vms with onevm show..
>> is it normal ?   also user can see onehost list and onevnet show.
>> which is bit issue as user can poke into infrastructure.
>> with User i mean , normal user you create with oneuser create command
>> do these concern a security risk ?
> --
> Danny Sternkopf, Systems Specialist, Computing Environments
> P.O.Box 405, 02101 Espoo, Finland
> tel +358 9 457 2003, fax +358 9 457 2302
> Mobile +358 50 381 8569, e-mail danny.sternkopf at csc.fi
> CSC - IT center for science, http://www.csc.fi
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org

More information about the Users mailing list