[one-users] OpenNebula and authorization

Carlos Martín Sánchez cmartin at opennebula.org
Tue May 3 07:09:28 PDT 2011


Hi Lars,

The functionality you are describing will be available for the next release.

Our first idea is to have a main group and many secondary ones for each
user; the rest of the resources will belong only to one group.
We'll implement an ACL system to allow fine-tuning of the permissions.


If you need to implement it for 2.2, I'd suggest a workaround in the
authorization module.

The VNET, Image and VM templates can contain arbitrary data to store group
information, but new data cannot be added once the resource is created (with
the exception of Images). So the resource-group association will be better
managed in an external DB, which shouldn't be problematic since all
OpenNebula resources are identified by a unique ID.

About the creation and management of groups, it could be done totally
independent from OpenNebula, as long as the data is stored in a DB accessible
from the authorization driver. If the driver is written in Ruby, the Sequel
gem can take care of both sqlite and mysql connections.

The main problem with this workaround is that users will be able to list and
see all resources, without a way to identify which ones are available for
them.
This could be tackled by modifying the onevm, oneimage and onevnet commands.
Since these files are just ruby scripts, you could read your permissions DB
and add a new column to the resources table showing the group(s) they belong
to. Or even hide some of the resources.

For the external DB, sqlite should do just fine. I believe you can even
protect it by setting the file to be read-only for the users executing the
onevm/oneimage commands, and writable for oneadmin.


Best regards,
Carlos.

--
Carlos Martín, MSc
Project Major Contributor
OpenNebula - The Open Source Toolkit for Cloud Computing
www.OpenNebula.org <http://www.opennebula.org/> | cmartin at opennebula.org


On Thu, Apr 28, 2011 at 6:13 PM, Lars Kellogg-Stedman <lars at seas.harvard.edu> wrote:

> We're looking at using OpenNebula to support courses in our CS area.
> This will ultimately require some form of group-based authorization,
> so that we can restrict control over vm instances to specific groups
> of students, and so that we can restrict access to disk images to
> particular classes.  There's no support for this out of the box, and
> more importantly there's no support in the API [that I have been able
> to find] for associating arbitrary metadata with objects in
> OpenNebula.  Before we start down the road of trying to implement
> something that meets our needs, I'm curious if anyone else has
> implemented something that we could either use or at least use as a
> model.
>
> Ideally, we want to associate objects (networks, disk images, vm
> instances) with one or more groups, and then use the same backend used
> for authentication to make authorization decisions.  In this case,
> that means we'd be pulling group information out of LDAP.
>
> Cheers,
>
> --
> Lars Kellogg-Stedman <lars at seas.harvard.edu>
> Senior Technologist
> Harvard University SEAS
> Academic and Research Computing (ARC)
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
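
The following is an added example sketching the group-based authorization workaround Carlos outlines above (an external resource-to-group table consulted from the auth driver, plus a filter the modified onevm/oneimage/onevnet commands could use). It is not OpenNebula code and not part of the original thread. Assumptions made for the example: the authorization tokens are taken to be OBJECT:ID:OPERATION (the real 2.2 driver protocol differs in detail), the permissions DB and the LDAP group lookup are replaced by constructed in-memory Hashes (a real driver would read the rows through the Sequel gem as suggested), and "oneadmin" is treated as an unconditional bypass. The decision is deny-by-default: a resource that has no row in the table is visible only to oneadmin, so a forgotten entry cannot silently expose one class's image to every other class.

```ruby
require 'set'

ADMIN_USER = 'oneadmin'.freeze

# Constructed sample data standing in for the external permissions DB.
# In the real workaround these would be rows in sqlite/mysql, read with
# the Sequel gem; the Hashes keep this example self-contained.
RESOURCE_GROUPS = {
  ['IMAGE', 7]  => Set['cs50'],
  ['IMAGE', 9]  => Set['cs50', 'cs61'],
  ['NET',   3]  => Set['cs61'],
  ['VM',    12] => Set['cs50'],
}.freeze

# Group membership per user (in the setup above this would come from LDAP).
USER_GROUPS = {
  'alice' => Set['cs50'],
  'bob'   => Set['cs61'],
}.freeze

OBJECT_TYPES = %w[VM IMAGE NET].freeze

# One authorization token. The OBJECT:ID:OPERATION layout is an
# assumption made for this example, not the exact driver protocol.
Request = Struct.new(:object, :id, :op)

# Parse a token strictly; anything unexpected yields nil, which the
# caller treats as a denial rather than guessing.
def parse_request(token)
  parts = token.to_s.split(':', -1)
  return nil unless parts.size == 3
  object, id, op = parts
  return nil unless OBJECT_TYPES.include?(object)
  return nil unless id.match?(/\A\d+\z/) && !op.empty?
  Request.new(object, Integer(id, 10), op)
end

# Decide one request. Deny by default: a resource with no row in the
# DB is visible to nobody but oneadmin.
def allowed?(user, req, resource_groups: RESOURCE_GROUPS, user_groups: USER_GROUPS)
  return true if user == ADMIN_USER
  groups = resource_groups[[req.object, req.id]]
  return false if groups.nil?
  !(groups & user_groups.fetch(user, Set.new)).empty?
end

# An AUTHORIZE call can carry several tokens (e.g. the VM, its image and
# its network); every one of them must pass, and a malformed token fails
# the whole request.
def authorize(user, tokens, **tables)
  reqs = tokens.map { |t| parse_request(t) }
  return [false, 'malformed request'] if reqs.any?(&:nil?)
  denied = reqs.reject { |r| allowed?(user, r, **tables) }
  return [true, nil] if denied.empty?
  [false, 'denied: ' + denied.map { |r| r.to_a.join(':') }.join(' ')]
end

# Filter for a modified onevm/oneimage/onevnet listing: keep only the IDs
# the user's groups are entitled to see.
def visible_ids(user, object, ids, **tables)
  ids.select { |id| allowed?(user, Request.new(object, id, 'INFO'), **tables) }
end

if __FILE__ == $PROGRAM_NAME
  puts authorize('alice', ['VM:12:MANAGE', 'IMAGE:7:USE']).inspect
  puts authorize('bob', ['IMAGE:7:USE']).inspect
  puts visible_ids('bob', 'IMAGE', [7, 9, 10]).inspect
end
```

The same `allowed?` check serves both the driver's AUTHORIZE path and the listing filter, so the CLI never shows a resource the driver would later refuse; the `resource_groups:`/`user_groups:` keywords exist so the tables can be swapped for real DB-backed lookups without touching the decision logic.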