[one-users] ACLs and CONTEXT parameters

Ruben S. Montero rsmontero at opennebula.org
Fri Oct 26 08:42:40 PDT 2012


Hi

Not all CONTEXT attributes are restricted; it is only FILES. So we only let
oneadmin use CONTEXT/FILES. The rationale behind this is that CONTEXT/FILES
means accessing the filesystem using oneadmin privileges, and so you can
use:

CONTEXT = [
  FILES = "/var/lib/one/one.db /etc/passwd"
]

and now you have access to the whole one.db or passwd file of the frontend.

However, this may be safe depending on your setup, e.g. if you only let users
access through EC2 or OCCI...

If you can live with that, simply drop the

VM_RESTRICTED_ATTR = "CONTEXT/FILES"

in oned.conf.

Cheers

Ruben

On Fri, Oct 26, 2012 at 2:53 PM, Steffen Claus <
steffen.claus at scai.fraunhofer.de> wrote:

> Hi,
> I have a general question regarding the handling of VM-templates with
> CONTEXT parameters.
> I know that the owner has to be either "oneadmin" or a member of the
> "oneadmin" group.
> Since ONE 3.4 it is possible to grant USE-rights on such templates for
> normal users.
> So far, so good.
>
> But now I would also like to change the owner of the template to a normal
> user. Why is this not possible? What are the main concerns that led to the
> decision to only allow "oneadmin" to define CONTEXT parameters,
> respectively, possess templates with such parameters? Are there any best
> practices on how to handle this problem?
>
> BR,
> Steffen Claus
>
>
>
> --
> Steffen Claus
>
> Fraunhofer-Institut für Algorithmen und Wissenschaftliches Rechnen (SCAI)
> Schloss Birlinghoven
> D-53754 Sankt Augustin
> Tel: +49 2241 14-2511
> steffen.claus at scai.fraunhofer.de
> http://www.scai.fraunhofer.de
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>



-- 
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
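As an added illustration of the check the reply describes (this is example code written for this thread, not OpenNebula's own implementation): a small parser for the template syntax shown above, plus a function that applies a VM_RESTRICTED_ATTR-style list to a template and rejects restricted attributes for any owner other than oneadmin. The function names and the sample template are assumptions constructed for this example.

```python
import re

# Restricted attribute paths, mirroring the oned.conf default quoted in the
# reply: VM_RESTRICTED_ATTR = "CONTEXT/FILES". Assumed names, not OpenNebula's.
RESTRICTED_ATTRS = ["CONTEXT/FILES"]
ADMIN_USER = "oneadmin"

_SECTION_RE = re.compile(r'(\w+)\s*=\s*\[(.*?)\]', re.S)
_PAIR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_template(text):
    """Parse the simple template syntax (`KEY = "v"` and `SECTION = [ ... ]`)
    into a dict; vector attributes become nested dicts. Keys are upper-cased."""
    tpl = {}
    for m in _SECTION_RE.finditer(text):
        name, body = m.group(1).upper(), m.group(2)
        tpl[name] = {k.upper(): v for k, v in _PAIR_RE.findall(body)}
    # Whatever is left after removing the vector sections is a plain attribute.
    for k, v in _PAIR_RE.findall(_SECTION_RE.sub('', text)):
        tpl[k.upper()] = v
    return tpl


def restricted_violations(template, owner, restricted=RESTRICTED_ATTRS):
    """Return the restricted attribute paths that `owner` is not allowed to set.
    oneadmin may set anything (the files are read with its privileges anyway);
    every other owner is denied each path in `restricted` that the template uses."""
    if owner == ADMIN_USER:
        return []
    tpl = parse_template(template)
    hits = []
    for path in restricted:
        section, _, key = path.partition('/')
        value = tpl.get(section)
        if key:  # "SECTION/KEY": restricted only if that key is inside the vector
            if isinstance(value, dict) and key in value:
                hits.append(path)
        elif value is not None:  # bare "ATTR": any use of the attribute is restricted
            hits.append(path)
    return hits


# Constructed sample template, using the FILES value quoted in the reply.
SAMPLE_TEMPLATE = '''
NAME = "ctx-test"
CONTEXT = [
  HOSTNAME = "vm1",
  FILES = "/var/lib/one/one.db /etc/passwd"
]
'''
```

Running `restricted_violations(SAMPLE_TEMPLATE, "alice")` reports `CONTEXT/FILES`, while the same template owned by `oneadmin` passes; dropping `CONTEXT/FILES` from the list reproduces the relaxed setup the reply mentions.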