[one-users] ACLs and CONTEXT parameters
Steffen Claus
steffen.claus at scai.fraunhofer.de
Mon Oct 29 08:21:57 PDT 2012
Hi,
of course, you're right. Allowing users to define the FILES is a potential security issue.
It would still be nice to enable users to update the other template parameters (e.g. image ID).
I know that this is way more complicated, as each individual parameter would have to be checked.
BR,
Steffen
----- Original message -----
> Hi
> Not all CONTEXT attributes are restricted, it is only FILES. So we
> only let oneadmin use CONTEXT/FILES. The rationale behind this is
> that CONTEXT/FILES means accessing the filesystem using oneadmin
> privileges, and so you can use:
> CONTEXT= [
> FILES = "/var/lib/one/one.db /etc/passwd"
> ]
> and now you have access to the whole one.db or passwd file of the
> frontend.
> However this maybe safe depending on your setup, e.g. you only let
> users access through EC2 or OCCI...
> If you can live with that, simply drop the
> VM_RESTRICTED_ATTR = "CONTEXT/FILES"
> in oned.conf
> Cheers
> Ruben
> On Fri, Oct 26, 2012 at 2:53 PM, Steffen Claus <steffen.claus at scai.fraunhofer.de> wrote:
> > Hi,
> > I have a general question regarding the handling of VM templates with CONTEXT parameters.
> > I know that the owner has to be either "oneadmin" or a member of the "oneadmin" group.
> > Since ONE 3.4 it is possible to grant USE rights on such templates for normal users.
> > So far, so good.
> > But now I would also like to change the owner of the template to a normal user. Why is this not possible? What are the main concerns that led to the decision to only allow "oneadmin" to define CONTEXT parameters, respectively, possess templates with such parameters? Are there any best practices for handling this problem?
> > BR,
> > Steffen Claus
> > --
> > Steffen Claus
> > Fraunhofer-Institut für Algorithmen und Wissenschaftliches Rechnen (SCAI)
> > Schloss Birlinghoven
> > D-53754 Sankt Augustin
> > Tel: +49 2241 14-2511
> > steffen.claus at scai.fraunhofer.de
> > http://www.scai.fraunhofer.de
> --
> Ruben S. Montero, PhD
> Project co-Lead and Chief Architect
> OpenNebula - The Open Source Solution for Data Center Virtualization
> www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
--
Steffen Claus
Fraunhofer-Institut für Algorithmen und Wissenschaftliches Rechnen (SCAI)
Schloss Birlinghoven
D-53754 Sankt Augustin
Tel: +49 2241 14-2511
steffen.claus at scai.fraunhofer.de
http://www.scai.fraunhofer.de
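A defender-side check for the concern raised in this thread, added here as an example that is not part of the original thread or of OpenNebula itself: it parses a VM template's CONTEXT/FILES with a simplified parser (one CONTEXT block, double-quoted FILES value, whitespace-separated paths, as in Ruben's example) and reports every path that is not below an administrator-chosen directory. ALLOWED_ROOT and both sample templates are constructed for the example.

```python
import posixpath
import re

# Directory the frontend administrator allows user-owned templates to reference.
# Hypothetical value; the thread names no such directory.
ALLOWED_ROOT = "/var/lib/one/context-files"

_CONTEXT_RE = re.compile(r"CONTEXT\s*=\s*\[(.*?)\]", re.S | re.I)
_FILES_RE = re.compile(r'FILES\s*=\s*"([^"]*)"', re.I)

def context_files(template: str) -> list[str]:
    """Return the paths listed in CONTEXT/FILES of an OpenNebula VM template.
    Simplified parser: first CONTEXT block only, FILES value double-quoted,
    paths separated by whitespace (the form shown in the thread)."""
    m = _CONTEXT_RE.search(template)
    if not m:
        return []
    f = _FILES_RE.search(m.group(1))
    return f.group(1).split() if f else []

def disallowed_files(template: str, root: str = ALLOWED_ROOT) -> list[str]:
    """Paths in CONTEXT/FILES that do not stay below `root` after normalisation.
    normpath keeps the check offline and catches '..' traversal; on a live
    frontend resolve symlinks with os.path.realpath before comparing, or a
    link placed under `root` could still point at one.db or /etc/passwd."""
    bad = []
    for p in context_files(template):
        full = p if p.startswith("/") else posixpath.join(root, p)
        norm = posixpath.normpath(full)
        if posixpath.commonpath([root, norm]) != root:
            bad.append(p)
    return bad

# Constructed sample templates: one staying inside ALLOWED_ROOT, one not.
SAFE_TEMPLATE = """
CONTEXT = [
  NETWORK = "YES",
  FILES = "/var/lib/one/context-files/init.sh /var/lib/one/context-files/id_rsa.pub"
]
"""
UNSAFE_TEMPLATE = """
CONTEXT = [
  FILES = "/var/lib/one/one.db /etc/passwd /var/lib/one/context-files/../../../../etc/passwd"
]
"""

if __name__ == "__main__":
    print(disallowed_files(SAFE_TEMPLATE))    # []
    print(disallowed_files(UNSAFE_TEMPLATE))  # the three paths outside ALLOWED_ROOT
```

Such a check only makes sense as an alternative to keeping VM_RESTRICTED_ATTR = "CONTEXT/FILES" in oned.conf; with the restriction in place, non-oneadmin users cannot set FILES at all.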