[one-users] ACLs and CONTEXT parameters

Steffen Claus steffen.claus at scai.fraunhofer.de
Mon Oct 29 08:21:57 PDT 2012


Hi, 
of course, you're right. Allowing users to define the FILES is a potential security issue. 
It would still be nice to enable users to update the other template parameters (e.g. image ID). 

I know that this is way more complicated, as each individual parameter would have to be checked. 

BR, 
Steffen 

----- Original Message -----

> Hi

> Not all CONTEXT attributes are restricted, it is only FILES. So we
> only let oneadmin use CONTEXT/FILES. The rationale behind this is
> that CONTEXT/FILES means accessing the filesystem using oneadmin
> privileges, and so you can use:

> CONTEXT= [
> FILES = "/var/lib/one/one.db /etc/passwd"
> ]

> and now you have access to the whole one.db or passwd file of the
> frontend.

> However this may be safe depending on your setup, e.g. you only let
> users access through EC2 or OCCI...

> If you can live with that, simply drop the

> VM_RESTRICTED_ATTR = "CONTEXT/FILES"

> in oned.conf

> Cheers

> Ruben

> On Fri, Oct 26, 2012 at 2:53 PM, Steffen Claus <
> steffen.claus at scai.fraunhofer.de > wrote:

> > Hi,
> 
> > I have a general question regarding the handling of VM-templates with
> > CONTEXT parameters.
> 
> > I know that the owner has to be either "oneadmin" or a member of the
> > "oneadmin" group.
> 
> > Since ONE 3.4 it is possible to grant USE-rights on such templates
> > for normal users.
> 
> > So far, so good.
> 

> > But now I would also like to change the owner of the template to a
> > normal user. Why is this not possible? What are the main concerns
> > that led to the decision to only allow "oneadmin" to define CONTEXT
> > parameters, respectively, possess templates with such parameters?
> > Are there any best practices for handling this problem?
> 

> > BR,
> 
> > Steffen Claus
> 

> > --
> 
> > Steffen Claus
> 

> > Fraunhofer-Institut für Algorithmen und Wissenschaftliches Rechnen
> > (SCAI)
> 
> > Schloss Birlinghoven
> 
> > D-53754 Sankt Augustin
> 
> > Tel: +49 2241 14-2511
> 
> > steffen.claus at scai.fraunhofer.de
> 
> > http://www.scai.fraunhofer.de
> 
> > _______________________________________________
> 
> > Users mailing list
> 
> > Users at lists.opennebula.org
> 
> > http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
> 

> --
> Ruben S. Montero, PhD
> Project co-Lead and Chief Architect
> OpenNebula - The Open Source Solution for Data Center Virtualization
> www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula

-- 

Steffen Claus 

Fraunhofer-Institut für Algorithmen und Wissenschaftliches Rechnen (SCAI) 
Schloss Birlinghoven 
D-53754 Sankt Augustin 
Tel: +49 2241 14-2511 
steffen.claus at scai.fraunhofer.de 
http://www.scai.fraunhofer.de 
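The policy discussed in this thread, as an added illustration that is not OpenNebula's own code: a small Python emulation of the VM_RESTRICTED_ATTR check. It parses a VM template written in the `ATTR = [ SUB = "value", ... ]` syntax shown above, flags any attribute listed as restricted (the quoted default is `CONTEXT/FILES`), and lets it through only when the submitting user is in the oneadmin group. The template, the group list, the parser and the function names are all constructed for this example; the real daemon parses templates with its own grammar and evaluates ownership and ACLs in more detail than this.

```python
"""Toy emulation of oned's VM_RESTRICTED_ATTR policy (added example, not project code).

A restricted attribute such as CONTEXT/FILES may only be set by a member of the
oneadmin group, because CONTEXT/FILES is read from the frontend filesystem with
oneadmin privileges.  Every other CONTEXT sub-attribute (and every other template
attribute, e.g. DISK/IMAGE_ID) remains usable by ordinary users.
"""
import re

ONEADMIN_GROUP = "oneadmin"

# Mirrors the oned.conf line quoted in the thread: VM_RESTRICTED_ATTR = "CONTEXT/FILES".
DEFAULT_RESTRICTED = ("CONTEXT/FILES",)

# Vector attribute:  NAME = [ ... ]   (OpenNebula vectors nest only one level)
_VECTOR_RE = re.compile(r'(\w+)\s*=\s*\[([^\]]*)\]', re.S)
# Single pair:       KEY = "quoted" | KEY = unquoted
_PAIR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s\]]+))')


def parse_template(text):
    """Return {ATTR: str} for plain attributes and {ATTR: {SUB: str}} for vectors.

    Simplified parser for illustration only: strips '#' comment lines, then
    pulls out bracketed vectors first so their contents are not mistaken for
    top-level attributes.
    """
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    attrs = {}

    def grab_vector(match):
        name, body = match.group(1).upper(), match.group(2)
        attrs[name] = {k.upper(): (q or u) for k, q, u in _PAIR_RE.findall(body)}
        return ""  # remove the vector from the text handed to the single-pair pass

    remainder = _VECTOR_RE.sub(grab_vector, text)
    for k, q, u in _PAIR_RE.findall(remainder):
        attrs[k.upper()] = q or u
    return attrs


def restricted_violations(attrs, restricted=DEFAULT_RESTRICTED):
    """List the restricted specs ("VECTOR/SUB" or "ATTR") present in a parsed template."""
    found = []
    for spec in restricted:
        top, _, sub = spec.partition("/")
        value = attrs.get(top.upper())
        if sub:
            if isinstance(value, dict) and sub.upper() in value:
                found.append(spec)
        elif value is not None:
            found.append(spec)
    return found


def validate_template(text, user_groups, restricted=DEFAULT_RESTRICTED):
    """Return (accepted, violations).

    Non-oneadmin users are refused if any restricted attribute is set; passing an
    empty `restricted` tuple models dropping VM_RESTRICTED_ATTR from oned.conf.
    """
    violations = restricted_violations(parse_template(text), restricted)
    if violations and ONEADMIN_GROUP not in user_groups:
        return False, violations
    return True, []


# Constructed sample template: an ordinary user tries to pull frontend files into the VM.
SAMPLE_TEMPLATE = '''
NAME   = "leak-test"
CPU    = 1
MEMORY = 512
DISK   = [ IMAGE_ID = 7 ]
CONTEXT = [
  NETWORK = "YES",
  FILES   = "/var/lib/one/one.db /etc/passwd"
]
'''

if __name__ == "__main__":
    print(validate_template(SAMPLE_TEMPLATE, ["users"]))              # refused
    print(validate_template(SAMPLE_TEMPLATE, ["users", "oneadmin"]))  # accepted
    print(validate_template(SAMPLE_TEMPLATE, ["users"], restricted=()))  # accepted: restriction dropped
```

Running the module shows the three outcomes from the thread: the same template is refused for a plain user, accepted for an oneadmin group member, and accepted for everyone once the restriction is removed from the configuration, which is exactly the trade-off Ruben describes.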