[one-users] ACLs and CONTEXT parameters

Ruben S. Montero rsmontero at opennebula.org
Mon Oct 29 08:45:38 PDT 2012


Hi,

Our approach will be to implement a File Datastore, where users can store
files, share them... The files will be used in context using the
IMAGE_ID/IMAGE_NAME in the Datastore. This datastore will be used also to
store kernels and ramdisks...

Cheers

Ruben

On Mon, Oct 29, 2012 at 4:21 PM, Steffen Claus <
steffen.claus at scai.fraunhofer.de> wrote:

> Hi,
> of course, you're right. Allowing users to define the FILES is a potential
> security issue.
> It would still be nice to enable users to update the other template
> parameters (e.g. image ID).
>
> I know that this is way more complicated, as each individual parameter
> would have to be checked.
>
> BR,
> Steffen
>
> ------------------------------
>
> Hi
>
> Not all CONTEXT attributes are restricted, it is only FILES. So we only
> let oneadmin use CONTEXT/FILES. The rationale behind this is that
> CONTEXT/FILES means accessing the filesystem using oneadmin privileges,
> and so you can use:
>
> CONTEXT= [
>   FILES = "/var/lib/one/one.db /etc/passwd"
> ]
>
> and now you have access to the whole one.db or passwd file of the
> frontend.
>
> However this may be safe depending on your setup, e.g. you only let users
> access through EC2 or OCCI...
>
> If you can live with that, simply drop the
>
> VM_RESTRICTED_ATTR = "CONTEXT/FILES"
>
> in oned.conf
>
> Cheers
>
> Ruben
>
> On Fri, Oct 26, 2012 at 2:53 PM, Steffen Claus <
> steffen.claus at scai.fraunhofer.de> wrote:
>
>> Hi,
>> I have a general question regarding the handling of VM-templates with
>> CONTEXT parameters.
>> I know that the owner has to be either "oneadmin" or a member of the
>> "oneadmin" group.
>> Since ONE 3.4 it is possible to grant USE-rights on such templates for
>> normal users.
>> So far, so good.
>>
>> But now I would also like to change the owner of the template to a normal
>> user. Why is this not possible? What are the main concerns that led to the
>> decision to only allow "oneadmin" to define CONTEXT parameters,
>> respectively, possess templates with such parameters? Are there any best
>> practices how to handle this problem?
>>
>> BR,
>> Steffen Claus
>>
>>
>>
>> --
>> Steffen Claus
>>
>> Fraunhofer-Institut für Algorithmen und Wissenschaftliches Rechnen (SCAI)
>> Schloss Birlinghoven
>> D-53754 Sankt Augustin
>> Tel: +49 2241 14-2511
>> steffen.claus at scai.fraunhofer.de
>> http://www.scai.fraunhofer.de
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>
>
>
> --
> Ruben S. Montero, PhD
> Project co-Lead and Chief Architect
> OpenNebula - The Open Source Solution for Data Center Virtualization
> www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
>
>
>
>
> --
> Steffen Claus
>
> Fraunhofer-Institut für Algorithmen und Wissenschaftliches Rechnen (SCAI)
> Schloss Birlinghoven
> D-53754 Sankt Augustin
> Tel: +49 2241 14-2511
> steffen.claus at scai.fraunhofer.de
> http://www.scai.fraunhofer.de
>



-- 
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
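The restriction discussed in the quoted reply, as an added illustration (not OpenNebula's own code): a small template parser plus the per-attribute check that oned's VM_RESTRICTED_ATTR setting implies, rejecting CONTEXT/FILES for anyone outside the oneadmin group while leaving other CONTEXT keys usable. The template syntax handled (quoted scalars and `[ ... ]` vectors) and the group-list form of the caller's identity are assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# Value as it would appear in oned.conf (the one quoted in the thread).
# Paths take the form ATTR or VECTOR/KEY.
VM_RESTRICTED_ATTR = ["CONTEXT/FILES"]

# Illustrative parser for OpenNebula template text: `NAME = "value"` scalars
# and `NAME = [ KEY = "value", ... ]` vectors. Not oned's parser.
_VECTOR = re.compile(r'(\w+)\s*=\s*\[(.*?)\]', re.S)
_SCALAR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_template(text: str) -> Dict[str, object]:
    tmpl: Dict[str, object] = {}
    for name, body in _VECTOR.findall(text):
        tmpl[name.upper()] = {k.upper(): v for k, v in _SCALAR.findall(body)}
    # Remove vector blocks first so their inner keys are not read as scalars.
    for name, value in _SCALAR.findall(_VECTOR.sub("", text)):
        tmpl[name.upper()] = value
    return tmpl


def restricted_paths_used(tmpl: Dict[str, object], restricted: List[str]) -> List[str]:
    """Return the restricted paths (e.g. CONTEXT/FILES) that the template sets."""
    hits = []
    for path in restricted:
        vec, _, key = path.upper().partition("/")
        node = tmpl.get(vec)
        if key:
            if isinstance(node, dict) and key in node:
                hits.append(path)
        elif node is not None:
            hits.append(path)
    return hits


def check_template(text: str, user_groups: List[str],
                   restricted: List[str] = VM_RESTRICTED_ATTR) -> Tuple[bool, List[str]]:
    """Allow members of oneadmin unconditionally; otherwise reject any
    restricted attribute, since CONTEXT/FILES is read with oneadmin rights."""
    if "oneadmin" in user_groups:
        return True, []
    hits = restricted_paths_used(parse_template(text), restricted)
    return (not hits), hits
```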