[one-users] restricted_attr in oned.conf of ON44

Ruben S. Montero rsmontero at opennebula.org
Thu Apr 17 14:37:05 PDT 2014


On Wed, Apr 16, 2014 at 5:15 PM, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:

>  Hi Ruben,
>
>  Thanks for the message. (It's still confusing to me though.)
>
>  Let me see if I understand this right.
>
>  In "Merge Use Case" section of
> http://docs.opennebula.org/4.4/user/virtual_resource_management/vm_guide.html
>
> suppose there is VM_RESTRICTED_ATTR="CPU" in oned.conf.
> This only prevents non-oneadmin-group users from
> using the --cpu option to the onetemplate instantiate command
> but it (VM_RESTRICTED_ATTR="CPU" in oned.conf) does NOT prevent users from
> using the CPU attribute in their VM templates. Is this right?
>

Right (although they won't be able to instantiate them)


>
>  In ON3.2, src/vm/VirtualMachineTemplate.cc has the following code
> [A] =
> const string VirtualMachineTemplate::RESTRICTED_ATTRIBUTES[] = {
>     "CONTEXT/FILES",
>     "DISK/SOURCE",
>     "NIC/MAC",
>     "NIC/VLAN_ID",
>     "RANK"
> };
>
>  We know that this prevents non-oneadmin users from using, for example,
> the CONTEXT/FILES attribute in their template,
> so we had to modify the above to comment out CONTEXT/FILES and RANK.
>
>  But it looks like this array is gone now, and the new entries in oned.conf
> (VM_RESTRICTED_ATTR) have NOT inherited the functionality.
>

You are right, we've restructured the code, and probably moved the checks to
onetemplate instantiate / onevm create.


>  So, in summary, looks like there is a restriction that prevents normal
> users from using those attributes [A] in their templates.
>
>  Do I understand right?
>

In summary, template checks for restricted attributes are made:

1.- on VM template instantiate (onetemplate instantiate)
2.- on VM create (onevm create)
3.- on VM attach nic (onevm attachnic) (for example to not allow users to
use NIC/MAC)


Hope it is clearer now,

Cheers

Ruben

>
>  Thanks again,
> Hyunwoo
> FermiCloud
>
>
>   From: "Ruben S. Montero" <rsmontero at opennebula.org>
> Date: Wednesday, April 16, 2014 9:37 AM
> To: Carlos Martín Sánchez <cmartin at opennebula.org>
> Cc: Hyunwoo Kim <hyunwoo at fnal.gov>, users <users at lists.opennebula.org>
> Subject: Re: [one-users] restricted_attr in oned.conf of ON44
>
>   Hi Hyun
>
>  We've taken a look into it and it seems to be working. A couple of notes:
>
>  1.- VM Template is checked for restricted attributes if the owner is not
> oneadmin (or in oneadmin group). The rationale behind it is that oneadmin
> can prepare templates with "unsafe" attributes but let the user instantiate
> them (but not set or modify the attributes). We'll make it clearer in the
> doc.
>
>  2.- The disk snapshot operation may use the SOURCE attribute internally,
> but the user cannot modify or set the SOURCE attribute.
>
>  Hope it makes it clearer.
>
>  Cheers
>
>  Ruben
>
>
> On Wed, Apr 16, 2014 at 3:22 PM, Carlos Martín Sánchez <cmartin at opennebula.org> wrote:
>
>> Hi,
>>
>>  There is not much to it, it should be working as you describe. We'll
>> try to reproduce it and fix it for 4.6 if it's broken.
>> http://dev.opennebula.org/issues/2838
>>
>>  Regards.
>>
>>  --
>> Carlos Martín, MSc
>> Project Engineer
>> OpenNebula - Flexible Enterprise Cloud Made Simple
>> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula
>>
>>
>>  On Tue, Apr 15, 2014 at 5:50 PM, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:
>>
>>>   Hello,
>>>
>>>
>>> http://docs.opennebula.org/4.4/administration/references/oned_conf.html#oned-conf-restricted-attributes-configuration
>>> says we can use {VM,IMAGE}_RESTRICTED_ATTR
>>> to restrict users outside the oneadmin group
>>>
>>>  but when I experiment as a user whose group is users, not oneadmin,
>>> launching a VM from a vm.template with CONTEXT/FILES
>>> and running the onevm disk-snapshot command, which must use the SOURCE attribute,
>>> both work, i.e. restricted_attr does not seem to work..
>>>
>>>  Am I missing something?
>>>
>>>  Thanks,
>>> Hyunwoo KIM
>>> FermiCloud
>>>
>>>
>>>
>>>  _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>>
>>
>
>
>  --
>  Ruben S. Montero, PhD
> Project co-Lead and Chief Architect
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
>



-- 
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
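Ruben's list above says where the restricted-attribute check runs and who is exempt. The following is an added example, not OpenNebula's own code: a Python model of that check that parses a constructed template (simplified KEY=VALUE and NAME=[...] syntax) and reports which VM_RESTRICTED_ATTR entries a non-oneadmin user has set. The template contents, the file path and the MAC are all made up, and group membership is passed in as a plain list.

```python
import re

# Constructed oned.conf-style list, same shape as the ON3.2 array [A] quoted above.
VM_RESTRICTED_ATTR = ["CONTEXT/FILES", "DISK/SOURCE", "NIC/MAC", "NIC/VLAN_ID", "RANK"]

# Constructed sample template; every value here is made up for this example.
SAMPLE_TEMPLATE = """
NAME    = "restricted-demo"
CPU     = 1
RANK    = "FREECPU"
CONTEXT = [ FILES = "/var/lib/one/files/init.sh", NETWORK = "YES" ]
NIC     = [ NETWORK = "public" ]
NIC     = [ NETWORK = "private", MAC = "02:00:de:ad:be:ef" ]
DISK    = [ IMAGE = "ubuntu" ]
"""

VECTOR_RE = re.compile(r'(\w+)\s*=\s*\[([^\]]*)\]', re.S)   # NAME = [ ... ]
PAIR_RE = re.compile(r'(\w+)\s*=\s*"?([^",\n]*)"?')          # KEY = "VALUE" inside [...]
SINGLE_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)  # top-level KEY = VALUE


def parse_template(text):
    """Parse simplified OpenNebula template syntax: single attributes map to a
    string, vector attributes (NAME = [...]) to a list of dicts (repeats kept)."""
    tmpl = {}
    for name, body in VECTOR_RE.findall(text):
        pairs = {k.upper(): v.strip() for k, v in PAIR_RE.findall(body)}
        tmpl.setdefault(name.upper(), []).append(pairs)
    for name, value in SINGLE_RE.findall(VECTOR_RE.sub('', text)):
        tmpl[name.upper()] = value.strip()
    return tmpl


def restricted_violations(tmpl, restricted, user_groups):
    """Return (sorted) the restricted entries the user has set in tmpl.
    As the thread describes, oneadmin and members of its group are exempt;
    "PARENT/CHILD" entries name a key inside a vector attribute, bare entries
    a top-level attribute."""
    if "oneadmin" in user_groups:
        return []
    found = []
    for entry in restricted:
        parent, _, child = entry.partition("/")
        if not child:
            present = parent in tmpl
        else:
            vectors = tmpl.get(parent, [])
            present = isinstance(vectors, list) and any(child in v for v in vectors)
        if present:
            found.append(entry)
    return sorted(found)
```

With the constructed template, a user in the `users` group trips CONTEXT/FILES, NIC/MAC and RANK, while the same template passes untouched for oneadmin, which is the behaviour Ruben describes for oneadmin-prepared templates.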