[one-users] restricted_attr in oned.conf of ON44

Hyun Woo Kim hyunwoo at fnal.gov
Thu Apr 17 14:45:15 PDT 2014


Hi Ruben,

Thanks again for your response. It is very clear to me now.

My previous assertion
> but it (VM_RESTRICTED_ATTR="CPU" in oned.conf) does NOT prevent users from using CPU attribute in their VM templates.
is wrong; I made a mistake when I was testing this feature,
i.e. now I know that VM_RESTRICTED_ATTR in oned.conf works.

Let me ask one last question regarding IMAGE_RESTRICTED_ATTR.
In ON3.2, we know the following code
less src/image/ImageTemplate.cc
const string ImageTemplate::RESTRICTED_ATTRIBUTES[] = {
    "SOURCE"
};
disallows non-oneadmin-group users from using the command onevm saveas
because internally this involves the SOURCE attribute,

but in a newer version, e.g. ON4.4, this seems to be gone
even when we have IMAGE_RESTRICTED_ATTR=SOURCE in oned.conf.
This is what I learned from my testing.

Could you confirm this?
Thank you!

Hyunwoo
FermiCloud


From: "Ruben S. Montero" <rsmontero at opennebula.org>
Date: Thursday, April 17, 2014 4:37 PM
To: Hyunwoo Kim <hyunwoo at fnal.gov>
Cc: Carlos Martín Sánchez <cmartin at opennebula.org>, users <users at lists.opennebula.org>, Steven C Timm <timm at fnal.gov>
Subject: Re: [one-users] restricted_attr in oned.conf of ON44




On Wed, Apr 16, 2014 at 5:15 PM, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:
Hi Ruben,

Thanks for the message. (It's still confusing to me though.)

Let me see if I understand this right.

In "Merge Use Case" section of http://docs.opennebula.org/4.4/user/virtual_resource_management/vm_guide.html
suppose there is VM_RESTRICTED_ATTR="CPU" in oned.conf.
This only prevents non-oneadmin-group users from
using the --cpu option of the onetemplate instantiate command,
but it (VM_RESTRICTED_ATTR="CPU" in oned.conf) does NOT prevent users from using
the CPU attribute in their VM templates. Is this right?

Right (although they won't be able to instantiate them)


In ON3.2, src/vm/VirtualMachineTemplate.cc has the following code
[A] =
const string VirtualMachineTemplate::RESTRICTED_ATTRIBUTES[] = {
    "CONTEXT/FILES",
    "DISK/SOURCE",
    "NIC/MAC",
    "NIC/VLAN_ID",
    "RANK"
};

We know that this prevents non-oneadmin users from using, for example, the CONTEXT/FILES attribute in their template,
so we had to modify the above to comment out CONTEXT/FILES and RANK.

But it looks like this array is gone now, and the new entries in oned.conf (VM_RESTRICTED_ATTR) have NOT inherited the functionality.

You are right, we've restructured the code and probably moved the checks to onetemplate instantiate / onevm create.


So, in summary, it looks like there is a restriction that prevents normal users from using
those attributes [A] in their templates.

Do I understand right?

In summary, template checks for restricted attributes are made:

1.- on VM template instantiate (onetemplate instantiate)
2.- on VM create (onevm create)
3.- on VM attach nic (onevm attachnic) (for example to not allow users to use NIC/MAC)


Hope it is clearer now,

Cheers

Ruben

Thanks again,
Hyunwoo
FermiCloud


From: "Ruben S. Montero" <rsmontero at opennebula.org>
Date: Wednesday, April 16, 2014 9:37 AM
To: Carlos Martín Sánchez <cmartin at opennebula.org>
Cc: Hyunwoo Kim <hyunwoo at fnal.gov>, users <users at lists.opennebula.org>
Subject: Re: [one-users] restricted_attr in oned.conf of ON44

Hi Hyun

We've taken a look into it and it seems to be working. A couple of notes:

1.- VM Template is checked for restricted attributes if the owner is not oneadmin (or in oneadmin group). The rationale behind it is that oneadmin can prepare templates with "unsafe" attributes but let the user instantiate them (but not set or modify the attributes). We'll make it clearer in the doc.

2.- Disk snapshot operation may use the SOURCE attribute internally, but the user cannot modify or set the SOURCE attribute.

Hope it makes it clearer.

Cheers

Ruben


On Wed, Apr 16, 2014 at 3:22 PM, Carlos Martín Sánchez <cmartin at opennebula.org> wrote:
Hi,

There is not much to it, it should be working as you describe. We'll try to reproduce it and fix it for 4.6 if it's broken.
http://dev.opennebula.org/issues/2838

Regards.

--
Carlos Martín, MSc
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula


On Tue, Apr 15, 2014 at 5:50 PM, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:
Hello,

http://docs.opennebula.org/4.4/administration/references/oned_conf.html#oned-conf-restricted-attributes-configuration
says we can use {VM,IMAGE}_RESTRICTED_ATTR
to restrict users outside the oneadmin group

but when I experiment as a user whose group is users, not oneadmin,
launching a VM from a vm.template with CONTEXT/FILES
and running the onevm disk-snapshot command, which must use the SOURCE attribute,
both work, i.e. restricted_attr does not seem to work.

Am I missing something?

Thanks,
Hyunwoo KIM
FermiCloud



_______________________________________________
Users mailing list
Users at lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org







--
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula



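The thread describes the check in prose only: oned rejects a VM template that sets a VM_RESTRICTED_ATTR path (a vector sub-attribute such as NIC/MAC, or a bare attribute such as RANK) unless the requester is oneadmin or in the oneadmin group, and in 4.4 the check runs at instantiate, create and attachnic. The Ruby below is an added example written for this page, not OpenNebula's own code: it parses a template in the OpenNebula template syntax, reads VM_RESTRICTED_ATTR lines from an oned.conf excerpt, and reports which restricted paths a non-oneadmin submission would trip on. The helper names, the oned.conf excerpt and the sample template are constructed for the example; only the key name and the path convention come from the thread and the 4.4 documentation it links.

```ruby
# Added example, not OpenNebula's own code: a minimal model of the check
# that oned applies to a VM template when the requesting user is outside
# the oneadmin group. The template syntax and the oned.conf key follow the
# OpenNebula 4.x documentation; the helper names, the sample oned.conf
# excerpt and the sample template below are constructed for this example.

ONEADMIN_USER  = "oneadmin"
ONEADMIN_GROUP = "oneadmin"

# Constructed oned.conf excerpt. "NIC/MAC" means sub-attribute MAC of the
# vector attribute NIC; a bare "RANK" names a single (non-vector) attribute.
SAMPLE_ONED_CONF = <<~CONF
  VM_RESTRICTED_ATTR = "CONTEXT/FILES"
  VM_RESTRICTED_ATTR = "DISK/SOURCE"
  VM_RESTRICTED_ATTR = "NIC/MAC"
  VM_RESTRICTED_ATTR = "NIC/VLAN_ID"
  VM_RESTRICTED_ATTR = "RANK"
CONF

# Constructed user template that touches four restricted paths.
SAMPLE_TEMPLATE = <<~TPL
  NAME    = "test-vm"
  CPU     = 1
  MEMORY  = 512
  DISK    = [ IMAGE = "ttylinux", SOURCE = "/var/lib/one/images/custom.img" ]
  NIC     = [ NETWORK = "private", MAC = "02:00:0a:00:00:01" ]
  CONTEXT = [ HOSTNAME = "test", FILES = "/tmp/init.sh" ]
  RANK    = "- RUNNING_VMS"
TPL

# Collect every VM_RESTRICTED_ATTR (or IMAGE_RESTRICTED_ATTR) value from oned.conf.
def restricted_attrs(conf_text, key = "VM_RESTRICTED_ATTR")
  conf_text.each_line.map do |line|
    m = line.match(/\A\s*#{key}\s*=\s*"([^"]+)"/)
    m && m[1].upcase
  end.compact
end

# Parse the template language: KEY = value and VECTOR = [ K = v, K = v ].
# Returns [name, value] pairs; value is a String, or a Hash for vectors.
# Lines starting with '#' are treated as comments and ignored.
def parse_template(text)
  body = text.each_line.reject { |l| l.lstrip.start_with?("#") }.join
  attrs = []
  body.scan(/(\w+)\s*=\s*(\[[^\]]*\]|"[^"]*"|[^\n,\]]+)/) do |name, value|
    value = value.strip
    if value.start_with?("[")
      sub = {}
      value[1..-2].scan(/(\w+)\s*=\s*("[^"]*"|[^,\]]+)/) do |k, v|
        sub[k.upcase] = v.strip.delete('"')
      end
      attrs << [name.upcase, sub]
    else
      attrs << [name.upcase, value.delete('"')]
    end
  end
  attrs
end

# Restricted paths the template uses, in template order. Returns [] for
# oneadmin and for members of the oneadmin group, which the thread says are
# exempt from the check; any non-empty result means the request (instantiate,
# create or attachnic) would be rejected for that user.
def restricted_violations(template_text, conf_text, user:, group:)
  return [] if user == ONEADMIN_USER || group == ONEADMIN_GROUP
  restricted = restricted_attrs(conf_text)
  parse_template(template_text).flat_map do |name, value|
    if value.is_a?(Hash)
      value.keys.map { |k| "#{name}/#{k}" }.select { |path| restricted.include?(path) }
    else
      restricted.include?(name) ? [name] : []
    end
  end.uniq
end

if __FILE__ == $PROGRAM_NAME
  # A member of group "users" submitting the sample template trips four paths;
  # the same template submitted by oneadmin trips none.
  p restricted_violations(SAMPLE_TEMPLATE, SAMPLE_ONED_CONF, user: "alice", group: "users")
  p restricted_violations(SAMPLE_TEMPLATE, SAMPLE_ONED_CONF, user: "oneadmin", group: "oneadmin")
end
```

The path convention is the point worth checking when you edit oned.conf: "DISK/SOURCE" only matches SOURCE inside a DISK vector, so it does not cover a top-level SOURCE attribute, and a bare "SOURCE" entry would not cover DISK/SOURCE. Listing both forms when in doubt is the conservative choice.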