[one-users] restricted_attr in oned.conf of ON44

Ruben S. Montero rsmontero at opennebula.org
Thu Apr 17 15:13:20 PDT 2014


>
> Let me ask one last question regarding IMAGE_RESTRICTED_ATTR.
> In ON3.2, we know the following code
>  less src/image/ImageTemplate.cc
> const string ImageTemplate::RESTRICTED_ATTRIBUTES[] = {
>     "SOURCE"
> };
>  disallows non-oneadmin-group users from using the command onevm saveas
> because internally this involves the SOURCE attribute,
>

I've gone through the code, and the behavior should be the same. Take a
look at:


https://github.com/OpenNebula/one/blob/one-3.2/src/rm/RequestManagerVirtualMachine.cc#L440


So, in both 3.2 and 4.4 a regular user should be able to save the disk of a
running VM no matter if SOURCE is restricted or not...


>  but in newer versions, e.g. ON4.4, this seems to be gone
> even when we have IMAGE_RESTRICTED_ATTR=SOURCE in oned.conf.
> This is what I learned from my testing.
>
>  Could you confirm this?
> Thank you!
>
>  Hyunwoo
> FermiCloud
>
>
>   From: "Ruben S. Montero" <rsmontero at opennebula.org>
> Date: Thursday, April 17, 2014 4:37 PM
> To: Hyunwoo Kim <hyunwoo at fnal.gov>
> Cc: Carlos Martín Sánchez <cmartin at opennebula.org>, users <users at lists.opennebula.org>, Steven C Timm <timm at fnal.gov>
> Subject: Re: [one-users] restricted_attr in oned.conf of ON44
>
>
>
>
> On Wed, Apr 16, 2014 at 5:15 PM, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:
>
>>  Hi Ruben,
>>
>>  Thanks for the message. (It's still confusing to me though.)
>>
>>  Let me see if I understand this right.
>>
>>  In "Merge Use Case" section of
>> http://docs.opennebula.org/4.4/user/virtual_resource_management/vm_guide.html
>>
>> suppose there is VM_RESTRICTED_ATTR="CPU" in oned.conf.
>> This only prevents non-oneadmin-group users from
>> using the --cpu option of the onetemplate instantiate command
>> but it (VM_RESTRICTED_ATTR="CPU" in oned.conf) does NOT prevent users
>> from using
>> CPU attribute in their VM templates. Is this right?
>>
>
>  Right (although they won't be able to instantiate them)
>
>
>>
>>  In ON3.2, src/vm/VirtualMachineTemplate.cc has the following code
>> [A] =
>> const string VirtualMachineTemplate::RESTRICTED_ATTRIBUTES[] = {
>>     "CONTEXT/FILES",
>>     "DISK/SOURCE",
>>     "NIC/MAC",
>>     "NIC/VLAN_ID",
>>     "RANK"
>> };
>>
>>  We know that this prevents non-oneadmin-users from using for example
>> CONTEXT/FILES attribute in their template
>> so we had to modify the above to comment out CONTEXT/FILES and RANK.
>>
>>  But it looks like this array is gone now, but the new entries in
>> oned.conf (VM_RESTRICTED_ATTR) have NOT inherited the functionality.
>>
>
>  You are right, we've restructured the code, and probably moved the checks
> to onetemplate instantiate / onevm create.
>
>
>>  So, in summary, looks like there is restriction that prevents normal
>> users from using
>> those attributes [A] in their templates.
>>
>
>>  Do I understand right?
>>
>
>  In summary, template checks for restricted attributes are made:
>
>  1.- on VM template instantiate (onetemplate instantiate)
> 2.- on VM create (onevm create)
> 3.- on VM attach nic (onevm attachnic) (for example to not allow users to
> use NIC/MAC)
>
>
>  Hope it is clearer now,
>
>  Cheers
>
>  Ruben
>
>>
>>  Thanks again,
>> Hyunwoo
>> FermiCloud
>>
>>
>>   From: "Ruben S. Montero" <rsmontero at opennebula.org>
>> Date: Wednesday, April 16, 2014 9:37 AM
>> To: Carlos Martín Sánchez <cmartin at opennebula.org>
>> Cc: Hyunwoo Kim <hyunwoo at fnal.gov>, users <users at lists.opennebula.org>
>> Subject: Re: [one-users] restricted_attr in oned.conf of ON44
>>
>>   Hi Hyun
>>
>>  We've taken a look into it and it seems to be working. A couple of
>> notes:
>>
>>  1.- VM Template is checked for restricted attributes if the owner is
>> not oneadmin (or in oneadmin group). The rationale behind it is that
>> oneadmin can prepare templates with "unsafe" attributes but let the user
>> instantiate them (but not set or modify the attributes). We'll make it
>> clearer in the doc.
>>
>>  2.- Disk snapshot operation may use the SOURCE attribute but internally,
>> the user cannot modify or set the SOURCE attribute.
>>
>>  Hope it makes it clearer.
>>
>>  Cheers
>>
>>  Ruben
>>
>>
>> On Wed, Apr 16, 2014 at 3:22 PM, Carlos Martín Sánchez <cmartin at opennebula.org> wrote:
>>
>>> Hi,
>>>
>>>  There is not much to it; it should be working as you describe. We'll
>>> try to reproduce it and fix it for 4.6 if it's broken.
>>> http://dev.opennebula.org/issues/2838
>>>
>>>  Regards.
>>>
>>>  --
>>> Carlos Martín, MSc
>>> Project Engineer
>>> OpenNebula - Flexible Enterprise Cloud Made Simple
>>> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula <http://twitter.com/opennebula>
>>>
>>>
>>>  On Tue, Apr 15, 2014 at 5:50 PM, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:
>>>
>>>>   Hello,
>>>>
>>>>
>>>> http://docs.opennebula.org/4.4/administration/references/oned_conf.html#oned-conf-restricted-attributes-configuration
>>>> says we can use {VM,IMAGE}_RESTRICTED_ATTR
>>>> to restrict users outside the oneadmin group
>>>>
>>>>  but when I experiment as a user whose group is users, not oneadmin,
>>>> launching a VM from a vm.template with CONTEXT/FILES
>>>> and running the onevm disk-snapshot command, which must use the SOURCE attribute,
>>>> both work, i.e. restricted_attr does not seem to work.
>>>>
>>>>  Am I missing something?
>>>>
>>>>  Thanks,
>>>> Hyunwoo KIM
>>>> FermiCloud
>>>>
>>>>
>>>>
>>>>  _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opennebula.org
>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>  --
>>  Ruben S. Montero, PhD
>> Project co-Lead and Chief Architect
>> OpenNebula - Flexible Enterprise Cloud Made Simple
>> www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
>>
>
>
>
>  --
>  Ruben S. Montero, PhD
> Project co-Lead and Chief Architect
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
>



-- 
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
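The check semantics laid out in this thread (restricted attributes enforced at instantiate/create/attachnic, the stored template skipped when its owner is oneadmin, and the merge case where a user's own extra attributes are still checked), as an added example in Python that is not OpenNebula's code; the ONEADMIN_GROUP name, the dict-based template shape and the sample template values are assumptions:

```python
# Added example: a simplified model of the {VM,IMAGE}_RESTRICTED_ATTR checks
# as described in this thread. It is not OpenNebula's own code; the attribute
# paths follow the "VECTOR/ATTR" form of the quoted RESTRICTED_ATTRIBUTES arrays.

ONEADMIN_GROUP = "oneadmin"  # assumed group name, as used in the thread

# Constructed policy mirroring the 3.2 defaults quoted in the thread.
VM_RESTRICTED_ATTR = ["CONTEXT/FILES", "DISK/SOURCE", "NIC/MAC", "NIC/VLAN_ID", "RANK"]


def restricted_in(template, restricted):
    """Return the restricted paths present in `template` (a dict).

    A vector attribute such as DISK, NIC or CONTEXT maps to a dict or to a
    list of dicts; a path without '/' (e.g. RANK) names a single attribute.
    """
    found = []
    for path in restricted:
        if "/" in path:
            vec, sub = path.split("/", 1)
            vals = template.get(vec, [])
            if isinstance(vals, dict):
                vals = [vals]
            if any(sub in v for v in vals):
                found.append(path)
        elif path in template:
            found.append(path)
    return found


def check_instantiate(template, owner_group, extra, requester_group,
                      restricted=VM_RESTRICTED_ATTR):
    """Model of the instantiate-time check from the thread.

    The stored template is checked only when its owner is outside the
    oneadmin group (so oneadmin can hand users a template with "unsafe"
    attributes); attributes the requester merges in (e.g. --cpu) are
    checked whenever the requester is outside that group.
    Returns the offending paths; an empty list means the request passes.
    """
    bad = []
    if owner_group != ONEADMIN_GROUP:
        bad += restricted_in(template, restricted)
    if requester_group != ONEADMIN_GROUP:
        bad += restricted_in(extra, restricted)
    return bad


if __name__ == "__main__":
    # Constructed template, as oneadmin might prepare it for regular users.
    tmpl = {"CPU": 1, "CONTEXT": {"FILES": "/var/lib/one/init.sh"}, "NIC": [{"NETWORK": "private"}]}
    print(check_instantiate(tmpl, "oneadmin", {}, "users"))  # passes: owner is oneadmin
    print(check_instantiate(tmpl, "users", {}, "users"))  # CONTEXT/FILES flagged
    print(check_instantiate(tmpl, "oneadmin", {"NIC": {"MAC": "02:00:00:00:00:01"}}, "users"))
```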