<br><br><div class="gmail_quote">On Fri, Feb 25, 2011 at 4:32 PM, Zeeshan Ali Shah <span dir="ltr"><<a href="mailto:zashah@pdc.kth.se">zashah@pdc.kth.se</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hi Tino,<br>
I think there is a slight confusion of Private/Public .. I mean Private cloud is for Private user such as your employee etc. (not for walking customer) .<br>
<br>
so in this scenario one user shd not see other user's vm . or even scan whole of infrastructure.<br></blockquote><div><br></div><div>Probably, we are not following the most accepted notation here, but OPenNebula in its architecture defines the types of Cloud not based on Who but on How.</div>
<div><br></div><div>The How. If you are using you infrastructure like a Public Cloud then it is a public cloud. No matter if its your company's resources or Amazon's if you apply the same restriction on operations. But if you are doing advance infrastructure operations like migrating VMs, defining networks based on your host configuration then that's a private use.</div>
<div><br></div><div>In OpenNebula we have both alternatives, and that is one of its most powerful features compared with others, basically:</div><div><br></div><div>XML-RPC + OCA: It's advance non-abstracted functionality for VM management</div>
<div>EC2 + OCCI: It's a public Cloud interface.</div><div><br></div><div>Both interfaces are valid and have no security issues regarding access rights. You have to choose what interface better suite your users. An architect your cloud according those requirements.</div>
<div> </div><div>Sunstone is a grpahical representation of both. This first release will only cover XML-RPC/OCA interface. We will add features in the next release so you can expose Sunstone to your public cloud users (You already have elasticfox for the EC2 now).</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
for user in linux in case of shared hosting when you have shell access . user cannot see processes which are not belong to him.. (If security rightly applied).<br>
<br></blockquote><div><br></div><div>Agree but that is equivalent to public cloud users are only accessing a fraction of a system. If you give an account of your system (no matter if it is a VM or hosted or physical) then the notion of user sharing the same system exists and that affects the design of API's and tools. For example libc will always report information about kernel process, in the same way XML-RPX will always report information about VMs in oned. </div>
<div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Tino: as you have quite good indepth in coding of One , do you have any flow diagram or any other helpful way so that If needed i can extend Authn/Authz model for OCA layer.<br></blockquote><div><br></div><div>Documentation is always your friend (and sometimes it levels Tino knowledge ;)</div>
<div><br></div><div><a href="http://www.opennebula.org/documentation:rel2.0:auth">http://www.opennebula.org/documentation:rel2.0:auth</a></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
--- all comments welcome<br><font color="#888888">
<br>
Zeeshan</font><div><div></div><div class="h5"><br>
<br>
On 02/25/2011 03:46 PM, Tino Vazquez wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Zeeshan, Danny,<br>
<br>
Sunstone in its current version (coming really soon ;) ) is not a<br>
public cloud interface, but rather a private cloud interface. In the<br>
future, we plan to add role support, so you can have different views<br>
depending on the user.<br>
<br>
Internal users (private cloud users) can see the global state of the<br>
problem, the same way that in a linux OS one user can see other<br>
processes with 'ps', or users pf a PBS cluster can see other jobs with<br>
a 'qstat'. Although they of course cannot modify each others<br>
resources.<br>
<br>
On the other hand, OCCI and EC2 (public interfaces) _do_ limit the<br>
views of the resources.<br>
<br>
Hope it helps,<br>
<br>
-Tino<br>
<br>
--<br>
Constantino Vázquez Blanco | <a href="http://dsa-research.org/tinova" target="_blank">dsa-research.org/tinova</a><br>
Virtualization Technology Engineer / Researcher<br>
OpenNebula Toolkit | <a href="http://opennebula.org" target="_blank">opennebula.org</a><br>
<br>
<br>
<br>
On Fri, Feb 25, 2011 at 3:01 PM, Danny Sternkopf<<a href="mailto:danny.sternkopf@csc.fi" target="_blank">danny.sternkopf@csc.fi</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Yep, it is definately a major security risk.<br>
The sunstone WebGUI has a user limited view in contrast.<br>
<br>
<br>
On 2011-02-25 15:58, Zeeshan Ali Shah wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
wow, i think user can see each other VM , definately they cannot delete<br>
them , but they can even look into other vms with onevm show..<br>
<br>
is it normal ? also user can see onehost list and onevnet show.<br>
<br>
which is bit issue as user can poke into infrastructure.<br>
<br>
with User i mean , normal user you create with oneuser create command<br>
<br>
do these concern a security risk ?<br>
<br>
</blockquote>
--<br>
Danny Sternkopf, Systems Specialist, Computing Environments<br>
P.O.Box 405, 02101 Espoo, Finland<br>
tel +358 9 457 2003, fax +358 9 457 2302<br>
Mobile +358 50 381 8569, e-mail <a href="mailto:danny.sternkopf@csc.fi" target="_blank">danny.sternkopf@csc.fi</a><br>
CSC - IT center for science, <a href="http://www.csc.fi" target="_blank">http://www.csc.fi</a><br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
<br>
</blockquote>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
</blockquote>
<br>
<br></div></div><div class="im">
-- <br>
Regards<br>
<br>
Zeeshan Ali Shah<br>
System Administrator<br>
PDC-Center for High Performance Computing<br>
KTH-Royal Institute of Technology , Sweden<br>
+46 8 790 9115<br>
<br>
_______________________________________________<br></div><div><div></div><div class="h5">
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Dr. Ruben Santiago Montero<br>Associate Professor (Profesor Titular), Complutense University of Madrid<br><br>URL: <a href="http://dsa-research.org/doku.php?id=people:ruben" target="_blank">http://dsa-research.org/doku.php?id=people:ruben</a><br>
Weblog: <a href="http://blog.dsa-research.org/?author=7" target="_blank">http://blog.dsa-research.org/?author=7</a><br>