RE: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
Hi Marco,

The API call for normal login is 'login_with_password', which is accessible to any user with a valid user/password. 'slave_local_login_with_password' is an internal call that currently is meant to be accessible only to root.

Hope this helps,

> -----Original Message-----
> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
> Sent: 09 November 2009 18:38
> To: Marcus Granado
> Cc: xen-api
> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
>
> Hi Marcus,
>
> Let me understand this patch and please correct me if I'm wrong:
> only the PAM user 'root' can connect using the API, and if I have
> another normal user I can't connect, is this right?
>
> Thanks,
>
> On Fri, Nov 6, 2009 at 2:48 PM, Marcus Granado <marcus.granado@xxxxxxxxxx> wrote:
> > 2 files changed, 7 insertions(+), 1 deletion(-) > > ocaml/idl/datamodel.ml   |  Â2 +- > > ocaml/xapi/xapi_session.ml |  Â6 ++++++ > > > > > > # HG changeset patch > > # User Marcus Granado <marcus.granado@xxxxxxxxxx> > > # Date 1257526015 0 > > # Node ID 0a45055b867ad44d3e3f7c26e29ffe9dc1ee3c9f > > # Parent Â719d8f6c6d8cfe94cf612ddf26cc11af24fd99d5 > > CA-34203: only root can call slave-local-login-with-password > > > > Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx> > > > > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/idl/datamodel.ml > > --- a/ocaml/idl/datamodel.ml  ÂFri Nov 06 16:12:03 2009 +0000 > > +++ b/ocaml/idl/datamodel.ml  ÂFri Nov 06 16:46:55 2009 +0000 > > @@ -960,7 +960,7 @@ > >     Â] > >  ~in_oss_since:None > >  ~secret:true > > - Â~allowed_roles:_R_POOL_ADMIN (*only root can do an emergency slave > login*) > > + Â~allowed_roles:_R_LOCAL_ROOT_ONLY (*only root can do an emergency > slave login*) > >  () > > > > Âlet local_logout = call ~flags:[`Session] > > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/xapi/xapi_session.ml > > --- a/ocaml/xapi/xapi_session.ml    ÂFri Nov 06 16:12:03 2009 > +0000 
> > +++ b/ocaml/xapi/xapi_session.ml    ÂFri Nov 06 16:46:55 2009 > +0000 > > @@ -323,6 +323,12 @@ > > Âlet slave_local_login_with_password ~__context ~uname ~pwd = > wipe_params_after_fn [pwd] (fun () -> > >  if not (Context.preauth ~__context) > >  then > > +  Âif uname <> local_superuser > > +  Âthen (* CA-34203: never authenticate external users as > local_login *) > > +   Âraise (Api_errors.Server_error > > +    Â(Api_errors.rbac_permission_denied, > > +    Â[local_superuser; "No permission in local login"])) > > +  Âelse > >   (try > >    Â(* CP696 - only tries to authenticate against LOCAL superuser > account *) > >    Âdo_local_auth uname pwd; > > > > _______________________________________________ > > xen-api mailing list > > xen-api@xxxxxxxxxxxxxxxxxxx > > http://lists.xensource.com/mailman/listinfo/xen-api > > > > > > > > -- > Marco Sinhoreli _______________________________________________ xen-api mailing list xen-api@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/mailman/listinfo/xen-api
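Review bot: In the datamodel.ml hunk, the comment on the changed `~allowed_roles` line still reads only "only root can do an emergency slave login" and gives no hint that the same rule is enforced a second time by the `uname <> local_superuser` check in xapi_session.ml. Consider extending the comment to mention CA-34203 and the companion check, so that someone later relaxing the role back towards `_R_POOL_ADMIN` knows the handler will still reject non-root names and that both places must change together.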
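Review bot: In the xapi_session.ml hunk, the new `if uname <> local_superuser` check is nested under `if not (Context.preauth ~__context)`, so a pre-authenticated caller never reaches it. If the intent of CA-34203 is that this call never authenticates anyone other than the local superuser, either hoist the check above the preauth test or add a comment saying why the preauth path is exempt. A smaller point on the `raise`: the error parameters are `[local_superuser; "No permission in local login"]`, which carry the expected account name and not the rejected `uname`; if the rejected name matters for audit, a server-side log line before the raise would record it without returning it to the caller. Placing the rejection ahead of `do_local_auth uname pwd` is good, since the password is never checked for a non-root name.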