
Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password


  • To: Marcus Granado <Marcus.Granado@xxxxxxxxxxxxx>
  • From: Marco Sinhoreli <msinhore@xxxxxxxxx>
  • Date: Mon, 9 Nov 2009 19:01:19 -0200
  • Cc: xen-api <xen-api@xxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 09 Nov 2009 13:01:22 -0800
  • List-id: Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>

Hi Marcus,

It means it is possible to connect as a normal Unix user using the Xen
API client, right?


Cheers,
On Mon, Nov 9, 2009 at 5:33 PM, Marcus Granado
<Marcus.Granado@xxxxxxxxxxxxx> wrote:
> Hi Marco,
>
> The api call for normal login is 'login_with_password', which is accessible 
> to any user with a valid user/password.
> 'slave_local_login_with_password' is an internal call that currently is meant 
> to be accessible only to root.
>
> Hope this helps,
>
>> -----Original Message-----
>> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
>> Sent: 09 November 2009 18:38
>> To: Marcus Granado
>> Cc: xen-api
>> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-
>> local-login-with-password
>>
>> Hi Marcus,
>>
>> Let me understand this patch and please, correct me if I'm wrong:
>> Only the PAM user 'root' can connect using the API, and if I have
>> another normal user I can't connect, is this right?
>>
>>
>>
>> Thanks,
>>
>>
>>
>> On Fri, Nov 6, 2009 at 2:48 PM, Marcus Granado
>> <marcus.granado@xxxxxxxxxx> wrote:
>> > 2 files changed, 7 insertions(+), 1 deletion(-)
>> > ocaml/idl/datamodel.ml     |  2 +-
>> > ocaml/xapi/xapi_session.ml |  6 ++++++
>> >
>> >
>> > # HG changeset patch
>> > # User Marcus Granado <marcus.granado@xxxxxxxxxx>
>> > # Date 1257526015 0
>> > # Node ID 0a45055b867ad44d3e3f7c26e29ffe9dc1ee3c9f
>> > # Parent  719d8f6c6d8cfe94cf612ddf26cc11af24fd99d5
>> > CA-34203: only root can call slave-local-login-with-password
>> >
>> > Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>
>> >
>> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/idl/datamodel.ml
>> > --- a/ocaml/idl/datamodel.ml  ÂFri Nov 06 16:12:03 2009 +0000
>> > +++ b/ocaml/idl/datamodel.ml  ÂFri Nov 06 16:46:55 2009 +0000
>> > @@ -960,7 +960,7 @@
>> > Â Â Â Â Â]
>> > Â ~in_oss_since:None
>> > Â ~secret:true
>> > - Â~allowed_roles:_R_POOL_ADMIN (*only root can do an emergency slave
>> login*)
>> > + Â~allowed_roles:_R_LOCAL_ROOT_ONLY (*only root can do an emergency
>> slave login*)
>> > Â ()
>> >
>> > Âlet local_logout = call ~flags:[`Session]
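Review bot: the hunk header `@@ -960,7 +960,7 @@` names no enclosing definition and the visible context is only `~in_oss_since:None`, `~secret:true` and the trailing `let local_logout = call ~flags:[`Session]`, so a reader cannot confirm from the diff alone that the `~allowed_roles` being switched from `_R_POOL_ADMIN` to `_R_LOCAL_ROOT_ONLY` belongs to the `slave_local_login_with_password` call rather than a neighbouring one; please widen the hunk so the `let ... = call` line of the affected definition is in the context. `_R_LOCAL_ROOT_ONLY` is not introduced by this patch, so it should be confirmed to exist already in the role definitions. The unchanged comment `(*only root can do an emergency slave login*)` contradicted the old `_R_POOL_ADMIN` value and only now matches the code; adding the CA-34203 reference here, as the xapi_session.ml hunk does, would tie the two changes together for the next reader.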
>> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/xapi/xapi_session.ml
>> > --- a/ocaml/xapi/xapi_session.ml    ÂFri Nov 06 16:12:03 2009
>> +0000
>> > +++ b/ocaml/xapi/xapi_session.ml    ÂFri Nov 06 16:46:55 2009
>> +0000
>> > @@ -323,6 +323,12 @@
>> > Âlet slave_local_login_with_password ~__context ~uname ~pwd =
>> wipe_params_after_fn [pwd] (fun () ->
>> > Â if not (Context.preauth ~__context)
>> > Â then
>> > + Â Âif uname <> local_superuser
>> > + Â Âthen (* CA-34203: never authenticate external users as
>> local_login *)
>> > + Â Â Âraise (Api_errors.Server_error
>> > + Â Â Â Â(Api_errors.rbac_permission_denied,
>> > + Â Â Â Â[local_superuser; "No permission in local login"]))
>> > + Â Âelse
>> > Â Â (try
>> > Â Â Â Â(* CP696 - only tries to authenticate against LOCAL superuser
>> account *)
>> > Â Â Â Âdo_local_auth uname pwd;
>> >
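Review bot: the new guard `if uname <> local_superuser` raises `Api_errors.rbac_permission_denied` with `local_superuser` as its first parameter to a caller that has not authenticated, and it does so before `do_local_auth uname pwd` is reached in the `else` branch, so any remote client learns which account name this call accepts and can tell "wrong user name" (immediate RBAC error) from "right user name, wrong password" (error only after the local auth attempt). Since the comment states the intent as "never authenticate external users as local_login", consider failing with the same error the password path produces so the two cases are indistinguishable, or at least drop the superuser name from the error parameters. The guard also sits inside `if not (Context.preauth ~__context)`, so a pre-authenticated context bypasses it and takes the old path unchanged; if that is the intended exemption for internal callers, the commit message should say so.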
>> > _______________________________________________
>> > xen-api mailing list
>> > xen-api@xxxxxxxxxxxxxxxxxxx
>> > http://lists.xensource.com/mailman/listinfo/xen-api
>> >
>> >
>>
>>
>>
>> --
>> Marco Sinhoreli
>



-- 
Marco Sinhoreli

_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api
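The distinction Marcus draws between the two login calls, exercised over XenAPI's XML-RPC wire format as an added example (this is not code from the thread or from xapi). It assumes the method names `session.login_with_password` and `session.slave_local_login_with_password` with `(uname, pwd)` arguments, the `{"Status": ..., "Value"/"ErrorDescription": ...}` response shape, and models the patched server-side check with a constructed credential store behind a mock XML-RPC endpoint on localhost; `call_login` and `slave_local_login_is_root_only` are the parts a practitioner would point at a real host URL to verify that a non-root PAM user is refused.

```python
import threading
import uuid
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer

LOCAL_SUPERUSER = "root"

# Constructed sample credential store standing in for PAM/local auth (not real data):
# "root" is the local superuser, "alice" an ordinary PAM user.
USERS = {"root": "r00t-pw", "alice": "alice-pw"}


def _ok(value):
    # Assumed XenAPI success envelope.
    return {"Status": "Success", "Value": value}


def _fail(code, *params):
    # Assumed XenAPI failure envelope: error code first, then its parameters.
    return {"Status": "Failure", "ErrorDescription": [code, *params]}


def _authenticate(uname, pwd):
    """Password check shared by both calls (stands in for do_local_auth / PAM)."""
    if USERS.get(uname) != pwd:
        return _fail("SESSION_AUTHENTICATION_FAILED", uname, "Authentication failure")
    return _ok("OpaqueRef:" + uuid.uuid4().hex)


def login_with_password(uname, pwd):
    """Normal login: any account with a valid password may open a session."""
    return _authenticate(uname, pwd)


def slave_local_login_with_password(uname, pwd):
    """Emergency slave-local login, modelled on the CA-34203 check: any user name
    other than the local superuser is refused before the password is consulted."""
    if uname != LOCAL_SUPERUSER:
        return _fail("RBAC_PERMISSION_DENIED", LOCAL_SUPERUSER, "No permission in local login")
    return _authenticate(uname, pwd)


def start_mock_xapi():
    """Serve both calls under their XenAPI method names on an ephemeral localhost port."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    server.register_function(login_with_password, "session.login_with_password")
    server.register_function(slave_local_login_with_password,
                             "session.slave_local_login_with_password")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]


def call_login(url, method, uname, pwd):
    """Client side: invoke session.<method>(uname, pwd) and return (status, error_code)."""
    proxy = xmlrpc.client.ServerProxy(url)
    resp = getattr(proxy.session, method)(uname, pwd)
    if resp["Status"] == "Success":
        return "Success", None
    return "Failure", resp["ErrorDescription"][0]


def slave_local_login_is_root_only(url, user, pwd):
    """The check to run against a host: a non-root user whose credentials open a
    normal session must still be refused by slave_local_login_with_password with
    RBAC_PERMISSION_DENIED. Returns True when the host behaves that way."""
    normal = call_login(url, "login_with_password", user, pwd)
    local = call_login(url, "slave_local_login_with_password", user, pwd)
    return normal == ("Success", None) and local == ("Failure", "RBAC_PERMISSION_DENIED")


def run_demo():
    """Start the mock endpoint, exercise both calls as root and as alice, stop it."""
    server, url = start_mock_xapi()
    try:
        results = {
            "alice_normal": call_login(url, "login_with_password", "alice", "alice-pw"),
            "alice_local": call_login(url, "slave_local_login_with_password", "alice", "alice-pw"),
            "root_local": call_login(url, "slave_local_login_with_password", "root", "r00t-pw"),
            "root_local_badpw": call_login(url, "slave_local_login_with_password", "root", "wrong"),
            "restricted": slave_local_login_is_root_only(url, "alice", "alice-pw"),
        }
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

Against a real pool master you would replace the mock URL with the host's HTTPS endpoint and call `slave_local_login_is_root_only` with an ordinary PAM account; the mock shows the ordering the patch introduces, where the wrong user name is rejected by RBAC before any password check, while the right name with a wrong password fails only after authentication is attempted.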


 

