Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
Hi Marcus,

It means it is possible to connect as a normal Unix user using the Xen API client, right?

Cheers,

On Mon, Nov 9, 2009 at 5:33 PM, Marcus Granado <Marcus.Granado@xxxxxxxxxxxxx> wrote:
> Hi Marco,
>
> The api call for normal login is 'login_with_password', which is accessible
> to any user with a valid user/password.
> 'slave_local_login_with_password' is an internal call that currently is meant
> to be accessible only to root.
>
> Hope this helps,
>
>> -----Original Message-----
>> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
>> Sent: 09 November 2009 18:38
>> To: Marcus Granado
>> Cc: xen-api
>> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
>>
>> Hi Marcus,
>>
>> Let me understand this patch, and please correct me if I'm wrong:
>> only the PAM user 'root' can connect using the API, and if I have
>> another normal user I can't connect, is this right?
>>
>> Thanks,
>>
>> On Fri, Nov 6, 2009 at 2:48 PM, Marcus Granado <marcus.granado@xxxxxxxxxx> wrote:
>> > 2 files changed, 7 insertions(+), 1 deletion(-) >> > ocaml/idl/datamodel.ml   |  Â2 +- >> > ocaml/xapi/xapi_session.ml |  Â6 ++++++ >> > >> > >> > # HG changeset patch >> > # User Marcus Granado <marcus.granado@xxxxxxxxxx> >> > # Date 1257526015 0 >> > # Node ID 0a45055b867ad44d3e3f7c26e29ffe9dc1ee3c9f >> > # Parent Â719d8f6c6d8cfe94cf612ddf26cc11af24fd99d5 >> > CA-34203: only root can call slave-local-login-with-password >> > >> > Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx> >> > >> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/idl/datamodel.ml >> > --- a/ocaml/idl/datamodel.ml  ÂFri Nov 06 16:12:03 2009 +0000 >> > +++ b/ocaml/idl/datamodel.ml  ÂFri Nov 06 16:46:55 2009 +0000 
>> > @@ -960,7 +960,7 @@ >> >     Â] >> >  ~in_oss_since:None >> >  ~secret:true >> > - Â~allowed_roles:_R_POOL_ADMIN (*only root can do an emergency slave >> login*) >> > + Â~allowed_roles:_R_LOCAL_ROOT_ONLY (*only root can do an emergency >> slave login*) >> >  () >> > >> > Âlet local_logout = call ~flags:[`Session] >> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/xapi/xapi_session.ml >> > --- a/ocaml/xapi/xapi_session.ml    ÂFri Nov 06 16:12:03 2009 >> +0000 >> > +++ b/ocaml/xapi/xapi_session.ml    ÂFri Nov 06 16:46:55 2009 >> +0000 >> > @@ -323,6 +323,12 @@ >> > Âlet slave_local_login_with_password ~__context ~uname ~pwd = >> wipe_params_after_fn [pwd] (fun () -> >> >  if not (Context.preauth ~__context) >> >  then >> > +  Âif uname <> local_superuser >> > +  Âthen (* CA-34203: never authenticate external users as >> local_login *) >> > +   Âraise (Api_errors.Server_error >> > +    Â(Api_errors.rbac_permission_denied, >> > +    Â[local_superuser; "No permission in local login"])) >> > +  Âelse >> >   (try >> >    Â(* CP696 - only tries to authenticate against LOCAL superuser >> account *) >> >    Âdo_local_auth uname pwd; >> > >> > _______________________________________________ >> > xen-api mailing list >> > xen-api@xxxxxxxxxxxxxxxxxxx >> > http://lists.xensource.com/mailman/listinfo/xen-api >> > >> > >> >> >> >> -- >> Marco Sinhoreli > -- Marco Sinhoreli _______________________________________________ xen-api mailing list xen-api@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/mailman/listinfo/xen-api
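Review bot: in the ocaml/idl/datamodel.ml hunk, the trailing comment `(*only root can do an emergency slave login*)` is carried over word for word from the line that allowed `_R_POOL_ADMIN`, so the comment gave no hint that the role was wider than intended. Suggest rewording it to state what `_R_LOCAL_ROOT_ONLY` means for this call (the local superuser only, not a holder of the pool-admin role) and citing CA-34203 there, as the xapi_session.ml hunk does.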
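Review bot: in the ocaml/xapi/xapi_session.ml hunk, the new `uname <> local_superuser` test sits inside the `if not (Context.preauth ~__context)` branch, so it only covers callers that are not pre-authenticated; the preauth branch is outside the visible context, and the commit message should say whether that path is intentionally exempt. Two smaller points on the same lines: the inner `if ... then raise ... else` runs straight into `(try`, and wrapping the inner conditional in `begin ... end` would make it obvious which `if` the `else` belongs to; and the error parameters `[local_superuser; "No permission in local login"]` name the account that is allowed rather than the `uname` that was rejected, which is worth a short comment if it is deliberate.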