
Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password


  • To: Marcus Granado <Marcus.Granado@xxxxxxxxxxxxx>
  • From: Marco Sinhoreli <msinhore@xxxxxxxxx>
  • Date: Fri, 13 Nov 2009 18:12:18 -0200
  • Cc: xen-api <xen-api@xxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Fri, 13 Nov 2009 12:12:20 -0800
  • List-id: Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>

Our orchestration system is using a non-root unix user to connect via
XenAPI (I have restrictions from my security team on using the root user
to connect to hosts). We are using XenServer 5.0 and it was not
updated to 5.5 because 5.5 does not accept authenticating a non-root
user via the API. I tried to connect to XCP using a non-root user via
the Python API and it is returning this exception:

Traceback (most recent call last):
  File "checkstatus.py", line 9, in <module>
    conn = session.xenapi.login_with_password(username, password)
  File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 209, in __call__
    return self.__send(self.__name, args)
  File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 129, in xenapi_request
    self._login(methodname, params)
  File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 150, in _login
    result = _parse_result(getattr(self, 'session.%s' % method)(*params))
  File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 184, in _parse_result
    raise Failure(result['ErrorDescription'])
XenAPI.Failure: SESSION_AUTHENTICATION_FAILED


Is there some package to update in order to obtain authentication via the
API with a non-root user?


Cheers,


On Tue, Nov 10, 2009 at 9:10 AM, Marcus Granado
<Marcus.Granado@xxxxxxxxxxxxx> wrote:
> Yes
>
>> -----Original Message-----
>> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
>> Sent: 09 November 2009 21:01
>> To: Marcus Granado
>> Cc: xen-api
>> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-
>> local-login-with-password
>>
>> Hi Marcus,
>>
>> It means it is possible to connect as a normal unix user using the XenAPI
>> client, right?
>>
>>
>> Cheers,
>> On Mon, Nov 9, 2009 at 5:33 PM, Marcus Granado
>> <Marcus.Granado@xxxxxxxxxxxxx> wrote:
>> > Hi Marco,
>> >
>> > The api call for normal login is 'login_with_password', which is
>> accessible to any user with a valid user/password.
>> > 'slave_local_login_with_password' is an internal call that currently
>> is meant to be accessible only to root.
>> >
>> > Hope this helps,
>> >
>> >> -----Original Message-----
>> >> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
>> >> Sent: 09 November 2009 18:38
>> >> To: Marcus Granado
>> >> Cc: xen-api
>> >> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-
>> >> local-login-with-password
>> >>
>> >> Hi Marcus,
>> >>
>> >> Let me understand this patch and please correct me if I'm wrong:
>> >> Only the PAM user 'root' can connect using the API, and if I have
>> >> another normal user I can't connect, is this right?
>> >>
>> >>
>> >>
>> >> Thanks,
>> >>
>> >>
>> >>
>> >> On Fri, Nov 6, 2009 at 2:48 PM, Marcus Granado
>> >> <marcus.granado@xxxxxxxxxx> wrote:
>> >> > 2 files changed, 7 insertions(+), 1 deletion(-)
>> >> > ocaml/idl/datamodel.ml   |  2 +-
>> >> > ocaml/xapi/xapi_session.ml |  6 ++++++
>> >> >
>> >> >
>> >> > # HG changeset patch
>> >> > # User Marcus Granado <marcus.granado@xxxxxxxxxx>
>> >> > # Date 1257526015 0
>> >> > # Node ID 0a45055b867ad44d3e3f7c26e29ffe9dc1ee3c9f
>> >> > # Parent 719d8f6c6d8cfe94cf612ddf26cc11af24fd99d5
>> >> > CA-34203: only root can call slave-local-login-with-password
>> >> >
>> >> > Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>
>> >> >
>> >> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/idl/datamodel.ml
>> >> > --- a/ocaml/idl/datamodel.ml  ÂFri Nov 06 16:12:03 2009 +0000
>> >> > +++ b/ocaml/idl/datamodel.ml  ÂFri Nov 06 16:46:55 2009 +0000
>> >> > @@ -960,7 +960,7 @@
>> >> > Â Â Â Â Â]
>> >> > Â ~in_oss_since:None
>> >> > Â ~secret:true
>> >> > - Â~allowed_roles:_R_POOL_ADMIN (*only root can do an emergency
>> slave
>> >> login*)
>> >> > + Â~allowed_roles:_R_LOCAL_ROOT_ONLY (*only root can do an
>> emergency
>> >> slave login*)
>> >> > Â ()
>> >> >
>> >> > Âlet local_logout = call ~flags:[`Session]
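Review bot: the `~allowed_roles:_R_LOCAL_ROOT_ONLY` change in this hunk only takes effect where RBAC role checks run, i.e. on calls made with an already established session; `slave_local_login_with_password` is itself a login call, so on the unauthenticated path it is the `uname <> local_superuser` test in the xapi_session.ml hunk that actually enforces CA-34203. The commit message should state that the two hunks are complementary (datamodel role for the RBAC layer, explicit check on the login path) rather than leaving the reader to infer it, and the unchanged comment `(*only root can do an emergency slave login*)` could name `_R_LOCAL_ROOT_ONLY` as the role the RBAC layer now expects.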
>> >> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/xapi/xapi_session.ml
>> >> > --- a/ocaml/xapi/xapi_session.ml    ÂFri Nov 06 16:12:03 2009
>> >> +0000
>> >> > +++ b/ocaml/xapi/xapi_session.ml    ÂFri Nov 06 16:46:55 2009
>> >> +0000
>> >> > @@ -323,6 +323,12 @@
>> >> > Âlet slave_local_login_with_password ~__context ~uname ~pwd =
>> >> wipe_params_after_fn [pwd] (fun () ->
>> >> > Â if not (Context.preauth ~__context)
>> >> > Â then
>> >> > + Â Âif uname <> local_superuser
>> >> > + Â Âthen (* CA-34203: never authenticate external users as
>> >> local_login *)
>> >> > + Â Â Âraise (Api_errors.Server_error
>> >> > + Â Â Â Â(Api_errors.rbac_permission_denied,
>> >> > + Â Â Â Â[local_superuser; "No permission in local login"]))
>> >> > + Â Âelse
>> >> > Â Â (try
>> >> > Â Â Â Â(* CP696 - only tries to authenticate against LOCAL
>> superuser
>> >> account *)
>> >> > Â Â Â Âdo_local_auth uname pwd;
>> >> >
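Review bot: the new `if uname <> local_superuser` check sits inside the `if not (Context.preauth ~__context)` branch, so a pre-authenticated context skips it entirely; if that is intentional for internal pool calls, the `CA-34203: never authenticate external users as local_login` comment should say so, because as written it reads as an unconditional rule. Also the error parameters `[local_superuser; "No permission in local login"]` report the superuser's name rather than the rejected `uname`, so a log of this failure does not show which account was attempted and the privileged account name is echoed back to every caller; passing the offending `uname` (or no name at all) would be more useful for audit.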
>> >> > _______________________________________________
>> >> > xen-api mailing list
>> >> > xen-api@xxxxxxxxxxxxxxxxxxx
>> >> > http://lists.xensource.com/mailman/listinfo/xen-api
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Marco Sinhoreli
>> >
>>
>>
>>
>> --
>> Marco Sinhoreli
>



-- 
Marco Sinhoreli
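The login path discussed in this thread, as an added example that is not code from the thread or from xapi: log in as an ordinary user with the public `login_with_password` call (never the root-only `slave_local_login_with_password`) and unwrap the XML-RPC result envelope the way the `_parse_result` in the traceback above does. The names `Failure`, `parse_result`, `login`, `classify_login_error` and `connect` are chosen here; it assumes the XenAPI envelope format (`Status`/`Value`/`ErrorDescription`) and that `Api_errors.rbac_permission_denied` has the string form `RBAC_PERMISSION_DENIED`.

```python
import xmlrpc.client


class Failure(Exception):
    """Mirrors XenAPI.Failure: the argument is the ErrorDescription list."""

    def __init__(self, details):
        super().__init__(details)
        self.details = list(details)

    @property
    def code(self):
        # First element of ErrorDescription is the error code.
        return self.details[0] if self.details else None


def parse_result(result):
    """Unwrap a XenAPI XML-RPC envelope: {'Status': 'Success', 'Value': ...}
    or {'Status': 'Failure', 'ErrorDescription': [code, ...]}; the client
    in the traceback above raises Failure(ErrorDescription) on the latter."""
    if not isinstance(result, dict) or "Status" not in result:
        raise Failure(["BAD_RESPONSE", repr(result)])
    if result["Status"] == "Success":
        return result["Value"]
    raise Failure(result.get("ErrorDescription", ["UNKNOWN_ERROR"]))


def login(session_api, username, password):
    """Log in with the public login_with_password call, which any user with a
    valid password may use; the root-only slave_local_login_with_password
    is an internal call and is deliberately never used here."""
    return parse_result(session_api.login_with_password(username, password))


def classify_login_error(err):
    """Turn a login Failure into a short diagnostic string for the caller."""
    if err.code == "SESSION_AUTHENTICATION_FAILED":
        return "credentials rejected"
    # Assumed string form of Api_errors.rbac_permission_denied (see patch).
    if err.code == "RBAC_PERMISSION_DENIED":
        return "authenticated but role not permitted"
    return "unexpected error: %s" % err.code


def connect(url, username, password):
    """Against a real host: ServerProxy(url).session.login_with_password is
    sent on the wire as the XML-RPC method 'session.login_with_password'."""
    return login(xmlrpc.client.ServerProxy(url).session, username, password)
```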

_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api

