RE: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
In XCP you can use the auth-type=PAM option when calling pool-enable-external-auth

Cheers,

> -----Original Message-----
> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
> Sent: 13 November 2009 20:12
> To: Marcus Granado
> Cc: xen-api
> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
>
> Our orchestration system is using a non-root unix user to connect via
> XenAPI (I have restrictions from my security team on using the root user
> to connect to hosts). We are using XenServer 5.0 and it was not
> updated to 5.5 because 5.5 does not accept authenticating a non-root
> user via the API. I tried to connect to XCP using a non-root user via the
> Python API and it is returning this exception:
>
> Traceback (most recent call last):
>   File "checkstatus.py", line 9, in <module>
>     conn = session.xenapi.login_with_password(username, password)
>   File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 209, in __call__
>     return self.__send(self.__name, args)
>   File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 129, in xenapi_request
>     self._login(methodname, params)
>   File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 150, in _login
>     result = _parse_result(getattr(self, 'session.%s' % method)(*params))
>   File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 184, in _parse_result
>     raise Failure(result['ErrorDescription'])
> XenAPI.Failure: SESSION_AUTHENTICATION_FAILED
>
> Is there some package update to get authentication via the API with a
> non-root user?
>
> Cheers,
>
> On Tue, Nov 10, 2009 at 9:10 AM, Marcus Granado
> <Marcus.Granado@xxxxxxxxxxxxx> wrote:
> > Yes
> >
> >> -----Original Message-----
> >> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
> >> Sent: 09 November 2009 21:01
> >> To: Marcus Granado
> >> Cc: xen-api
> >> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
> >>
> >> Hi Marcus,
> >>
> >> It means it is possible to connect as a normal unix user using the XenAPI
> >> client, right?
> >>
> >> Cheers,
> >>
> >> On Mon, Nov 9, 2009 at 5:33 PM, Marcus Granado
> >> <Marcus.Granado@xxxxxxxxxxxxx> wrote:
> >> > Hi Marco,
> >> >
> >> > The api call for normal login is 'login_with_password', which is
> >> > accessible to any user with a valid user/password.
> >> > 'slave_local_login_with_password' is an internal call that currently
> >> > is meant to be accessible only to root.
> >> >
> >> > Hope this helps,
> >> >
> >> >> -----Original Message-----
> >> >> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
> >> >> Sent: 09 November 2009 18:38
> >> >> To: Marcus Granado
> >> >> Cc: xen-api
> >> >> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
> >> >>
> >> >> Hi Marcus,
> >> >>
> >> >> Let me understand this patch and please correct me if I'm wrong:
> >> >> only the PAM user 'root' can connect using the API, and if I have
> >> >> another normal user I can't connect, is this right?
> >> >>
> >> >> Thanks,
> >> >>
> >> >> On Fri, Nov 6, 2009 at 2:48 PM, Marcus Granado
> >> >> <marcus.granado@xxxxxxxxxx> wrote:
> >> >> > 2 files changed, 7 insertions(+), 1 deletion(-)
> >> >> > ocaml/idl/datamodel.ml     |  2 +-
> >> >> > ocaml/xapi/xapi_session.ml |  6 ++++++
> >> >> >
> >> >> >
> >> >> > # HG changeset patch
> >> >> > # User Marcus Granado <marcus.granado@xxxxxxxxxx>
> >> >> > # Date 1257526015 0
> >> >> > # Node ID 0a45055b867ad44d3e3f7c26e29ffe9dc1ee3c9f
> >> >> > # Parent 719d8f6c6d8cfe94cf612ddf26cc11af24fd99d5
> >> >> > CA-34203: only root can call slave-local-login-with-password
>> > > >> >> > Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx> > >> >> > > >> >> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/idl/datamodel.ml > >> >> > --- a/ocaml/idl/datamodel.ml  ÂFri Nov 06 16:12:03 2009 +0000 > >> >> > +++ b/ocaml/idl/datamodel.ml  ÂFri Nov 06 16:46:55 2009 +0000 > >> >> > @@ -960,7 +960,7 @@ > >> >> >     Â] > >> >> >  ~in_oss_since:None > >> >> >  ~secret:true > >> >> > - Â~allowed_roles:_R_POOL_ADMIN (*only root can do an emergency > >> slave > >> >> login*) > >> >> > + Â~allowed_roles:_R_LOCAL_ROOT_ONLY (*only root can do an > >> emergency > >> >> slave login*) > >> >> >  () > >> >> > > >> >> > Âlet local_logout = call ~flags:[`Session] > >> >> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/xapi/xapi_session.ml > >> >> > --- a/ocaml/xapi/xapi_session.ml    ÂFri Nov 06 16:12:03 > 2009 > >> >> +0000 > >> >> > +++ b/ocaml/xapi/xapi_session.ml    ÂFri Nov 06 16:46:55 > 2009 > >> >> +0000 
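Review bot: `_R_LOCAL_ROOT_ONLY` is referenced on the changed `~allowed_roles` line but nothing in this patch defines it (the diffstat shows only a one-line change in datamodel.ml), so confirm the role constant already exists in the datamodel before this is applied, otherwise the build breaks. It would also help to say in the commit message that this role change only affects the RBAC metadata of the call; the actual root-only enforcement on the emergency login path is the separate `uname` check added in xapi_session.ml, and the two must stay in sync.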
> >> >> > @@ -323,6 +323,12 @@ > >> >> > Âlet slave_local_login_with_password ~__context ~uname ~pwd = > >> >> wipe_params_after_fn [pwd] (fun () -> > >> >> >  if not (Context.preauth ~__context) > >> >> >  then > >> >> > +  Âif uname <> local_superuser > >> >> > +  Âthen (* CA-34203: never authenticate external users as > >> >> local_login *) > >> >> > +   Âraise (Api_errors.Server_error > >> >> > +    Â(Api_errors.rbac_permission_denied, > >> >> > +    Â[local_superuser; "No permission in local login"])) > >> >> > +  Âelse > >> >> >   (try > >> >> >    Â(* CP696 - only tries to authenticate against LOCAL > >> superuser > >> >> account *) > >> >> >    Âdo_local_auth uname pwd; > >> >> > > >> >> > _______________________________________________ > >> >> > xen-api mailing list > >> >> > xen-api@xxxxxxxxxxxxxxxxxxx > >> >> > http://lists.xensource.com/mailman/listinfo/xen-api > >> >> > > >> >> > > >> >> > >> >> > >> >> > >> >> -- > >> >> Marco Sinhoreli > >> > > >> > >> > >> > >> -- > >> Marco Sinhoreli > > > > > > -- > Marco Sinhoreli _______________________________________________ xen-api mailing list xen-api@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/mailman/listinfo/xen-api
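Review bot: the error raised for a non-root `uname` passes `local_superuser` as the first parameter of `rbac_permission_denied`, so clients and logs will name root as the denied principal rather than the user that was actually refused; passing `uname`, or a message that states the expected superuser explicitly, would be clearer. The new check also runs before `do_local_auth`, so a wrong username now fails fast with a different error than a wrong password for root; because the only accepted name is the fixed, public `local_superuser`, that reveals nothing new, but a one-line comment saying so would save a future reviewer from re-raising it. The check sits inside `wipe_params_after_fn [pwd]`, so the password is still scrubbed on the early-raise path, which is correct.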