Re: [Xen-API] User Based Access Control
RBAC on XAPI is cool, but it doesn't work between pools (by definition, it's scoped by XAPI itself). That's why indeed there are multiple solutions, as explained in the previous messages, each depending on what you need:

- RBAC in XAPI for people wanting ACLs but in one pool only (if the VM is migrated to another pool you need to duplicate the ACLs on this pool too. Not very convenient!)
- ACLs in multiple pools but without having to install agents on each host and without advanced features (like billing for CPU usage, etc.): Xen Orchestra
- "Advanced" ACLs for bigger infrastructure and/or advanced cases: CloudStack

There is no silver bullet for all situations. But as far as I can tell, on my side I met a LOT of people asking for ACLs in Xen Orchestra (hey! that's the main reason we are implementing it after all!). Our "usual" user asks for keeping the simplicity of XO (nothing to install on hosts, just XAPI-compatible software) with the possibility to "delegate" objects in a few clicks. For sure, we'll do our best to deliver soon, and connecting this stuff to an AD/OpenLDAP is also a priority.

And yes, exactly Thomas: XO acts like a kind of "proxy" (exactly, it's the "xo-server" module) and that's exactly where the ACLs are. You get a better picture with this:
https://raw.githubusercontent.com/vatesfr/xo/master/doc/architecture/assets/xo-arch.jpg

On Wed, Feb 25, 2015 at 4:25 PM, Marcus Granado <marcus.granado@xxxxxxxxxx> wrote:
> I like the idea of implementing this access control mechanism as close as
> possible to the objects being accessed, i.e. in XAPI.
>
> There's a proposal for creating a restricting scope mechanism in XAPI
> similar to what Shiva described, on top of (and compatible with) the
> existing RBAC mechanism:
> http://lists.xen.org/archives/html/xen-api/2010-05/msg00093.html
>
> On 25/02/15 14:16, Thomas Sanders wrote:
>> Cloudstack/Cloudplatform does something like this.
>>
>> XenServer itself doesn't have the necessary information in the
>> datamodel: a VM doesn't have an "owner". Therefore XenServer's existing RBAC
>> feature can't do what you want at present.
>>
>> It might be less work to add the feature to XenServer than to implement it
>> by writing new gateway software that mediates between the users and
>> XenServer... but it sounds as if Olivier is adding it to his existing
>> gateway/mediator software Xen-Orchestra.
>>
>>> -----Original Message-----
>>> From: xen-api-bounces@xxxxxxxxxxxxx
>>> [mailto:xen-api-bounces@xxxxxxxxxxxxx]
>>> On Behalf Of Olivier Lambert
>>> Sent: 25 February 2015 12:12 PM
>>> To: Shiva Bhanujan
>>> Cc: xen-api@xxxxxxxxxxxxxxxxxxxx
>>> Subject: Re: [Xen-API] User Based Access Control
>>>
>>> Hi,
>>>
>>> https://xen-orchestra.com/blog/xo-4-x-starts-to-show-up/
>>>
>>> It actually works and we are in closed Beta so far. I will create a
>>> small video to show you how it works.
>>>
>>> Should be out by the end of the month.
>>>
>>> Regards,
>>>
>>> Olivier.
>>>
>>> On Wed, Feb 18, 2015 at 7:55 PM, Shiva Bhanujan <sxb075@xxxxxxxxx> wrote:
>>>> Hello,
>>>>
>>>> I'm trying to figure out if we can have a mechanism such that when user A
>>>> creates a VM, or a network or any object from dom0, another user B would not
>>>> have any access to objects created by user A. Is there such a mechanism
>>>> available?
>>>>
>>>> I've looked at the RBAC mechanism in PAM, and Xen Orchestra, but I doubt if
>>>> they address this need. Is anybody aware of anything that might satisfy
>>>> this need?
>>>>
>>>> Regards,
>>>> Shiva
>>>>
>>>> _______________________________________________
>>>> Xen-api mailing list
>>>> Xen-api@xxxxxxxxxxxxx
>>>> http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api