Re: [Xen-users] Access Control solution for Xen?

[Ozan Safi <ozansafi@xxxxxxxxx>]

On Wed, Dec 8, 2010 at 2:29 PM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:

On 08/12/10 13:21, Ozan Safi wrote:

Hi,

I am looking for an open-source management solution that has support for access control. For some reason I wasn't able to access the control panel demo site but I went through dtc-xen's presentation and have not seen anything related to access control. Could you point me to a link where this is explained?

Please explain what you mean by "access control". To me, this means that you only want certain users to be able to control certain DomUs (i.e. a hosting solution). dtc-xen indeed does have access control on a per customers base. Just because something is tailored towards a hosting company doesn't meant that it *has* to be used for hosting. (Replace the word "customer" with "staff member")

> I am afraid I am looking for something much more finer-grained than that. For the same domU, I need different users in different roles to be allowed to do different things to it. I also want to set constraints on them to further restrict what can be done with a specific action. (e.g. role A can do migration but for role A the action migrate is only allowed to hosts x,y, and z) I have more demands from the access control solution, but we can start from here. 

I also don't expect any solution to have all of this, but if there is something to start with, I might consider extending that. 

Until now, I've only seen mention of such a feature on Eucalyptus Enterprise Edition.

from http://www.eucalyptus.com/products/eee: "Sophisticated user, group, and role management allows precise control of resources within a private cloud"

Indeed Eucalyptus supports this, but is very difficult to get going.

> AFAICT, only the Enterprise Edition supports this, which is neither free nor open-source and I couldn't test it because they didn't hold on to their promise of "we will contact you in 24 hours".

If it is not available in any free and open-source software, I am planning to implement it myself. Either by extending one of the management solutions or modifying the Xen code itself.

You shoudn't (but legally can) modify the Xen code to support this. Xen is a Type 1 Hypervisor, which is out of scope for access control. Indeed, maybe modifying the xm scripts to do this may be an option, but again you run the risk of breaking something. This is why all solutions out there haven't actually modified xm scripts, but have made an "over the top" layer for control....with the assumption that direct SSH access to the Dom0 isn't available from the outside (which it shouldn’t be!)

 

> Why would it be "out of scope for access control"? You can implement access control in any layer. Access control is best done where the actual action takes place. Otherwise there are plenty of opportunities to get around it. If neither Xend nor Xen-API is restricted on the actual hypervisor, a bug in the management platform would allow you to do whatever you want with it. I also don't believe Xen is a Type-1 hypervisor, but that is irrelevant right now. 

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users