Hi Marco,
The api call for normal login is 'login_with_password', which is accessible to
any user with a valid user/password.
'slave_local_login_with_password' is an internal call that currently is meant
to be accessible only to root.
Hope this helps,
> -----Original Message-----
> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
> Sent: 09 November 2009 18:38
> To: Marcus Granado
> Cc: xen-api
> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
>
> Hi Marcus,
>
> Let me understand this patch and please correct me if I'm wrong:
> Only the PAM user 'root' can connect using the API, and if I have
> another normal user I can't connect, is this right?
>
>
>
> Thanks,
>
>
>
> On Fri, Nov 6, 2009 at 2:48 PM, Marcus Granado
> <marcus.granado@xxxxxxxxxx> wrote:
> > 2 files changed, 7 insertions(+), 1 deletion(-)
> > ocaml/idl/datamodel.ml | 2 +-
> > ocaml/xapi/xapi_session.ml | 6 ++++++
> >
> >
> > # HG changeset patch
> > # User Marcus Granado <marcus.granado@xxxxxxxxxx>
> > # Date 1257526015 0
> > # Node ID 0a45055b867ad44d3e3f7c26e29ffe9dc1ee3c9f
> > # Parent 719d8f6c6d8cfe94cf612ddf26cc11af24fd99d5
> > CA-34203: only root can call slave-local-login-with-password
> >
> > Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>
> >
> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/idl/datamodel.ml
> > --- a/ocaml/idl/datamodel.ml Fri Nov 06 16:12:03 2009 +0000
> > +++ b/ocaml/idl/datamodel.ml Fri Nov 06 16:46:55 2009 +0000
> > @@ -960,7 +960,7 @@
> > ]
> > ~in_oss_since:None
> > ~secret:true
> > - ~allowed_roles:_R_POOL_ADMIN (*only root can do an emergency slave
> login*)
> > + ~allowed_roles:_R_LOCAL_ROOT_ONLY (*only root can do an emergency
> slave login*)
> > ()
> >
> > let local_logout = call ~flags:[`Session]
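Review bot: The role constant `_R_LOCAL_ROOT_ONLY` that replaces `_R_POOL_ADMIN` on the `~allowed_roles` line is not defined anywhere in this patch, so please confirm it already exists in datamodel.ml (or is added by a separate change) before this is applied, otherwise the build will fail. Also note that this line only changes the declared RBAC role for the call; the actual enforcement is the username guard added in xapi_session.ml, so it would help to cite CA-34203 in the comment here the way the xapi_session.ml hunk does, to make the link between the two changes explicit.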
> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/xapi/xapi_session.ml
> > --- a/ocaml/xapi/xapi_session.ml Fri Nov 06 16:12:03 2009
> +0000
> > +++ b/ocaml/xapi/xapi_session.ml Fri Nov 06 16:46:55 2009
> +0000
> > @@ -323,6 +323,12 @@
> > let slave_local_login_with_password ~__context ~uname ~pwd =
> wipe_params_after_fn [pwd] (fun () ->
> > if not (Context.preauth ~__context)
> > then
> > + if uname <> local_superuser
> > + then (* CA-34203: never authenticate external users as
> local_login *)
> > + raise (Api_errors.Server_error
> > + (Api_errors.rbac_permission_denied,
> > + [local_superuser; "No permission in local login"]))
> > + else
> > (try
> > (* CP696 - only tries to authenticate against LOCAL superuser
> account *)
> > do_local_auth uname pwd;
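Review bot: The new guard `if uname <> local_superuser` rejects every username other than the local superuser before `do_local_auth` is reached, so the restriction is enforced by account name rather than by the caller's role; that matches the intent of `_R_LOCAL_ROOT_ONLY` in the datamodel hunk, and the `rbac_permission_denied` error naming `local_superuser` as the required role is consistent with it. Two things to confirm: the check sits inside `if not (Context.preauth ~__context)`, so a pre-authenticated context still skips it, and if that is deliberate for internal callers a one-line comment saying so would save the next reader a question; and because the name check fires before the password is tried, a non-root username now gets a different error than a bad root password, which is acceptable here since the only accepted name is fixed, but worth stating in the commit message. Good that the raise happens inside `wipe_params_after_fn [pwd]`, so the password is still wiped on the error path.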
> >
> > _______________________________________________
> > xen-api mailing list
> > xen-api@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/mailman/listinfo/xen-api
> >
> >
>
>
>
> --
> Marco Sinhoreli