WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-api

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-wi

from [Marco Sinhoreli] [Permanent Link][Original]
To: Marcus Granado <Marcus.Granado@xxxxxxxxxxxxx>
Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
From: Marco Sinhoreli <msinhore@xxxxxxxxx>
Date: Fri, 13 Nov 2009 18:12:18 -0200
Cc: xen-api <xen-api@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Fri, 13 Nov 2009 12:12:20 -0800
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=tzYBn3a+WBHTcV+2xZxL16OchDt3M76Qft5V6Oxkdg8=; b=oQqZwq+dw2/2s2oFOl02MT4pPK+UD921ibUPKQNYlRwBWuTdNiCVi+ZLFxB6rnADQY hw9P4wBn5W2XW6aL/BUHbZX0xdjPhvIQOJG+I5Xnry00YUYI58O7Buossm5ot8wxMoBu /gOx+Qj6tbg4uyD5Goq2RorFhQgSiSBTgKTfU=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=c8IgkNqOT8MVpNlvwCUZSwCnDtPf8G7UQwE0CIezeO70jZy3Zp6k1y9bFbI83br6vi QcPqGIaRCcu8dUwcKntCE3Mgbv+E2L6KeVLIwJzdTkgx3iS3uPCKXrsDK5zq14EDxPB1 M8vjJ3CxbhBzYQT5Abt/OyPb+xc5whLFgsyMM=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <291EDFCB1E9E224A99088639C47620224190B6E74B@xxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-api-request@lists.xensource.com?subject=help>
List-id: Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>
List-post: <mailto:xen-api@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=unsubscribe>
References: <0a45055b867ad44d3e3f.1257526087@localhost> <20fe3cf60911091038t3b6802a0re7fd25185401f8e6@xxxxxxxxxxxxxx> <291EDFCB1E9E224A99088639C47620224190B6E74A@xxxxxxxxxxxxxxxxxxxxxxxxx> <20fe3cf60911091301t48781eg2523c60a9ab41716@xxxxxxxxxxxxxx> <291EDFCB1E9E224A99088639C47620224190B6E74B@xxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-api-bounces@xxxxxxxxxxxxxxxxxxx 
Our orchestration system is using an non-root unix user to connect via
XenAPI (I have restrictions of my security team to use the root user
to connect to hosts). We are using the XenServer 5.0 and it not was
updated to 5.5 because the 5.5 not accepts  authenticate a non-root
user via API. I tried to connect to XCP using a non-root user  via
Python API and it is returning this exception:

Traceback (most recent call last):
  File "checkstatus.py", line 9, in <module>
    conn = session.xenapi.login_with_password(username, password)
  File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 209,
in __call__
    return self.__send(self.__name, args)
  File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 129,
in xenapi_request
    self._login(methodname, params)
  File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 150, in _login
    result = _parse_result(getattr(self, 'session.%s' % method)(*params))
  File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 184,
in _parse_result
    raise Failure(result['ErrorDescription'])
XenAPI.Failure: SESSION_AUTHENTICATION_FAILED


Has some package for update to obtain the authentication via API with
non-root user?


Cheers,


On Tue, Nov 10, 2009 at 9:10 AM, Marcus Granado
<Marcus.Granado@xxxxxxxxxxxxx> wrote:
> Yes
>
>> -----Original Message-----
>> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
>> Sent: 09 November 2009 21:01
>> To: Marcus Granado
>> Cc: xen-api
>> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-
>> local-login-with-password
>>
>> Hi Marcus,
>>
>> It means be possible to connect as an normal unix user using the XEn
>> API client, right?
>>
>>
>> Cheers,
>> On Mon, Nov 9, 2009 at 5:33 PM, Marcus Granado
>> <Marcus.Granado@xxxxxxxxxxxxx> wrote:
>> > Hi Marco,
>> >
>> > The api call for normal login is 'login_with_password', which is
>> accessible to any user with a valid user/password.
>> > 'slave_local_login_with_password' is an internal call that currently
>> is meant to be accessible only to root.
>> >
>> > Hope this helps,
>> >
>> >> -----Original Message-----
>> >> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
>> >> Sent: 09 November 2009 18:38
>> >> To: Marcus Granado
>> >> Cc: xen-api
>> >> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-
>> >> local-login-with-password
>> >>
>> >> Hi Marcus,
>> >>
>> >> Let me undesrtand this patch and please, correct me if I'm wrong:
>> >> Only the PAM user 'root' can to connect using the API and if I have
>> >> another normal user I can't to connect, this is right?
>> >>
>> >>
>> >>
>> >> Thanks,
>> >>
>> >>
>> >>
>> >> On Fri, Nov 6, 2009 at 2:48 PM, Marcus Granado
>> >> <marcus.granado@xxxxxxxxxx> wrote:
>> >> > 2 files changed, 7 insertions(+), 1 deletion(-)
>> >> > ocaml/idl/datamodel.ml     |    2 +-
>> >> > ocaml/xapi/xapi_session.ml |    6 ++++++
>> >> >
>> >> >
>> >> > # HG changeset patch
>> >> > # User Marcus Granado <marcus.granado@xxxxxxxxxx>
>> >> > # Date 1257526015 0
>> >> > # Node ID 0a45055b867ad44d3e3f7c26e29ffe9dc1ee3c9f
>> >> > # Parent  719d8f6c6d8cfe94cf612ddf26cc11af24fd99d5
>> >> > CA-34203: only root can call slave-local-login-with-password
>> >> >
>> >> > Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>
>> >> >
>> >> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/idl/datamodel.ml
>> >> > --- a/ocaml/idl/datamodel.ml    Fri Nov 06 16:12:03 2009 +0000
>> >> > +++ b/ocaml/idl/datamodel.ml    Fri Nov 06 16:46:55 2009 +0000
>> >> > @@ -960,7 +960,7 @@
>> >> >          ]
>> >> >   ~in_oss_since:None
>> >> >   ~secret:true
>> >> > -  ~allowed_roles:_R_POOL_ADMIN (*only root can do an emergency
>> slave
>> >> login*)
>> >> > +  ~allowed_roles:_R_LOCAL_ROOT_ONLY (*only root can do an
>> emergency
>> >> slave login*)
>> >> >   ()
>> >> >
>> >> >  let local_logout = call ~flags:[`Session]
>> >> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/xapi/xapi_session.ml
>> >> > --- a/ocaml/xapi/xapi_session.ml        Fri Nov 06 16:12:03 2009
>> >> +0000
>> >> > +++ b/ocaml/xapi/xapi_session.ml        Fri Nov 06 16:46:55 2009
>> >> +0000
>> >> > @@ -323,6 +323,12 @@
>> >> >  let slave_local_login_with_password ~__context ~uname ~pwd =
>> >> wipe_params_after_fn [pwd] (fun () ->
>> >> >   if not (Context.preauth ~__context)
>> >> >   then
>> >> > +    if uname <> local_superuser
>> >> > +    then (* CA-34203: never authenticate external users as
>> >> local_login *)
>> >> > +      raise (Api_errors.Server_error
>> >> > +        (Api_errors.rbac_permission_denied,
>> >> > +        [local_superuser; "No permission in local login"]))
>> >> > +    else
>> >> >     (try
>> >> >        (* CP696 - only tries to authenticate against LOCAL
>> superuser
>> >> account *)
>> >> >        do_local_auth uname pwd;
>> >> >
>> >> > _______________________________________________
>> >> > xen-api mailing list
>> >> > xen-api@xxxxxxxxxxxxxxxxxxx
>> >> > http://lists.xensource.com/mailman/listinfo/xen-api
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Marco Sinhoreli
>> >
>>
>>
>>
>> --
>> Marco Sinhoreli
>



-- 
Marco Sinhoreli

_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-API] [PATCH] CA-34034: add default_args to audit params, Marcus Granado
Next by Date:  [Xen-API] [RFC] host memory ballooning daemon, Dave Scott
Previous by Thread:  RE: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password, Marcus Granado
Next by Thread:  RE: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password, Marcus Granado
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy