WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
RE: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-wit

To: 'Marco Sinhoreli' <msinhore@xxxxxxxxx>
Subject: RE: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
From: Marcus Granado <Marcus.Granado@xxxxxxxxxxxxx>
Date: Wed, 25 Nov 2009 19:03:54 +0000
Cc: xen-api <xen-api@xxxxxxxxxxxxxxxxxxx>
In XCP you can use the auth-type=PAM option when calling pool-enable-external-auth.

Cheers,

> -----Original Message-----
> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
> Sent: 13 November 2009 20:12
> To: Marcus Granado
> Cc: xen-api
> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-
> local-login-with-password
> 
> Our orchestration system is using a non-root unix user to connect via
> XenAPI (I have restrictions from my security team on using the root user
> to connect to hosts). We are using XenServer 5.0 and it was not
> updated to 5.5 because 5.5 does not accept authenticating a non-root
> user via the API. I tried to connect to XCP using a non-root user via
> the Python API and it is returning this exception:
> 
> Traceback (most recent call last):
>   File "checkstatus.py", line 9, in <module>
>     conn = session.xenapi.login_with_password(username, password)
>   File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 209,
> in __call__
>     return self.__send(self.__name, args)
>   File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 129,
> in xenapi_request
>     self._login(methodname, params)
>   File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 150,
> in _login
>     result = _parse_result(getattr(self, 'session.%s' %
> method)(*params))
>   File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 184,
> in _parse_result
>     raise Failure(result['ErrorDescription'])
> XenAPI.Failure: SESSION_AUTHENTICATION_FAILED
> 
> 
> Is there some package or update to get authentication via the API with a
> non-root user?
> 
> 
> Cheers,
> 
> 
> On Tue, Nov 10, 2009 at 9:10 AM, Marcus Granado
> <Marcus.Granado@xxxxxxxxxxxxx> wrote:
> > Yes
> >
> >> -----Original Message-----
> >> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
> >> Sent: 09 November 2009 21:01
> >> To: Marcus Granado
> >> Cc: xen-api
> >> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-
> >> local-login-with-password
> >>
> >> Hi Marcus,
> >>
> >> It means it's possible to connect as a normal unix user using the Xen
> >> API client, right?
> >>
> >>
> >> Cheers,
> >> On Mon, Nov 9, 2009 at 5:33 PM, Marcus Granado
> >> <Marcus.Granado@xxxxxxxxxxxxx> wrote:
> >> > Hi Marco,
> >> >
> >> > The API call for normal login is 'login_with_password', which is
> >> > accessible to any user with a valid user/password.
> >> > 'slave_local_login_with_password' is an internal call that currently
> >> > is meant to be accessible only to root.
> >> >
> >> > Hope this helps,
> >> >
> >> >> -----Original Message-----
> >> >> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
> >> >> Sent: 09 November 2009 18:38
> >> >> To: Marcus Granado
> >> >> Cc: xen-api
> >> >> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call
> >> >> slave-local-login-with-password
> >> >>
> >> >> Hi Marcus,
> >> >>
> >> >> Let me understand this patch and please, correct me if I'm wrong:
> >> >> Only the PAM user 'root' can connect using the API, and if I have
> >> >> another normal user I can't connect, is this right?
> >> >>
> >> >>
> >> >>
> >> >> Thanks,
> >> >>
> >> >>
> >> >>
> >> >> On Fri, Nov 6, 2009 at 2:48 PM, Marcus Granado
> >> >> <marcus.granado@xxxxxxxxxx> wrote:
> >> >> > 2 files changed, 7 insertions(+), 1 deletion(-)
> >> >> > ocaml/idl/datamodel.ml     |    2 +-
> >> >> > ocaml/xapi/xapi_session.ml |    6 ++++++
> >> >> >
> >> >> >
> >> >> > # HG changeset patch
> >> >> > # User Marcus Granado <marcus.granado@xxxxxxxxxx>
> >> >> > # Date 1257526015 0
> >> >> > # Node ID 0a45055b867ad44d3e3f7c26e29ffe9dc1ee3c9f
> >> >> > # Parent  719d8f6c6d8cfe94cf612ddf26cc11af24fd99d5
> >> >> > CA-34203: only root can call slave-local-login-with-password
> >> >> >
> >> >> > Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>
> >> >> >
> >> >> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/idl/datamodel.ml
> >> >> > --- a/ocaml/idl/datamodel.ml    Fri Nov 06 16:12:03 2009 +0000
> >> >> > +++ b/ocaml/idl/datamodel.ml    Fri Nov 06 16:46:55 2009 +0000
> >> >> > @@ -960,7 +960,7 @@
> >> >> >          ]
> >> >> >   ~in_oss_since:None
> >> >> >   ~secret:true
> >> >> > -  ~allowed_roles:_R_POOL_ADMIN (*only root can do an emergency
> >> slave
> >> >> login*)
> >> >> > +  ~allowed_roles:_R_LOCAL_ROOT_ONLY (*only root can do an
> >> emergency
> >> >> slave login*)
> >> >> >   ()
> >> >> >
> >> >> >  let local_logout = call ~flags:[`Session]
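Review bot: the `~allowed_roles` line is tightened from `_R_POOL_ADMIN` to `_R_LOCAL_ROOT_ONLY`, but its trailing comment is left word-for-word as before, so the datamodel no longer records why pool-admin was not enough. Suggest aligning it with the comment in the xapi_session.ml hunk, e.g. `(* CA-34203: only the local root account, never an external user, may do an emergency slave login *)`, since the point of the change is that an externally authenticated user must not pass this role check.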
> >> >> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/xapi/xapi_session.ml
> >> >> > --- a/ocaml/xapi/xapi_session.ml        Fri Nov 06 16:12:03
> 2009
> >> >> +0000
> >> >> > +++ b/ocaml/xapi/xapi_session.ml        Fri Nov 06 16:46:55
> 2009
> >> >> +0000
> >> >> > @@ -323,6 +323,12 @@
> >> >> >  let slave_local_login_with_password ~__context ~uname ~pwd =
> >> >> wipe_params_after_fn [pwd] (fun () ->
> >> >> >   if not (Context.preauth ~__context)
> >> >> >   then
> >> >> > +    if uname <> local_superuser
> >> >> > +    then (* CA-34203: never authenticate external users as
> >> >> local_login *)
> >> >> > +      raise (Api_errors.Server_error
> >> >> > +        (Api_errors.rbac_permission_denied,
> >> >> > +        [local_superuser; "No permission in local login"]))
> >> >> > +    else
> >> >> >     (try
> >> >> >        (* CP696 - only tries to authenticate against LOCAL
> >> superuser
> >> >> account *)
> >> >> >        do_local_auth uname pwd;
> >> >> >
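Review bot: the new `uname <> local_superuser` check runs before `do_local_auth`, which is the right order (a non-root name never touches the authentication backend), but it raises `rbac_permission_denied` while a wrong password for root still yields SESSION_AUTHENTICATION_FAILED, so the two failures are distinguishable by the caller; that is acceptable because `local_superuser` is a fixed, well-known name, but a short remark in the CA-34203 comment would spare the next reader the question. Also, the check sits under `if not (Context.preauth ~__context)`, so a pre-authenticated context bypasses it entirely; please confirm that no pre-authenticated path can reach this function with a non-root `uname`.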
> >> >> --
> >> >> Marco Sinhoreli
> >> >
> >> --
> >> Marco Sinhoreli
> >
> --
> Marco Sinhoreli
_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api
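The distinction Marcus draws between the two login calls, modelled as an added Python toy rather than xapi's own OCaml code or anything from this thread: `login_with_password` accepts any valid user/password pair, while `slave_local_login_with_password` after CA-34203 refuses any name other than the local superuser before authentication is even attempted. The account table, the `_check_password` stand-in for `do_local_auth`, the `Failure` class shape and the `error_code` helper are assumptions of this example; the error codes follow the thread (SESSION_AUTHENTICATION_FAILED from the traceback, `rbac_permission_denied` from the patch).

```python
import hmac

LOCAL_SUPERUSER = "root"

# Constructed sample account table standing in for the PAM lookups that
# xapi performs; plain-text passwords only because this is an offline toy.
_ACCOUNTS = {
    "root": "r00t-secret",          # the local superuser account
    "orchestrator": "orch-secret",  # an external, non-root user
}


class Failure(Exception):
    """Shaped like XenAPI.Failure: carries the ErrorDescription list."""

    def __init__(self, details):
        super().__init__(details[0])
        self.details = details


def _check_password(uname, pwd):
    """Hypothetical stand-in for do_local_auth / PAM; constant-time compare."""
    expected = _ACCOUNTS.get(uname, "")
    return uname in _ACCOUNTS and hmac.compare_digest(expected, pwd)


def login_with_password(uname, pwd):
    """Normal login: open to any account with a valid user/password pair."""
    if not _check_password(uname, pwd):
        raise Failure(["SESSION_AUTHENTICATION_FAILED"])
    return {"user": uname, "local_login": False}


def slave_local_login_with_password(uname, pwd):
    """Emergency slave login after CA-34203: a non-root name is refused
    before any authentication is attempted, so external users never reach
    the local superuser check (mirrors the order of the patched OCaml)."""
    if uname != LOCAL_SUPERUSER:
        raise Failure(["RBAC_PERMISSION_DENIED", LOCAL_SUPERUSER,
                       "No permission in local login"])
    if not _check_password(uname, pwd):
        raise Failure(["SESSION_AUTHENTICATION_FAILED"])
    return {"user": uname, "local_login": True}


def error_code(login_fn, uname, pwd):
    """Return the error code a login attempt produces, or None on success."""
    try:
        login_fn(uname, pwd)
    except Failure as exc:
        return exc.details[0]
    return None
```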