In XCP you can use the auth-type=PAM option when calling
pool-enable-external-auth.
Cheers,
> -----Original Message-----
> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
> Sent: 13 November 2009 20:12
> To: Marcus Granado
> Cc: xen-api
> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
>
> Our orchestration system uses a non-root Unix user to connect via
> XenAPI (my security team does not allow me to use the root user to
> connect to hosts). We are using XenServer 5.0 and have not updated to
> 5.5 because 5.5 does not accept authenticating a non-root user via the
> API. I tried to connect to XCP using a non-root user via the Python API
> and it returns this exception:
>
> Traceback (most recent call last):
> File "checkstatus.py", line 9, in <module>
> conn = session.xenapi.login_with_password(username, password)
> File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 209,
> in __call__
> return self.__send(self.__name, args)
> File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 129,
> in xenapi_request
> self._login(methodname, params)
> File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 150,
> in _login
> result = _parse_result(getattr(self, 'session.%s' %
> method)(*params))
> File "/home/msinhore/Projects/XenServerPython/XenAPI.py", line 184,
> in _parse_result
> raise Failure(result['ErrorDescription'])
> XenAPI.Failure: SESSION_AUTHENTICATION_FAILED
>
>
> Is there a package I can update to in order to get authentication via
> the API with a non-root user?
>
>
> Cheers,
>
>
> On Tue, Nov 10, 2009 at 9:10 AM, Marcus Granado
> <Marcus.Granado@xxxxxxxxxxxxx> wrote:
> > Yes
> >
> >> -----Original Message-----
> >> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
> >> Sent: 09 November 2009 21:01
> >> To: Marcus Granado
> >> Cc: xen-api
> >> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
> >>
> >> Hi Marcus,
> >>
> >> It means it is possible to connect as a normal Unix user using the Xen
> >> API client, right?
> >>
> >>
> >> Cheers,
> >> On Mon, Nov 9, 2009 at 5:33 PM, Marcus Granado
> >> <Marcus.Granado@xxxxxxxxxxxxx> wrote:
> >> > Hi Marco,
> >> >
> >> > The API call for normal login is 'login_with_password', which is
> >> > accessible to any user with a valid user/password.
> >> > 'slave_local_login_with_password' is an internal call that is
> >> > currently meant to be accessible only to root.
> >> >
> >> > Hope this helps,
> >> >
> >> >> -----Original Message-----
> >> >> From: Marco Sinhoreli [mailto:msinhore@xxxxxxxxx]
> >> >> Sent: 09 November 2009 18:38
> >> >> To: Marcus Granado
> >> >> Cc: xen-api
> >> >> Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
> >> >>
> >> >> Hi Marcus,
> >> >>
> >> >> Let me understand this patch and please correct me if I'm wrong:
> >> >> only the PAM user 'root' can connect using the API, and if I have
> >> >> another normal user I can't connect, is that right?
> >> >>
> >> >>
> >> >>
> >> >> Thanks,
> >> >>
> >> >>
> >> >>
> >> >> On Fri, Nov 6, 2009 at 2:48 PM, Marcus Granado
> >> >> <marcus.granado@xxxxxxxxxx> wrote:
> >> >> > 2 files changed, 7 insertions(+), 1 deletion(-)
> >> >> > ocaml/idl/datamodel.ml | 2 +-
> >> >> > ocaml/xapi/xapi_session.ml | 6 ++++++
> >> >> >
> >> >> >
> >> >> > # HG changeset patch
> >> >> > # User Marcus Granado <marcus.granado@xxxxxxxxxx>
> >> >> > # Date 1257526015 0
> >> >> > # Node ID 0a45055b867ad44d3e3f7c26e29ffe9dc1ee3c9f
> >> >> > # Parent 719d8f6c6d8cfe94cf612ddf26cc11af24fd99d5
> >> >> > CA-34203: only root can call slave-local-login-with-password
> >> >> >
> >> >> > Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>
> >> >> >
> >> >> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/idl/datamodel.ml
> >> >> > --- a/ocaml/idl/datamodel.ml Fri Nov 06 16:12:03 2009 +0000
> >> >> > +++ b/ocaml/idl/datamodel.ml Fri Nov 06 16:46:55 2009 +0000
> >> >> > @@ -960,7 +960,7 @@
> >> >> > ]
> >> >> > ~in_oss_since:None
> >> >> > ~secret:true
> >> >> > - ~allowed_roles:_R_POOL_ADMIN (*only root can do an emergency
> >> slave
> >> >> login*)
> >> >> > + ~allowed_roles:_R_LOCAL_ROOT_ONLY (*only root can do an
> >> emergency
> >> >> slave login*)
> >> >> > ()
> >> >> >
> >> >> > let local_logout = call ~flags:[`Session]
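Review bot: the comment on the `~allowed_roles` line already read "only root can do an emergency slave login" while the role was `_R_POOL_ADMIN`, so before this hunk the declared RBAC role was wider than the stated intent (anyone holding the pool-admin role, not only the local root account, was declared allowed); the commit message should say that this closes a declared-versus-intended gap rather than introducing a new restriction. Since the call is also marked `~secret:true`, confirm that `_R_LOCAL_ROOT_ONLY` is a role the RBAC check path actually evaluates for this call, not just a label in the datamodel; otherwise the only effective gate is the explicit `uname <> local_superuser` test added in xapi_session.ml and this hunk is documentation only.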
> >> >> > diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/xapi/xapi_session.ml
> >> >> > --- a/ocaml/xapi/xapi_session.ml Fri Nov 06 16:12:03
> 2009
> >> >> +0000
> >> >> > +++ b/ocaml/xapi/xapi_session.ml Fri Nov 06 16:46:55
> 2009
> >> >> +0000
> >> >> > @@ -323,6 +323,12 @@
> >> >> > let slave_local_login_with_password ~__context ~uname ~pwd =
> >> >> wipe_params_after_fn [pwd] (fun () ->
> >> >> > if not (Context.preauth ~__context)
> >> >> > then
> >> >> > + if uname <> local_superuser
> >> >> > + then (* CA-34203: never authenticate external users as
> >> >> local_login *)
> >> >> > + raise (Api_errors.Server_error
> >> >> > + (Api_errors.rbac_permission_denied,
> >> >> > + [local_superuser; "No permission in local login"]))
> >> >> > + else
> >> >> > (try
> >> >> > (* CP696 - only tries to authenticate against LOCAL
> >> superuser
> >> >> account *)
> >> >> > do_local_auth uname pwd;
> >> >> >
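Review bot: the new `if uname <> local_superuser then raise ... else (try ...)` sits under `if not (Context.preauth ~__context) then` with no outer `else`, so the intended reading depends on OCaml binding the `else` to the inner `if`; that is what the indentation shows and it type-checks because `raise` is polymorphic, but parentheses around the inner `if ... then ... else ...` would make it unambiguous and robust to re-indentation. Second, `rbac_permission_denied` is raised with `local_superuser` as its first parameter and "No permission in local login" as the second; check what the first parameter of that error carries elsewhere in xapi, so that a client that formats the error does not print "root" as the denied permission. The gate itself is sound: an exact string compare fails closed, the non-root case is rejected before `do_local_auth` ever sees the password, and because the whole body is still wrapped in `wipe_params_after_fn [pwd]` the password is wiped on the early raise as well.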
> >> >> > _______________________________________________
> >> >> > xen-api mailing list
> >> >> > xen-api@xxxxxxxxxxxxxxxxxxx
> >> >> > http://lists.xensource.com/mailman/listinfo/xen-api
> >> >> >
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Marco Sinhoreli
> >> >
> >>
> >>
> >>
> >> --
> >> Marco Sinhoreli
> >
>
>
>
> --
> Marco Sinhoreli
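The thread distinguishes two session calls: session.login_with_password, which any user with a valid username and password can use once external authentication (for example auth-type=PAM) is enabled on the pool, and session.slave_local_login_with_password, which after CA-34203 refuses any username other than the local superuser before it even checks the password. The following is an added example, not code from the thread or from xapi/XenAPI.py: it shows how a client should tell a credential failure (SESSION_AUTHENTICATION_FAILED, the error in Marco's traceback) apart from an RBAC refusal of the call itself (RBAC_PERMISSION_DENIED, the error the patch raises). The XenAPI result shape (a dict with Status and either Value or ErrorDescription) is the one XenAPI.py's _parse_result consumes; the FakeXapi transport, its canned responses, the assumption that the local superuser is named root, and the session reference strings are all constructed for this example so that it runs offline.

```python
"""Added example: interpreting XenAPI login results on the client side.

Not from the xen-api thread or the xapi code base.  FakeXapi is a constructed
stand-in for an XML-RPC transport; its responses are made up to mirror the
behaviour described in the thread and are not captured from a real host.
"""

LOCAL_SUPERUSER = 'root'  # assumption: local_superuser in xapi is 'root'


class Failure(Exception):
    """Client-side stand-in for XenAPI.Failure; .details mirrors ErrorDescription."""

    def __init__(self, details):
        Exception.__init__(self, details)
        self.details = details


def parse_result(result):
    """Same contract as XenAPI.py's _parse_result: Status plus Value or ErrorDescription."""
    if not isinstance(result, dict) or 'Status' not in result:
        raise Failure(['MALFORMED_RESPONSE', repr(result)])
    if result['Status'] == 'Success':
        return result['Value']
    raise Failure(result['ErrorDescription'])


class FakeXapi:
    """Constructed transport: answers the two login calls the thread discusses."""

    def __init__(self, root_password, external_users):
        self.root_password = root_password
        # {username: password} for PAM-backed users; empty if external auth is off.
        self.external_users = external_users

    def call(self, method, uname, pwd):
        if method == 'session.login_with_password':
            ok = (uname == LOCAL_SUPERUSER and pwd == self.root_password) or \
                 self.external_users.get(uname) == pwd
            if ok:
                return {'Status': 'Success', 'Value': 'OpaqueRef:session-%s' % uname}
            return {'Status': 'Failure',
                    'ErrorDescription': ['SESSION_AUTHENTICATION_FAILED']}
        if method == 'session.slave_local_login_with_password':
            # CA-34203 behaviour: non-root is refused before any password check,
            # with the parameters the patch passes to rbac_permission_denied.
            if uname != LOCAL_SUPERUSER:
                return {'Status': 'Failure',
                        'ErrorDescription': ['RBAC_PERMISSION_DENIED', LOCAL_SUPERUSER,
                                             'No permission in local login']}
            if pwd == self.root_password:
                return {'Status': 'Success', 'Value': 'OpaqueRef:session-local-root'}
            return {'Status': 'Failure',
                    'ErrorDescription': ['SESSION_AUTHENTICATION_FAILED']}
        return {'Status': 'Failure', 'ErrorDescription': ['MESSAGE_METHOD_UNKNOWN', method]}


def login(transport, uname, pwd, local=False):
    """Return ('ok', session_ref) or ('auth_failed' | 'denied' | 'error', error_code).

    Orchestration code running as a non-root user should always use local=False:
    the slave-local call is root-only by design and will be denied, not authenticated.
    """
    method = 'session.slave_local_login_with_password' if local else 'session.login_with_password'
    try:
        return ('ok', parse_result(transport.call(method, uname, pwd)))
    except Failure as f:
        code = f.details[0]
        if code == 'SESSION_AUTHENTICATION_FAILED':
            # Wrong credentials, or the pool has no external auth enabled for this user.
            return ('auth_failed', code)
        if code == 'RBAC_PERMISSION_DENIED':
            # The call itself is not permitted for this user; retrying with another
            # password will not help.
            return ('denied', code)
        return ('error', code)


if __name__ == '__main__':
    xapi = FakeXapi('r00t', {'orchestrator': 'secret'})
    print(login(xapi, 'orchestrator', 'secret'))             # normal login works
    print(login(xapi, 'orchestrator', 'secret', local=True)) # root-only call is denied
    print(login(xapi, 'root', 'bad', local=True))            # root with wrong password
```

The useful distinction for Marco's case is the second return value: SESSION_AUTHENTICATION_FAILED on login_with_password means the host did not accept the credentials (on a pool without external authentication enabled, no non-root user can pass), while RBAC_PERMISSION_DENIED on the slave-local call means the user is the wrong principal for that call regardless of password.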