
[Xen-API] [PATCH] CA-34203: revert only root can call slave-local-login-

To: xen-api <xen-api@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-API] [PATCH] CA-34203: revert only root can call slave-local-login-with-password
From: Marcus Granado <marcus.granado@xxxxxxxxxx>
Date: Wed, 2 Dec 2009 17:28:13 +0000
Delivery-date: Wed, 02 Dec 2009 09:28:53 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-api-request@lists.xensource.com?subject=help>
List-id: Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>
List-post: <mailto:xen-api@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-api-bounces@xxxxxxxxxxxxxxxxxxx
2 files changed, 1 insertion(+), 7 deletions(-)
ocaml/idl/datamodel.ml     |    2 +-
ocaml/xapi/xapi_session.ml |    6 ------


# HG changeset patch
# User Marcus Granado <marcus.granado@xxxxxxxxxx>
# Date 1259774775 0
# Node ID 938c7defdf34865e1b6885268f63ba12a8f471b1
# Parent  27bf2365d9e208039b1f663f82a4cc46b89305a1
CA-34203: revert only root can call slave-local-login-with-password

Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>

The testcase was modified so that the patch is not needed anymore.

diff -r 27bf2365d9e2 -r 938c7defdf34 ocaml/idl/datamodel.ml
--- a/ocaml/idl/datamodel.ml    Wed Dec 02 13:21:43 2009 +0000
+++ b/ocaml/idl/datamodel.ml    Wed Dec 02 17:26:15 2009 +0000
@@ -962,7 +962,7 @@
          ]
   ~in_oss_since:None
   ~secret:true
-  ~allowed_roles:_R_LOCAL_ROOT_ONLY (*only root can do an emergency slave 
login*)
+  ~allowed_roles:_R_POOL_ADMIN (*only root can do an emergency slave login*)
   ()
 
 let local_logout = call ~flags:[`Session]
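Review bot: The comment on the changed line still reads `(*only root can do an emergency slave login*)` although the call is now gated by `_R_POOL_ADMIN`, so the datamodel documents a restriction it no longer enforces; it should state the actual policy, e.g. `(*pool-admin role required for an emergency slave login*)`. The same commit also deletes the `uname <> local_superuser` guard in ocaml/xapi/xapi_session.ml, so the surviving comment `CP696 - only tries to authenticate against LOCAL superuser account` now depends entirely on how `do_local_auth` treats a caller-supplied `uname`, which is not visible here. If `do_local_auth` accepts any local account, this path would presumably hand out local sessions to non-root users, so that behaviour should be confirmed and either the comment corrected or the restriction kept in one explicit place. The commit message justifies the revert by a test-case change only; the access-control reasoning would be worth recording there too. The enclosing `call` definition begins outside this hunk.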
diff -r 27bf2365d9e2 -r 938c7defdf34 ocaml/xapi/xapi_session.ml
--- a/ocaml/xapi/xapi_session.ml        Wed Dec 02 13:21:43 2009 +0000
+++ b/ocaml/xapi/xapi_session.ml        Wed Dec 02 17:26:15 2009 +0000
@@ -325,12 +325,6 @@
 let slave_local_login_with_password ~__context ~uname ~pwd = 
wipe_params_after_fn [pwd] (fun () ->
   if not (Context.preauth ~__context)
   then
-    if uname <> local_superuser
-    then (* CA-34203: never authenticate external users as local_login *)
-      raise (Api_errors.Server_error
-        (Api_errors.rbac_permission_denied,
-        [local_superuser; "No permission in local login"]))
-    else
     (try
        (* CP696 - only tries to authenticate against LOCAL superuser account *)
        do_local_auth uname pwd;

Attachment: xen-api.hg.patch
Description: Text Data
