WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-api

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-API] [PATCH] CA-34203: revert only root can call slave-local-login-

from [Marcus Granado] [Permanent Link][Original]
To: xen-api <xen-api@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-API] [PATCH] CA-34203: revert only root can call slave-local-login-with-password
From: Marcus Granado <marcus.granado@xxxxxxxxxx>
Date: Wed, 2 Dec 2009 17:28:13 +0000
Delivery-date: Wed, 02 Dec 2009 09:28:53 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-api-request@lists.xensource.com?subject=help>
List-id: Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>
List-post: <mailto:xen-api@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-api-bounces@xxxxxxxxxxxxxxxxxxx 
2 files changed, 1 insertion(+), 7 deletions(-)
ocaml/idl/datamodel.ml     |    2 +-
ocaml/xapi/xapi_session.ml |    6 ------


# HG changeset patch
# User Marcus Granado <marcus.granado@xxxxxxxxxx>
# Date 1259774775 0
# Node ID 938c7defdf34865e1b6885268f63ba12a8f471b1
# Parent  27bf2365d9e208039b1f663f82a4cc46b89305a1
CA-34203: revert only root can call slave-local-login-with-password

Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>

The testcase was modified so that the patch is not needed anymore.

diff -r 27bf2365d9e2 -r 938c7defdf34 ocaml/idl/datamodel.ml
--- a/ocaml/idl/datamodel.ml    Wed Dec 02 13:21:43 2009 +0000
+++ b/ocaml/idl/datamodel.ml    Wed Dec 02 17:26:15 2009 +0000
@@ -962,7 +962,7 @@
          ]
   ~in_oss_since:None
   ~secret:true
-  ~allowed_roles:_R_LOCAL_ROOT_ONLY (*only root can do an emergency slave 
login*)
+  ~allowed_roles:_R_POOL_ADMIN (*only root can do an emergency slave login*)
   ()
 
 let local_logout = call ~flags:[`Session]
diff -r 27bf2365d9e2 -r 938c7defdf34 ocaml/xapi/xapi_session.ml
--- a/ocaml/xapi/xapi_session.ml        Wed Dec 02 13:21:43 2009 +0000
+++ b/ocaml/xapi/xapi_session.ml        Wed Dec 02 17:26:15 2009 +0000
@@ -325,12 +325,6 @@
 let slave_local_login_with_password ~__context ~uname ~pwd = 
wipe_params_after_fn [pwd] (fun () ->
   if not (Context.preauth ~__context)
   then
-    if uname <> local_superuser
-    then (* CA-34203: never authenticate external users as local_login *)
-      raise (Api_errors.Server_error
-        (Api_errors.rbac_permission_denied,
-        [local_superuser; "No permission in local login"]))
-    else
     (try
        (* CP696 - only tries to authenticate against LOCAL superuser account *)
        do_local_auth uname pwd;

Attachment: xen-api.hg.patch
Description: Text Data

_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-API] [PATCH] CA-34203: revert only root can call slave-local-login-with-password, Marcus Granado <=
Previous by Date:  RE: [Xen-API] [PATCH] CA-35368: use unambiguous key-tag in permission, Dave Scott
Next by Date:  RE: [Xen-API] [PATCH] CA-35368: use unambiguous key-tag in permission, Marcus Granado
Previous by Thread:  [Xen-API] [PATCH] [ocamldoc] Docs for remaining xapi licensing modules, Rob Hoes
Next by Thread:  [Xen-API] [PATCH] CA-33235: add some debug msgs for timed-out sessions, Marcus Granado
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy