WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-api

Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-wi

To: Marcus Granado <marcus.granado@xxxxxxxxxx>
Subject: Re: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
From: Marco Sinhoreli <msinhore@xxxxxxxxx>
Date: Mon, 9 Nov 2009 16:38:11 -0200
Cc: xen-api <xen-api@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Mon, 09 Nov 2009 10:38:13 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <0a45055b867ad44d3e3f.1257526087@localhost>
List-help: <mailto:xen-api-request@lists.xensource.com?subject=help>
List-id: Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>
List-post: <mailto:xen-api@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=unsubscribe>
References: <0a45055b867ad44d3e3f.1257526087@localhost>
Sender: xen-api-bounces@xxxxxxxxxxxxxxxxxxx
Hi Marcus,

Let me understand this patch and please, correct me if I'm wrong:
Only the PAM user 'root' can connect using the API and if I have
another normal user I can't connect, is this right?

Thanks,

On Fri, Nov 6, 2009 at 2:48 PM, Marcus Granado
<marcus.granado@xxxxxxxxxx> wrote:
> 2 files changed, 7 insertions(+), 1 deletion(-)
> ocaml/idl/datamodel.ml     |    2 +-
> ocaml/xapi/xapi_session.ml |    6 ++++++
>
>
> # HG changeset patch
> # User Marcus Granado <marcus.granado@xxxxxxxxxx>
> # Date 1257526015 0
> # Node ID 0a45055b867ad44d3e3f7c26e29ffe9dc1ee3c9f
> # Parent  719d8f6c6d8cfe94cf612ddf26cc11af24fd99d5
> CA-34203: only root can call slave-local-login-with-password
>
> Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>
>
> diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/idl/datamodel.ml
> --- a/ocaml/idl/datamodel.ml    Fri Nov 06 16:12:03 2009 +0000
> +++ b/ocaml/idl/datamodel.ml    Fri Nov 06 16:46:55 2009 +0000
> @@ -960,7 +960,7 @@
>          ]
>   ~in_oss_since:None
>   ~secret:true
> -  ~allowed_roles:_R_POOL_ADMIN (*only root can do an emergency slave login*)
> +  ~allowed_roles:_R_LOCAL_ROOT_ONLY (*only root can do an emergency slave 
> login*)
>   ()
>
>  let local_logout = call ~flags:[`Session]
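Review bot: the comment kept on the `+` line, `(*only root can do an emergency slave login*)`, is the same comment that sat next to `~allowed_roles:_R_POOL_ADMIN`, so it does not explain what this hunk actually changes: that pool admins were previously accepted for this call and CA-34203 narrows it to the local root account. Reword it to state that (for example `(* CA-34203: local root only, pool admins are not enough; enforced in xapi_session.ml *)`) so the datamodel role declaration and the runtime check in `slave_local_login_with_password` are visibly tied together and a future edit to one is less likely to drift from the other.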
> diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/xapi/xapi_session.ml
> --- a/ocaml/xapi/xapi_session.ml        Fri Nov 06 16:12:03 2009 +0000
> +++ b/ocaml/xapi/xapi_session.ml        Fri Nov 06 16:46:55 2009 +0000
> @@ -323,6 +323,12 @@
>  let slave_local_login_with_password ~__context ~uname ~pwd = 
> wipe_params_after_fn [pwd] (fun () ->
>   if not (Context.preauth ~__context)
>   then
> +    if uname <> local_superuser
> +    then (* CA-34203: never authenticate external users as local_login *)
> +      raise (Api_errors.Server_error
> +        (Api_errors.rbac_permission_denied,
> +        [local_superuser; "No permission in local login"]))
> +    else
>     (try
>        (* CP696 - only tries to authenticate against LOCAL superuser account 
> *)
>        do_local_auth uname pwd;
>
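Review bot: the new `if uname <> local_superuser` check sits entirely inside the `if not (Context.preauth ~__context)` branch, so this hunk does not show whether a pre-authenticated context can still reach `do_local_auth` with a non-root `uname`; please confirm that path is covered or say in the commit message why it need not be. Two smaller points: the inner `if ... then raise ... else (try ...` depends on OCaml's dangling-else association with the outer `if`, so wrapping it in `begin ... end` (or parentheses) would make the intended nesting obvious to the next reader; and `Api_errors.rbac_permission_denied` is raised with `[local_superuser; "No permission in local login"]`, so it is worth a comment saying what each element of that list is meant to carry, since passing the superuser name rather than the denied call as the first element is not self-explanatory. Rejecting non-root names before `do_local_auth` runs is the right order, since it fails closed without touching the password.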
-- 
Marco Sinhoreli

_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api