
Re: [Xen-API] User Based Access Control


  • To: <xen-api@xxxxxxxxxxxxx>
  • From: Marcus Granado <marcus.granado@xxxxxxxxxx>
  • Date: Wed, 25 Feb 2015 15:25:15 +0000
  • Delivery-date: Wed, 25 Feb 2015 15:25:28 +0000
  • List-id: User and development list for XCP and XAPI <xen-api.lists.xen.org>

I like the idea of implementing this access control mechanism as close as possible to the objects being accessed, i.e. in XAPI.

There's a proposal for creating a restricting scope mechanism in XAPI similar to what Shiva described, on top of (and compatible with) the existing RBAC mechanism:
http://lists.xen.org/archives/html/xen-api/2010-05/msg00093.html


On 25/02/15 14:16, Thomas Sanders wrote:
Cloudstack/Cloudplatform does something like this.
XenServer itself doesn't have the necessary information in the datamodel: a VM doesn't have an "owner". Therefore XenServer's existing RBAC feature can't do what you want at present.

It might be less work to add the feature to XenServer than to implement it by 
writing new gateway software that mediates between the users and XenServer... 
but it sounds as if Olivier is adding it to his existing gateway/mediator 
software Xen-Orchestra.


-----Original Message-----
From: xen-api-bounces@xxxxxxxxxxxxx [mailto:xen-api-bounces@xxxxxxxxxxxxx]
On Behalf Of Olivier Lambert
Sent: 25 February 2015 12:12 PM
To: Shiva Bhanujan
Cc: xen-api@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-API] User Based Access Control

Hi,

https://xen-orchestra.com/blog/xo-4-x-starts-to-show-up/

It actually works and we are in closed Beta so far. I will create a
small video to show you how it works.

Should be out to the end of the month.

Regards,


Olivier.

On Wed, Feb 18, 2015 at 7:55 PM, Shiva Bhanujan <sxb075@xxxxxxxxx> wrote:
Hello,

I'm trying to figure out if we can have a mechanism such that when user A
creates a VM, or a network or any object from dom0, another user B would not
have any access to objects created by user A.  Is there such a mechanism
available?

I've looked at the RBAC mechanism in PAM, and Xen Orchestra, but I doubt if
they address this need.  Is anybody aware of anything that might satisfy
this need?

Regards,
Shiva


_______________________________________________
Xen-api mailing list
Xen-api@xxxxxxxxxxxxx
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
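
Added example (not part of the thread, and not XAPI or Xen Orchestra code): a small model of the point made above, that a role-only check cannot separate user A from user B, and of an owner scope layered on top of RBAC that can only narrow access. The role names, call names and the `owner` field are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical role -> permitted calls table (illustrative names, not XAPI's).
ROLE_PERMS = {
    "vm-admin": {"vm.create", "vm.start", "vm.destroy"},
    "read-only": set(),
}

@dataclass(frozen=True)
class User:
    name: str
    role: str

@dataclass
class VM:
    label: str
    owner: Optional[str] = None  # assumed field: the datamodel has no "owner"

def rbac_allows(user: User, call: str) -> bool:
    """Role-only decision: the object being accessed is never consulted."""
    return call in ROLE_PERMS.get(user.role, set())

def scoped_allows(user: User, call: str, vm: VM) -> bool:
    """Owner scope on top of RBAC: it can remove access, never grant it."""
    if not rbac_allows(user, call):
        return False
    # Fail closed: an object with no recorded owner is in nobody's scope.
    return vm.owner is not None and vm.owner == user.name

def create_vm(user: User, label: str) -> VM:
    """Record the creator at creation time so later checks can compare."""
    if not rbac_allows(user, "vm.create"):
        raise PermissionError(f"{user.name} may not create VMs")
    return VM(label=label, owner=user.name)

if __name__ == "__main__":
    a, b = User("userA", "vm-admin"), User("userB", "vm-admin")
    vm = create_vm(a, "web01")
    print("RBAC only, B destroys A's VM:", rbac_allows(b, "vm.destroy"))
    print("With owner scope:            ", scoped_allows(b, "vm.destroy", vm))
```

Objects that predate the owner field are denied to everyone in this model, so a real deployment would need a migration step or an administrator role that bypasses the scope check.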
