
Re: [Xen-users] Xen and Enomaly


  • To: Olivier LAMBERT <lambert.olivier@xxxxxxxxx>
  • From: Grant McWilliams <grantmasterflash@xxxxxxxxx>
  • Date: Fri, 11 Sep 2009 13:49:19 -0700
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx, Longina Przybyszewska <longina@xxxxxxxxxxxx>
  • Delivery-date: Fri, 11 Sep 2009 13:50:27 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>



So, no root or other stuff like that. In my case, I choose to make
things simple: just an htaccess (so far).

With the API, you've got access to the entire Xen daemon, but I think
it's not so hard to restrict a user to a VM (or more). It's "just" an
added layer, can be interfaced with ldap, mysql or pgsql database,
with adequate information on users.

For your "feature request", I think I'll do, but in a first time, my
goal is to admin Xen easily. But ASAP, I'll try to respond to your
request.
And as it's an open source project, everyone can contribute, so.. more
we are, more the project will be great :)

Regards,

So currently you're using .htaccess to limit who can connect and control the VMs, but if I understand you, there's no limit on what that person can do?
If Bob (we like calling him Bob) logs into Orchestra he can restart ALL VMs? I don't know if this helps me any since I could just grant people sudo access to the xm command.

If, however, you set it up so there's a database table that lists access rights, and when creating a VM you assign admins to it, this would be ideal. If Bob logs in, your code would look up the database record to see what Bob could do and restrict his actions to his own VM. Like you said, I don't think this would be difficult code, but for my project it's definitely needed. It's already very easy to start/stop domUs. I could set up a web page in about 30 seconds that does the same thing (locally) without even using the API. I realize this is not what you're doing and that the project will grow, but I'm hoping that this will be a feature you add fairly soon, or I can if I have time. If I don't have that then it's no more useful than what I have now. :-)

Grant McWilliams.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
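
The per-VM access table discussed in this message, sketched as an added example; it is not part of the original message and is not Orchestra code. The table layout, function names, users and VM names are assumptions, and `backend` is a hypothetical stand-in for whatever call reaches the Xen daemon.

```python
import sqlite3

# Assumed schema: one row per (user, VM, action) grant. No row means no access.
SCHEMA = """
CREATE TABLE vm_acl (
    username TEXT NOT NULL,
    vm_name  TEXT NOT NULL,
    action   TEXT NOT NULL CHECK (action IN ('start', 'shutdown', 'reboot', 'console')),
    PRIMARY KEY (username, vm_name, action)
);
"""
# Constructed sample grants, for illustration only.
SAMPLE_ROWS = [
    ("bob", "web01", "start"),
    ("bob", "web01", "reboot"),
    ("alice", "web01", "console"),
    ("alice", "db01", "start"),
    ("alice", "db01", "shutdown"),
]

class AccessDenied(Exception):
    """Raised when the ACL has no grant for the requested action."""

def open_acl_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO vm_acl VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db

def is_allowed(db, username, vm_name, action):
    # Default deny: only an exact matching row grants the action.
    row = db.execute(
        "SELECT 1 FROM vm_acl WHERE username = ? AND vm_name = ? AND action = ?",
        (username, vm_name, action),
    ).fetchone()
    return row is not None

def visible_vms(db, username):
    # The VM list is filtered too, so users never see VMs they cannot act on.
    rows = db.execute(
        "SELECT DISTINCT vm_name FROM vm_acl WHERE username = ? ORDER BY vm_name",
        (username,),
    )
    return [r[0] for r in rows]

def vm_action(db, backend, username, vm_name, action):
    # username must be the identity the web server authenticated
    # (e.g. REMOTE_USER from the htaccess login), never a request parameter.
    if not is_allowed(db, username, vm_name, action):
        raise AccessDenied(f"{username} may not {action} {vm_name}")
    return backend(vm_name, action)
```

The check sits in front of the privileged call, so a denied request never reaches the daemon at all.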

 

