
Re: [Xen-users] Access Control solution for Xen?


  • To: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>
  • From: Ozan Safi <ozansafi@xxxxxxxxx>
  • Date: Wed, 8 Dec 2010 15:49:39 +0100
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Wed, 08 Dec 2010 06:51:33 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

On Wed, Dec 8, 2010 at 2:29 PM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:

On 08/12/10 13:21, Ozan Safi wrote:
Hi,
I am looking for an open-source management solution that has support for access control. For some reason I wasn't able to access the control panel demo site but I went through dtc-xen's presentation and have not seen anything related to access control. Could you point me to a link where this is explained?
Please explain what you mean by "access control". To me, this means that you only want certain users to be able to control certain DomUs (i.e. a hosting solution). dtc-xen indeed does have access control on a per-customer basis. Just because something is tailored towards a hosting company doesn't mean that it *has* to be used for hosting. (Replace the word "customer" with "staff member")

> I am afraid I am looking for something much finer-grained than that. For the same domU, I need different users in different roles to be allowed to do different things to it. I also want to set constraints on them to further restrict what can be done with a specific action. (e.g. role A can do migration, but for role A the action migrate is only allowed to hosts x, y, and z) I have more demands from the access control solution, but we can start from here.
I also don't expect any solution to have all of this, but if there is something to start with, I might consider extending that.

Until now, I've only seen mention of such a feature on Eucalyptus Enterprise Edition.
from http://www.eucalyptus.com/products/eee: "Sophisticated user, group, and role management allows precise control of resources within a private cloud"
Indeed Eucalyptus supports this, but is very difficult to get going.

> AFAICT, only the Enterprise Edition supports this, which is neither free nor open-source and I couldn't test it because they didn't hold on to their promise of "we will contact you in 24 hours".

If it is not available in any free and open-source software, I am planning to implement it myself. Either by extending one of the management solutions or modifying the Xen code itself.
You shouldn't (but legally can) modify the Xen code to support this. Xen is a Type 1 Hypervisor, which is out of scope for access control. Indeed, maybe modifying the xm scripts to do this may be an option, but again you run the risk of breaking something. This is why all solutions out there haven't actually modified xm scripts, but have made an "over the top" layer for control, with the assumption that direct SSH access to the Dom0 isn't available from the outside (which it shouldn't be!)
 
> Why would it be "out of scope for access control"? You can implement access control in any layer. Access control is best done where the actual action takes place. Otherwise there are plenty of opportunities to get around it. If neither Xend nor Xen-API is restricted on the actual hypervisor, a bug in the management platform would allow you to do whatever you want with it. I also don't believe Xen is a Type-1 hypervisor, but that is irrelevant right now. 
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
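The per-role, per-domU, per-action model with argument constraints that the thread asks for (role A may migrate, but only to hosts x, y and z), as an added illustration that is not code from any Xen tool or from the posters. The roles, domU names and host names are constructed, and the `enforce` wrapper shows the thread's point that the check belongs in front of the code that actually performs the action, with anything not explicitly granted denied.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A constraint inspects the action's arguments and says whether they are acceptable.
Constraint = Callable[[dict], bool]


@dataclass
class Permission:
    action: str
    constraints: List[Constraint] = field(default_factory=list)


@dataclass
class Policy:
    # role -> domU name -> list of granted (action, constraints) entries
    grants: Dict[str, Dict[str, List[Permission]]]

    def allows(self, role: str, domu: str, action: str, **args) -> bool:
        """Default deny: only an explicit grant whose constraints all hold allows the action."""
        for perm in self.grants.get(role, {}).get(domu, []):
            if perm.action != action:
                continue
            if all(check(args) for check in perm.constraints):
                return True
        return False


def target_in(hosts) -> Constraint:
    """Constraint: the action's 'target' argument must be one of the listed hosts."""
    allowed = frozenset(hosts)
    return lambda args: args.get("target") in allowed


# Constructed policy (hypothetical roles, domU and hosts, not from the thread's systems):
# role A may migrate vm1 only to x, y, z and may shut it down; role B may only pause/unpause it.
POLICY = Policy(grants={
    "A": {"vm1": [Permission("migrate", [target_in({"x", "y", "z"})]),
                  Permission("shutdown")]},
    "B": {"vm1": [Permission("pause"), Permission("unpause")]},
})


def check_policy(role: str, domu: str, action: str, **args) -> bool:
    return POLICY.allows(role, domu, action, **args)


def enforce(policy: Policy, role: str, domu: str, action: str, do_action, **args):
    """Wrap the function that really performs the operation so the check cannot be bypassed
    by a bug in a front-end: the decision is made at the layer where the action takes place."""
    if not policy.allows(role, domu, action, **args):
        raise PermissionError(f"role {role!r} may not {action} {domu} with {args}")
    return do_action(domu, **args)
```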
