Mailing List Archive

Access rights to domU
Hi all :)


After reading through the archives, I fear there is no
answer to my question (yet), but here goes, anyway :)

Is there a way to limit the access of a user and thus his
sessions to a single or a set of domUs? This user would
ideally be able to start, stop, reboot and get a console,
nothing else.


Best regards,
Richard
Re: Access rights to domU
Hi Richard

I'm afraid not. At the moment we just have users who can do everything.

Sorry

Tom

On 5 Jul 2007, at 14:37, Richard Hartmann wrote:

> Hi all :)
>
>
> After reading through the archives, I fear there is no
> answer to my question (yet), but here goes, anyway :)
>
> Is there a way to limit the access of a user and thus his
> sessions to a single or a set of domUs? This user would
> ideally be able to start, stop, reboot and get a console,
> nothing else.
>
>
> Best regards,
> Richard
> _______________________________________________
> xen-api mailing list
> xen-api@lists.xensource.com
> http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-api


Re: Access rights to domU
Hi Tom,

is there any ETA on resolving this?
Also, is there a replacement for PAM planned? As that other guy
on the list pointed out, the login module is not only not useful, it is
actually harmful (unless you could give them /bin/false as shell, but
in this case, the PAM module will deny the request. Thus, back to
square one).


Richard :)
Re: Access rights to domU
No, not really. When we asked for comments nobody said they'd like
this feature, so we didn't plan for it. If you want to propose some
changes (and dare I say do an implementation?) then I'm sure it would
be welcome.

As far as I'm aware, PAM is pluggable, so you could quite easily swap
out the login module for a db module, say. This should get around
your concerns.

Tom

On 5 Jul 2007, at 14:54, Richard Hartmann wrote:

> Hi Tom,
>
> is there any ETA on resolving this?
> Also, is there a replacement for PAM planned? As that other guy
> on the list pointed out, the login module is not only not useful, it is
> actually harmful (unless you could give them /bin/false as shell, but
> in this case, the PAM module will deny the request. Thus, back to
> square one).
>
>
> Richard :)


Re: Access rights to domU
On Thu, Jul 05, 2007 at 03:33:29PM +0100, Tom Wilkie wrote:

> No, not really. When we asked for comments nobody said they'd like
> this feature, so we didn't plan for it. If you want to propose some
> changes (and dare I say do an implementation?) then I'm sure it would
> be welcome.

Hmm, I'm not sure where the disconnect happened here. We (Sun) are extremely
interested in fine-grained access control, delegation etc. and hope to be
looking at this in the near future...

> As far as I'm aware, PAM is pluggable, so you could quite easily swap
> out the login module for a db module, say. This should get around
> your concerns.

As well as getting this situation resolved hopefully.

regards
john
