Mailing List Archive

Hi,

https://xen-orchestra.com/blog/xo-4-x-starts-to-show-up/

It actually works and we are in closed Beta so far. I will create a
small video to show you how it works.

Should be out to the end of the month.

Regards,


Olivier.

On Wed, Feb 18, 2015 at 7:55 PM, Shiva Bhanujan <sxb075@gmail.com> wrote:
> Hello,
>
> I'm trying to figure out if we can have a mechanism such that when user A
> creates a VM, or a network or any object from dom0, another user B would not
> have any access to objects created by user A. Is there such a mechanism
> available?
>
> I've looked at the RBAC mechanism in PAM, and Xen Orchestra, but I doubt if
> they address this need. Is anybody aware of anything that might satisfy
> this need?
>
> Regards,
> Shiva
>
>
> _______________________________________________
> Xen-api mailing list
> Xen-api@lists.xen.org
> http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
>

_______________________________________________
Xen-api mailing list
Xen-api@lists.xen.org
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api

Cloudstack/Cloudplatform does something like this.

XenServer itself doesn't have the necessary information in the datamodel: a VM doesn't have an "owner". Therefore XenServer's existing RBAC feature can't do what you want at present.

It might be less work to add the feature to XenServer than to implement it by writing new gateway software that mediates between the users and XenServer... but it sounds as if Olivier is adding it to his existing gateway/mediator software Xen-Orchestra.


> -----Original Message-----
> From: xen-api-bounces@lists.xen.org [mailto:xen-api-bounces@lists.xen.org]
> On Behalf Of Olivier Lambert
> Sent: 25 February 2015 12:12 PM
> To: Shiva Bhanujan
> Cc: xen-api@lists.xenproject.org
> Subject: Re: [Xen-API] User Based Access Control
>
> Hi,
>
> https://xen-orchestra.com/blog/xo-4-x-starts-to-show-up/
>
> It actually works and we are in closed Beta so far. I will create a
> small video to show you how it works.
>
> Should be out to the end of the month.
>
> Regards,
>
>
> Olivier.
>
> On Wed, Feb 18, 2015 at 7:55 PM, Shiva Bhanujan <sxb075@gmail.com> wrote:
> > Hello,
> >
> > I'm trying to figure out if we can have a mechanism such that when user A
> > creates a VM, or a network or any object from dom0, another user B would
> not
> > have any access to objects created by user A. Is there such a mechanism
> > available?
> >
> > I've looked at the RBAC mechanism in PAM, and Xen Orchestra, but I doubt
> if
> > they address this need. Is anybody aware of anything that might satisfy
> > this need?
> >
> > Regards,
> > Shiva
> >
> >
> > _______________________________________________
> > Xen-api mailing list
> > Xen-api@lists.xen.org
> > http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
> >
>
> _______________________________________________
> Xen-api mailing list
> Xen-api@lists.xen.org
> http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api

_______________________________________________
Xen-api mailing list
Xen-api@lists.xen.org
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api

I like the idea of implementing this access control mechanism as close
as possible to the objects being accessed, ie in XAPI.

There's a proposal for creating a restricting scope mechanism in XAPI
similar to what Shiva described, on top of (and compatible with) the
existing RBAC mechanism:
http://lists.xen.org/archives/html/xen-api/2010-05/msg00093.html


On 25/02/15 14:16, Thomas Sanders wrote:
> Cloudstack/Cloudplatform does something like this.
>
> XenServer itself doesn't have the necessary information in the datamodel: a VM doesn't have an "owner". Therefore XenServer's existing RBAC feature can't do what you want at present.
>
> It might be less work to add the feature to XenServer than to implement it by writing new gateway software that mediates between the users and XenServer... but it sounds as if Olivier is adding it to his existing gateway/mediator software Xen-Orchestra.
>
>
>> -----Original Message-----
>> From: xen-api-bounces@lists.xen.org [mailto:xen-api-bounces@lists.xen.org]
>> On Behalf Of Olivier Lambert
>> Sent: 25 February 2015 12:12 PM
>> To: Shiva Bhanujan
>> Cc: xen-api@lists.xenproject.org
>> Subject: Re: [Xen-API] User Based Access Control
>>
>> Hi,
>>
>> https://xen-orchestra.com/blog/xo-4-x-starts-to-show-up/
>>
>> It actually works and we are in closed Beta so far. I will create a
>> small video to show you how it works.
>>
>> Should be out to the end of the month.
>>
>> Regards,
>>
>>
>> Olivier.
>>
>> On Wed, Feb 18, 2015 at 7:55 PM, Shiva Bhanujan <sxb075@gmail.com> wrote:
>>> Hello,
>>>
>>> I'm trying to figure out if we can have a mechanism such that when user A
>>> creates a VM, or a network or any object from dom0, another user B would
>> not
>>> have any access to objects created by user A. Is there such a mechanism
>>> available?
>>>
>>> I've looked at the RBAC mechanism in PAM, and Xen Orchestra, but I doubt
>> if
>>> they address this need. Is anybody aware of anything that might satisfy
>>> this need?
>>>
>>> Regards,
>>> Shiva
>>>
>>>
>>> _______________________________________________
>>> Xen-api mailing list
>>> Xen-api@lists.xen.org
>>> http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
>>>
>> _______________________________________________
>> Xen-api mailing list
>> Xen-api@lists.xen.org
>> http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
> _______________________________________________
> Xen-api mailing list
> Xen-api@lists.xen.org
> http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api


_______________________________________________
Xen-api mailing list
Xen-api@lists.xen.org
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api

RBAC on XAPI is cool but it's doesn't work between pools (by
definition, scoped by XAPI itself).

That's why indeed there is multiples solutions as explained in the
previous messages, each depending of what you need:
- RBAC in XAPI for people wanting ACLs but in one pool only (if the VM
is migrated on another pool you need to duplicate ACLs on this pool
too. Not very convenient!)
- ACLs in multiples pools but without having to install agents on each
hosts and without advanced features (like billing for CPU usage, etc):
Xen Orchestra
- "Advanced" ACLs for bigger infrastructure and/or advanced cases: CloudStack

There is no silver bullet for any situations.

But as far I can tell, on my side I met a LOT of people asking for
ACLs in Xen Orchestra (hey! that's the main reason we are implementing
it after all!). Our "usual" user asks for keeping the simplicity of XO
(nothing to install on hosts, just a XAPI compatible software) with
the possibility to "delegate" objects in few clicks. For sure, we'll
do our best to deliver soon, and connecting this stuff to a AD/Open
LDAP is also a priority.

And yes, exactly Thomas: XO act like a kind of "proxy" (exactly, it's
the "xo-server" module) and that's exactly where ACLs are. You get a
better picture with this:
https://raw.githubusercontent.com/vatesfr/xo/master/doc/architecture/assets/xo-arch.jpg

On Wed, Feb 25, 2015 at 4:25 PM, Marcus Granado
<marcus.granado@citrix.com> wrote:
> I like the idea of implementing this access control mechanism as close as
> possible to the objects being accessed, ie in XAPI.
>
> There's a proposal for creating a restricting scope mechanism in XAPI
> similar to what Shiva described, on top of (and compatible with) the
> existing RBAC mechanism:
> http://lists.xen.org/archives/html/xen-api/2010-05/msg00093.html
>
>
>
> On 25/02/15 14:16, Thomas Sanders wrote:
>>
>> Cloudstack/Cloudplatform does something like this.
>> XenServer itself doesn't have the necessary information in the
>> datamodel: a VM doesn't have an "owner". Therefore XenServer's existing RBAC
>> feature can't do what you want at present.
>>
>> It might be less work to add the feature to XenServer than to implement it
>> by writing new gateway software that mediates between the users and
>> XenServer... but it sounds as if Olivier is adding it to his existing
>> gateway/mediator software Xen-Orchestra.
>>
>>
>>> -----Original Message-----
>>> From: xen-api-bounces@lists.xen.org
>>> [mailto:xen-api-bounces@lists.xen.org]
>>> On Behalf Of Olivier Lambert
>>> Sent: 25 February 2015 12:12 PM
>>> To: Shiva Bhanujan
>>> Cc: xen-api@lists.xenproject.org
>>> Subject: Re: [Xen-API] User Based Access Control
>>>
>>> Hi,
>>>
>>> https://xen-orchestra.com/blog/xo-4-x-starts-to-show-up/
>>>
>>> It actually works and we are in closed Beta so far. I will create a
>>> small video to show you how it works.
>>>
>>> Should be out to the end of the month.
>>>
>>> Regards,
>>>
>>>
>>> Olivier.
>>>
>>> On Wed, Feb 18, 2015 at 7:55 PM, Shiva Bhanujan <sxb075@gmail.com> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I'm trying to figure out if we can have a mechanism such that when user
>>>> A
>>>> creates a VM, or a network or any object from dom0, another user B would
>>>
>>> not
>>>>
>>>> have any access to objects created by user A. Is there such a mechanism
>>>> available?
>>>>
>>>> I've looked at the RBAC mechanism in PAM, and Xen Orchestra, but I doubt
>>>
>>> if
>>>>
>>>> they address this need. Is anybody aware of anything that might satisfy
>>>> this need?
>>>>
>>>> Regards,
>>>> Shiva
>>>>
>>>>
>>>> _______________________________________________
>>>> Xen-api mailing list
>>>> Xen-api@lists.xen.org
>>>> http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
>>>>
>>> _______________________________________________
>>> Xen-api mailing list
>>> Xen-api@lists.xen.org
>>> http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
>>
>> _______________________________________________
>> Xen-api mailing list
>> Xen-api@lists.xen.org
>> http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
>
>
>
> _______________________________________________
> Xen-api mailing list
> Xen-api@lists.xen.org
> http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api

_______________________________________________
Xen-api mailing list
Xen-api@lists.xen.org
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api

Hi Thomas/Olivier,

thanks for the replies. I have found a way to do sufficient UBAC (User
Based Access Control) using the features in XenServer itself (although, I
do need to use 6.2 or 6.5 - I'll explain in a bit). What I have done is to
use PAM authentication w/ a unix/linux user created on the XenServer
itself. Once I set up PAM, what I do is create a linux user called User1,
and then create a subject using User1. After that, I set the role to only
read-only, and host.call_plugin. At this time, the subject is allowed to
run only these two commands.

The model that we have, is that there are multiple control VMs w/ a
hostname, that need to create objects (network, vbd/vif, other VMs) such
that the operations being executed from said control VM can operate only on
objects that "belong" to it on the XenServer. So, what I do is encrypt the
arguments to the host-plugin using openssl asymetric encryption, so that it
can identify who it is, and then I save the hostname of the control VM in
either the description or other-config based on what kind of an object I'm
creating on XenServer. This does address the needs that I have.

However, what I have found, is that the licensing on XenServer 6.0.2
doesn't seem to be unrestricted for some commands
(subject-role-add/subject-role-remove) as it is on Xenserver 6.2 and 6.5.
Is this something that either of you, or somebody on the list is familiar
w/? The specific error that I receive is as follows :

[root@XenServer ~]# xe subject-role-remove
uuid=3e34169d-e0ac-a1ba-8b3a-86237342db51 role-name=pool-admin
This operation is not allowed under your license. Please contact your
support representative.
[root@XenServer ~]#

This is even though the installation says that it is xenenterprise. The
license does say that it is 'Citrix XenServer'. Am I missing something?

Regards,
Shiva


On Wed, Feb 25, 2015 at 6:16 AM, Thomas Sanders <thomas.sanders@citrix.com>
wrote:

> Cloudstack/Cloudplatform does something like this.
>
> XenServer itself doesn't have the necessary information in the datamodel:
> a VM doesn't have an "owner". Therefore XenServer's existing RBAC feature
> can't do what you want at present.
>
> It might be less work to add the feature to XenServer than to implement it
> by writing new gateway software that mediates between the users and
> XenServer... but it sounds as if Olivier is adding it to his existing
> gateway/mediator software Xen-Orchestra.
>
>
> > -----Original Message-----
> > From: xen-api-bounces@lists.xen.org [mailto:
> xen-api-bounces@lists.xen.org]
> > On Behalf Of Olivier Lambert
> > Sent: 25 February 2015 12:12 PM
> > To: Shiva Bhanujan
> > Cc: xen-api@lists.xenproject.org
> > Subject: Re: [Xen-API] User Based Access Control
> >
> > Hi,
> >
> > https://xen-orchestra.com/blog/xo-4-x-starts-to-show-up/
> >
> > It actually works and we are in closed Beta so far. I will create a
> > small video to show you how it works.
> >
> > Should be out to the end of the month.
> >
> > Regards,
> >
> >
> > Olivier.
> >
> > On Wed, Feb 18, 2015 at 7:55 PM, Shiva Bhanujan <sxb075@gmail.com>
> wrote:
> > > Hello,
> > >
> > > I'm trying to figure out if we can have a mechanism such that when
> user A
> > > creates a VM, or a network or any object from dom0, another user B
> would
> > not
> > > have any access to objects created by user A. Is there such a
> mechanism
> > > available?
> > >
> > > I've looked at the RBAC mechanism in PAM, and Xen Orchestra, but I
> doubt
> > if
> > > they address this need. Is anybody aware of anything that might
> satisfy
> > > this need?
> > >
> > > Regards,
> > > Shiva
> > >
> > >
> > > _______________________________________________
> > > Xen-api mailing list
> > > Xen-api@lists.xen.org
> > > http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
> > >
> >
> > _______________________________________________
> > Xen-api mailing list
> > Xen-api@lists.xen.org
> > http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
>