On Fri, Sep 11, 2009 at 10:49 PM, Grant McWilliams <grantmasterflash@xxxxxxxxx> wrote:
>>
>>
>> So, no root or other stuff like that. In my case, I choose to make
>> things simple : just an htaccess (so far).
>>
>> With the API, you've got access to the entire Xen daemon, but I think
>> it's not so hard to restrict a user to a VM (or more). It's "just" an
>> added layer, can be interfaced with ldap, mysql or pgsql database,
>> with adequate information on users.
>>
>> For your "feature request", I think I'll do it, but at first, my
>> goal is to admin Xen easily. But ASAP, I'll try to respond to your
>> request.
>> And as it's an open source project, everyone can contribute, so... the
>> more we are, the greater the project will be :)
>>
>> Regards,
>
> So currently you're using .htaccess to limit who can connect and control the
> VMs, but if I understand you there's no limit on what that person can do?
> If Bob (we like calling him Bob) logs into Orchestra he can restart ALL VMs?
> I don't know if this helps me any since I could just grant people sudo
> access to the xm command.
>
> If however you set it up so there's a database table that lists access
> rights and when creating a VM you assign admins to it this would be ideal.
> If Bob logs in your code would look up the database record to see what Bob
> could do and restrict his actions to his own VM. Like you said I don't think
> this would be difficult code but for my project definitely needed. It's
> already very easy to start/stop domUs. I could set up a web page in about 30
> seconds that does the same thing (locally) without even using the API. I
> realize this is not what you're doing and that the project will grow but I'm
> hoping that this will be a feature you add fairly soon or I can if I have
> time. If I don't have that then it's no more useful than what I have now.
> :-)
>
> Grant McWilliams.
>
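The per-VM access table proposed in the quoted message, sketched as an added example that is not part of the original thread or of the project's code: authentication stays with the web server, and every action is checked against a grant table that denies by default. The table name, columns, action names and `fake_backend` (a stand-in for the real Xen API call) are hypothetical.

```python
import sqlite3

ACTIONS = ("start", "shutdown", "reboot")  # assumed action names

class Forbidden(Exception):
    """Raised when a user has no grant for the requested VM action."""

def open_acl():
    # Hypothetical schema: one row per (user, VM, action) grant.
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE vm_acl (
        username TEXT NOT NULL, vm_name TEXT NOT NULL, action TEXT NOT NULL,
        PRIMARY KEY (username, vm_name, action))""")
    return db

def assign_admin(db, username, vm_name, actions=ACTIONS):
    # Called when a VM is created: record who may administer it.
    db.executemany("INSERT OR IGNORE INTO vm_acl VALUES (?, ?, ?)",
                   [(username, vm_name, a) for a in actions])

def is_allowed(db, username, vm_name, action):
    # Parameterized lookup; no matching row means no access (deny by default).
    row = db.execute("SELECT 1 FROM vm_acl WHERE username = ? AND vm_name = ? "
                     "AND action = ?", (username, vm_name, action)).fetchone()
    return row is not None

def visible_vms(db, username):
    # Only list the VMs a user holds at least one grant on.
    rows = db.execute("SELECT DISTINCT vm_name FROM vm_acl WHERE username = ? "
                      "ORDER BY vm_name", (username,))
    return [r[0] for r in rows]

def vm_action(db, username, vm_name, action, backend):
    # username must be the identity the web server authenticated
    # (e.g. REMOTE_USER from .htaccess auth), never a request parameter.
    if action not in ACTIONS or not is_allowed(db, username, vm_name, action):
        raise Forbidden(f"{username} may not {action} {vm_name}")
    return backend(vm_name, action)

def fake_backend(vm_name, action):
    # Stand-in for the real Xen API call (hypothetical).
    return f"{action} {vm_name}"

if __name__ == "__main__":
    db = open_acl()
    assign_admin(db, "bob", "bob-web")  # constructed sample data
    print(vm_action(db, "bob", "bob-web", "reboot", fake_backend))
    print(is_allowed(db, "bob", "alice-db", "reboot"))
```
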