cloudstack-dev mailing list archives

From Nate Gordon <nate.gor...@appcore.com>
Subject Re: [Proposal] Ability to retrieve user data via Admin API - 4.4
Date Tue, 14 Jan 2014 00:28:15 GMT
I would also agree that user/account/domain access to this data via api
would be welcome. Requiring that the request originate from the VM requires
going to every VM to pull that data. With some of the setups I have seen to
drive puppet from this data, a simple util could query for all VMs that
they manage and display that to an account user to see what data is being
sent to the VM. Beyond that, I always like to accompany a set operation
with a get operation simply to not limit users later for situations I
haven't thought about yet.

I also don't see any obvious security issues since the api to set is right
there as well. That seems far more dangerous to me.
On Jan 13, 2014 6:20 PM, "Alena Prokharchyk" <Alena.Prokharchyk@citrix.com>
wrote:

> I was just assuming if end user needs to retrieve his metadata, he can
> always do it through the VM. While if Admin needs to access user's
> metadata - to DR the vm from one cloud to another for example - he can't
> do it because he has no access to user's network.
>
> There is no problem for me to make API available to an end user, if it
> doesn't expose any possible security risks I might not be aware of. So
> waiting for further comments from the community.
>
> -Alena.
>
>
> On 1/13/14, 2:32 PM, "David Nalley" <david@gnsa.us> wrote:
>
> >The end-user has an even more compelling reason to be able to query
> >that information without resorting to querying from the host than an
> >admin ever will.
> >
> >Why would a cloud administrator need to see/care about userdata? I can
> >see the end-user/instance admin caring, but not the root admin.
> >
> >--David
> >
> >
> >
> >On Mon, Jan 13, 2014 at 5:25 PM, Alena Prokharchyk
> ><Alena.Prokharchyk@citrix.com> wrote:
> >> User can always access it through his Vm. The feature is more meant to
> >> cover the case when Admin needs to get all the user data info for all
> >>vms
> >> of a) network b) system
> >>
> >> On 1/13/14, 1:55 PM, "David Nalley" <david@gnsa.us> wrote:
> >>
> >>>On Mon, Jan 13, 2014 at 12:56 PM, Alena Prokharchyk
> >>><Alena.Prokharchyk@citrix.com> wrote:
> >>>> I would like to propose to introduce API (Admin only, 4.4) that
> >>>>returns
> >>>>user data to the admin. Current UserData behavior:
> >>>>
> >>>>  * userData is passed to the deployVm/updateVm call
> >>>>  * it's stored in CS db and on the VR
> >>>>  * the only way to retrieve the data is to request it from the
> >>>>user vm inside the network by sending http request to the Virtual
> >>>>Router.
> >>>>
> >>>>  We've adopted this model from Amazon EC2 APIs. But along the way I've
> >>>>noticed that some third party integrators needed to read UserData by
> >>>>Admin to get the information about all vms in the system/network. To
> >>>>solve the problem, people were using different kinds of workarounds -
> >>>>db
> >>>>scripts to read userData from cloudstack DB, or writing CS API
> >>>>extensions: https://github.com/jasonhancock/cloudstack-api-extension.
> >>>>
> >>>> So the API I'm proposing will let you retrieve User Data via Admin
> >>>>API. It will be available to Root admin only.
> >>>>
> >>>> If anyone has any objection, or see the flaws in the proposal, please
> >>>>signal.
> >>>>
> >>>> -Alena.
> >>>
> >>>
> >>>Why make this root admin-only? Why shouldn't the user be able to see
> >>>their own instances user-data?
> >>>
> >>>While the ability to see user-data is compelling; limiting it to
> >>>root-admin only is much less desirable IMO.
> >>>
> >>>--David
> >>
>
>
