cloudstack-dev mailing list archives

From Alena Prokharchyk <Alena.Prokharc...@citrix.com>
Subject Re: [Proposal] Ability to retrieve user data via Admin API - 4.4
Date Mon, 13 Jan 2014 22:52:18 GMT
I was just assuming if end user needs to retrieve his metadata, he can
always do it through the VM. While if Admin needs to access user's
metadata - to DR the vm from one cloud to another for example - he can't
do it because he has no access to user's network.

There is no problem for me to make API available to an end user, if it
doesn't expose any possible security risks I might not be aware of. So
waiting for further comments from the community.

-Alena.


On 1/13/14, 2:32 PM, "David Nalley" <david@gnsa.us> wrote:

>The end-user has an even more compelling reason to be able to query
>that information without resorting to querying from the host than an
>admin ever will.
>
>Why would a cloud administrator need to see/care about userdata? I can
>see the end-user/instance admin caring, but not the root admin.
>
>--David
>
>
>
>On Mon, Jan 13, 2014 at 5:25 PM, Alena Prokharchyk
><Alena.Prokharchyk@citrix.com> wrote:
>> User can always access it through his Vm. The feature is more meant to
>> cover the case when Admin needs to get all the user data info for all
>> vms of a) network b) system
>>
>> On 1/13/14, 1:55 PM, "David Nalley" <david@gnsa.us> wrote:
>>
>>>On Mon, Jan 13, 2014 at 12:56 PM, Alena Prokharchyk
>>><Alena.Prokharchyk@citrix.com> wrote:
>>>> I would like to propose to introduce API (Admin only, 4.4) that
>>>> returns user data to the admin. Current UserData behavior:
>>>>
>>>>  * userData is passed to the deployVm/updateVm call
>>>>  * it's stored in CS db and on the VR
>>>>  * the only one way to retrieve the data, is to request it from the
>>>>    user vm inside the network by sending http request to the Virtual
>>>>    Router.
>>>>
>>>> We've adopted this model from Amazon EC2 APIs. But along the way I've
>>>> noticed that some third party integrators needed to read UserData by
>>>> Admin to get the information about all vms in the system/network. To
>>>> solve the problem, people were using different kinds of workarounds -
>>>> db scripts to read userData from cloudstack DB, or writing CS API
>>>> extensions: https://github.com/jasonhancock/cloudstack-api-extension.
>>>>
>>>> So the API I'm proposing, will let you to retrieve User Data via Admin
>>>> API. It will be available to Root admin only.
>>>>
>>>> If anyone has any objection, or see the flaws in the proposal, please
>>>> signal.
>>>>
>>>> -Alena.
>>>
>>>
>>>Why make this root admin-only? Why shouldn't the user be able to see
>>>their own instances user-data?
>>>
>>>While the ability to see user-data is compelling; limiting it to
>>>root-admin only is much less desirable IMO.
>>>
>>>--David
>>

