cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rohit Yadav <rohit.ya...@shapeblue.com>
Subject Re: [Propose] Improvements in XenServer + ACS integration
Date Mon, 24 Nov 2014 08:44:05 GMT
Great idea and work Marco!

The gist of the proposal is that we can allow non-root users to add hosts and Marco successfully
shows us how that is possible.

> On 23-Nov-2014, at 5:42 pm, Marco Sinhoreli <marco.sinhoreli@shapeblue.com> wrote:
>
> Hi community,
>
> I’m starting this discussion to share some ideas about XenServer integration in ACS.
Since XenServer has some nice features to do that like RBAC, host plugin and XenStore, I demonstrate
these to some community members at CCCEU14.
>
> Some references you can look in these links:
> https://blog.xenproject.org/2011/11/09/xcp-rbac-and-pam-authentication-in-the-xenapi/
> https://wiki.xenserver.org/index.php?title=RBAC
> http://wiki.xen.org/wiki/XAPI_Host_Plugins
> http://wiki.xen.org/wiki/XenStore
>
> Actual status in ACS:
> During the XenServer setup, is possible to define a user to connect to the xapi. In XenCenter,
is possible to use a different user (no-root) using external authentication like AD our PAM
since the RBAC is configured properly for this. In ACS it’s not possible because many command
need be called by root using SSH. Another issue in this approach is about security: root password
is stored in DB and, in this approach we have a security compliance issue. The root used used
to call shell scripts in the XenServer host are all hard-coded.
>
> What we can do?
> - Substitute host SSH connection to XAPI host plugins
> In my view, I prefer use just one-way to connect to XenServer, in this case, changing
host SSH interactions to use exclusively XAPI. XAPI implements Host Plugins where could be
used to as a security layer to call commands into host.
>
> An example of host plugin:
> # cat xen_plugin_demo
> #!/usr/bin/python
>
> import XenAPIPlugin
> import subprocess
>
> def main(session, args):
>     try:
> p = subprocess.Popen(args["cmd"].split(" "), stdout=subprocess.PIPE,  stderr=subprocess.PIPE)
> out, err = p.communicate()
>         return out
>     except KeyError:
>         raise RuntimeError("No argument found with key.")
>
> if __name__ == "__main__":
>     XenAPIPlugin.dispatch({"main": main})
>
> And a client:
> $ cat call_plugin.py
> import XenAPI
> import sys
>
> session = XenAPI.Session('https://192.168.56.12')
> session.login_with_password('cloud', 'password')
> host, = session.xenapi.host.get_all()
>
> print
> print session.xenapi.host.call_plugin(host, 'xen_plugin_demo', 'main', {'cmd' : " ".join(sys.argv[1:])})
>
> Calling:
> $ python call_plugin.py ls /root
>
> add_roles.sh
> support.tar.bz2
>
> - Setup RBAC to use a non-root to manage the XenServer host
> As a suggestion, for this approach, need to have a user pre-seted in PAM or configure
XenServer AD. Follow what need be running in the XenServer shell to setup the user, external
auth, associate RBAC role to this user:
> adduser cloudstack
> password cloudstack
> xe pool-enable-external-auth auth-type=PAM config:user=cloudstack service-name=CloudStack
> xe subject-add subject-name=cloudstack
> subject_uuid=$(xe subject-list  | awk '/^uuid/{print $5}')
> role_uuid=$(xe role-list  name=pool-admin params=uuid | awk '/^uuid/{print $5}')
> xe subject-role-add uuid=${subject_uuid} role-uuid=${role_uuid}
>
> We can in this case, maintain the scripts used today, needing change the way to call
them from ACS.
>
> Best regards,
>
>
> Marco Sinhoreli
> Consultant Manager
>
>
>
> Phone: +55 21 2586 6390 | Fax: +55 21 2586 6002 | Mobile: +55 21 98276 3636 | Mobile:
+55 21 99711 4645
> Praia de Botafogo 501, bloco 1 - sala 101, Botafogo, Rio de Janeiro, RJ - Brazil - CEP
22250-040
> marco.sinhoreli@shapeblue.com | www.shapeblue.com | Twitter:@shapeBlue
>
> Find out more about ShapeBlue and our range of CloudStack related services
>
> IaaS Cloud Design & Build
> CSForge – rapid IaaS deployment framework
> CloudStack Consulting
> CloudStack Software Engineering
> CloudStack Infrastructure Support
> CloudStack Bootcamp Training Courses
>
> This email and any attachments to it may be confidential and are intended solely for
the use of the individual to whom it is addressed. Any views or opinions expressed are solely
those of the author and do not necessarily represent those of Shape Blue Ltd or related companies.
If you are not the intended recipient of this email, you must neither take any action based
upon its contents, nor copy or show it to anyone. Please contact the sender if you believe
you have received this email in error. Shape Blue Ltd is a company incorporated in England
& Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated
under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated
in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
registered by The Republic of South Africa and is traded under license from Shape Blue Ltd.
ShapeBlue is a registered trademark.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use
of the individual to whom it is addressed. Any views or opinions expressed are solely those
of the author and do not necessarily represent those of Shape Blue Ltd or related companies.
If you are not the intended recipient of this email, you must neither take any action based
upon its contents, nor copy or show it to anyone. Please contact the sender if you believe
you have received this email in error. Shape Blue Ltd is a company incorporated in England
& Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated
under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated
in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
registered by The Republic of South Africa and is traded under license from Shape Blue Ltd.
ShapeBlue is a registered trademark.

Mime
View raw message