From: Rohit Yadav
To: "dev@cloudstack.apache.org"
Subject: Re: [Propose] Improvements in XenServer + ACS integration
Date: Mon, 24 Nov 2014 08:44:05 +0000

Great idea and work Marco!

The gist of the proposal is that we can allow non-root users to add hosts and Marco successfully shows us how that is possible.

> On 23-Nov-2014, at 5:42 pm, Marco Sinhoreli wrote:
>
> Hi community,
>
> I'm starting this discussion to share some ideas about XenServer integration in ACS.
> Since XenServer has some nice features to do that, like RBAC, host plugins and XenStore, I demonstrated these to some community members at CCCEU14.
>
> Some references you can look at in these links:
> https://blog.xenproject.org/2011/11/09/xcp-rbac-and-pam-authentication-in-the-xenapi/
> https://wiki.xenserver.org/index.php?title=RBAC
> http://wiki.xen.org/wiki/XAPI_Host_Plugins
> http://wiki.xen.org/wiki/XenStore
>
> Actual status in ACS:
> During the XenServer setup, it is possible to define a user to connect to the xapi. In XenCenter, it is possible to use a different user (non-root) using external authentication like AD or PAM, since the RBAC is configured properly for this. In ACS it's not possible because many commands need to be called by root using SSH. Another issue in this approach is about security: the root password is stored in the DB and, in this approach, we have a security compliance issue. The root user used to call shell scripts in the XenServer host is hard-coded throughout.
>
> What can we do?
> - Substitute the host SSH connection with XAPI host plugins
> In my view, I prefer to use just one way to connect to XenServer, in this case changing host SSH interactions to use XAPI exclusively. XAPI implements Host Plugins, which could be used as a security layer to call commands on the host.
>
> An example of host plugin:
> # cat xen_plugin_demo
> #!/usr/bin/python
>
> import XenAPIPlugin
> import subprocess
>
> def main(session, args):
>     try:
>         # split the caller-supplied "cmd" string and run it on the host
>         p = subprocess.Popen(args["cmd"].split(" "), stdout=subprocess.PIPE, stderr=subprocess.PIPE)
>         out, err = p.communicate()
>         return out
>     except KeyError:
>         raise RuntimeError("No argument found with key.")
>
> if __name__ == "__main__":
>     XenAPIPlugin.dispatch({"main": main})
>
> And a client:
> $ cat call_plugin.py
> import XenAPI
> import sys
>
> session = XenAPI.Session('https://192.168.56.12')
> session.login_with_password('cloud', 'password')
> host, = session.xenapi.host.get_all()
>
> print
> print session.xenapi.host.call_plugin(host, 'xen_plugin_demo', 'main', {'cmd': " ".join(sys.argv[1:])})
>
> Calling:
> $ python call_plugin.py ls /root
>
> add_roles.sh
> support.tar.bz2
>
> - Set up RBAC to use a non-root user to manage the XenServer host
> As a suggestion, for this approach, we need to have a user pre-set in PAM or configure XenServer AD. Following is what needs to be run in the XenServer shell to set up the user and the external auth, and to associate the RBAC role with this user:
> adduser cloudstack
> passwd cloudstack
> xe pool-enable-external-auth auth-type=PAM config:user=cloudstack service-name=CloudStack
> xe subject-add subject-name=cloudstack
> subject_uuid=$(xe subject-list | awk '/^uuid/{print $5}')
> role_uuid=$(xe role-list name=pool-admin params=uuid | awk '/^uuid/{print $5}')
> xe subject-role-add uuid=${subject_uuid} role-uuid=${role_uuid}
>
> In this case we can maintain the scripts used today, only needing to change the way they are called from ACS.
>
> Best regards,
>
> Marco Sinhoreli
> Consultant Manager
>
> Phone: +55 21 2586 6390 | Fax: +55 21 2586 6002 | Mobile: +55 21 98276 3636 | Mobile: +55 21 99711 4645
> Praia de Botafogo 501, bloco 1 - sala 101, Botafogo, Rio de Janeiro, RJ - Brazil - CEP 22250-040
> marco.sinhoreli@shapeblue.com | www.shapeblue.com | Twitter: @shapeBlue
>
> Find out more about ShapeBlue and our range of CloudStack related services
>
> IaaS Cloud Design & Build
> CSForge – rapid IaaS deployment framework
> CloudStack Consulting
> CloudStack Software Engineering
> CloudStack Infrastructure Support
> CloudStack Bootcamp Training Courses
>
> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
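The demo plugin in the quoted proposal splits the caller's `cmd` string and runs it as root in dom0 (the `ls /root` listing shows that), so it only becomes the security layer the proposal describes once the plugin itself restricts what can be run. The following is an added example, not code from the proposal, XenServer or CloudStack, of that shape: a fixed table of named operations whose arguments are validated before a fixed argv is built. The operation names and argv templates are illustrative placeholders, `XenAPIPlugin` exists only on the host so the dispatch is skipped elsewhere, and the syntax is kept to what both the dom0 Python 2 and Python 3 accept.

```python
#!/usr/bin/python
# Allow-listed XAPI host plugin (added example, not from the proposal or CloudStack).
# Plugins run as root in dom0, so caller input is never turned into a shell command.
import re
import subprocess

try:
    import XenAPIPlugin  # only present inside a XenServer dom0
except ImportError:
    XenAPIPlugin = None  # lets the module import (and be tested) elsewhere

UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Hypothetical operation table: name -> (argv template, {arg name: validator}).
# Templates are fixed lists; only validated values are substituted via %(name)s.
OPS = {
    "vm_power_state": (["xe", "vm-param-get", "param-name=power-state", "uuid=%(uuid)s"],
                       {"uuid": UUID_RE}),
    "disk_usage": (["df", "-h", "/"], {}),
}

def build_command(op, args):
    """Return the argv list for op, or raise ValueError on any disallowed input."""
    if op not in OPS:
        raise ValueError("operation not allowed: %r" % op)
    template, validators = OPS[op]
    extra = set(args) - set(validators)
    if extra:
        raise ValueError("unexpected arguments: %r" % sorted(extra))
    values = {}
    for name, pattern in validators.items():
        value = args.get(name, "")
        if not pattern.match(value):
            raise ValueError("invalid value for %s" % name)
        values[name] = value
    return [part % values for part in template]

def main(session, args):
    # XAPI hands plugin args over as a dict of strings; "op" selects the operation.
    op_args = dict((k, v) for k, v in args.items() if k != "op")
    argv = build_command(args.get("op", ""), op_args)
    p = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = p.communicate()
    if p.returncode != 0:
        raise RuntimeError("command failed: %s" % err.decode("utf-8", "replace").strip())
    return out

if __name__ == "__main__" and XenAPIPlugin is not None:
    XenAPIPlugin.dispatch({"main": main})
```

A client then calls it with `{'op': 'vm_power_state', 'uuid': '<vm uuid>'}` instead of a `cmd` string, and anything outside the table is refused before `Popen` is reached.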