I was just assuming if end user needs to retrieve his metadata, he can always do it through the VM. While if Admin needs to access user's metadata - to DR the vm from one cloud to another for example - he can't do it because he has no access to user's network.
There is no problem for me to make API available to an end user, if it doesn't expose any possible security risks I might not be aware of. So waiting for further comments from the community.

-Alena.

On 1/13/14, 2:32 PM, "David Nalley" <da...@gnsa.us> wrote:

>The end-user has an even more compelling reason to be able to query
>that information without resorting to querying from the host than an
>admin ever will.
>
>Why would a cloud administrator need to see/care about userdata? I can
>see the end-user/instance admin caring, but not the root admin.
>
>--David
>
>On Mon, Jan 13, 2014 at 5:25 PM, Alena Prokharchyk
><alena.prokharc...@citrix.com> wrote:
>> User can always access it through his Vm. The feature is more meant to
>> cover the case when Admin needs to get all the user data info for all
>> vms of a) network b) system
>>
>> On 1/13/14, 1:55 PM, "David Nalley" <da...@gnsa.us> wrote:
>>
>>>On Mon, Jan 13, 2014 at 12:56 PM, Alena Prokharchyk
>>><alena.prokharc...@citrix.com> wrote:
>>>> I would like to propose to introduce API (Admin only, 4.4) that
>>>> returns user data to the admin. Current UserData behavior:
>>>>
>>>> * userData is passed to the deployVm/updateVm call
>>>> * it's stored in CS db and on the VR
>>>> * the only one way to retrieve the data, is to request it from the
>>>>   user vm inside the network by sending http request to the Virtual
>>>>   Router.
>>>>
>>>> We've adopted this model from Amazon EC2 APIs. But along the way I've
>>>> noticed that some third party integrators needed to read UserData by
>>>> Admin to get the information about all vms in the system/network. To
>>>> solve the problem, people were using different kinds of workarounds -
>>>> db scripts to read userData from cloudstack DB, or writing CS API
>>>> extensions: https://github.com/jasonhancock/cloudstack-api-extension.
>>>>
>>>> So the API I'm proposing, will let you to retrieve User Data via Admin
>>>> API. It will be available to Root admin only.
>>>>
>>>> If anyone has any objection, or see the flaws in the proposal, please
>>>> signal.
>>>>
>>>> -Alena.
>>>
>>>Why make this root admin-only? Why shouldn't the user be able to see
>>>their own instances user-data?
>>>
>>>While the ability to see user-data is compelling; limiting it to
>>>root-admin only is much less desirable IMO.
>>>
>>>--David
>>