Hi,

Our approach will be to implement a File Datastore, where users can store files, share them... The files will be used in context using the IMAGE_ID/IMAGE_NAME in the Datastore. This datastore will be used also to store kernels and ramdisks...

Cheers

Ruben

On Mon, Oct 29, 2012 at 4:21 PM, Steffen Claus <[email protected]> wrote:

> Hi,
> of course, you're right. Allowing users to define the FILES is a potential
> security issue.
> It would still be nice to enable users to update the other template
> parameters (e.g. image ID).
>
> I know that this is way more complicated, as each individual parameter
> would have to be checked.
>
> BR,
> Steffen
>
> ------------------------------
>
> Hi
>
> Not all CONTEXT attributes are restricted, it is only FILES. So we only
> let oneadmin use CONTEXT/FILES. The rationale behind this is that
> CONTEXT/FILES means accessing the filesystem using oneadmin privileges,
> and so you can use:
>
> CONTEXT= [
> FILES = "/var/lib/one/one.db /etc/passwd"
> ]
>
> and now you have access to the whole one.db or passwd file of the
> frontend.
>
> However this may be safe depending on your setup, e.g. you only let users
> access through EC2 or OCCI...
>
> If you can live with that, simply drop the
>
> VM_RESTRICTED_ATTR = "CONTEXT/FILES"
>
> in oned.conf
>
> Cheers
>
> Ruben
>
> On Fri, Oct 26, 2012 at 2:53 PM, Steffen Claus <
> [email protected]> wrote:
>
>> Hi,
>> I have a general question regarding the handling of VM-templates with
>> CONTEXT parameters.
>> I know that the owner has to be either "oneadmin" or a member of the
>> "oneadmin" group.
>> Since ONE 3.4 it is possible to grant USE-rights on such templates for
>> normal users.
>> So far, so good.
>>
>> But now I would also like to change the owner of the template to a normal
>> user. Why is this not possible? What are the main concerns that led to the
>> decision to only allow "oneadmin" to define CONTEXT parameters,
>> respectively, possess templates with such parameters? Are there any best
>> practices how to handle this problem?
>>
>> BR,
>> Steffen Claus
>>
>> --
>> Steffen Claus
>>
>> Fraunhofer-Institut für Algorithmen und Wissenschaftliches Rechnen (SCAI)
>> Schloss Birlinghoven
>> D-53754 Sankt Augustin
>> Tel: +49 2241 14-2511
>> [email protected]
>> http://www.scai.fraunhofer.de
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>
> --
> Ruben S. Montero, PhD
> Project co-Lead and Chief Architect
> OpenNebula - The Open Source Solution for Data Center Virtualization
> www.OpenNebula.org | [email protected] | @OpenNebula
>
> --
> Steffen Claus
>
> Fraunhofer-Institut für Algorithmen und Wissenschaftliches Rechnen (SCAI)
> Schloss Birlinghoven
> D-53754 Sankt Augustin
> Tel: +49 2241 14-2511
> [email protected]
> http://www.scai.fraunhofer.de
>

--
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | [email protected] | @OpenNebula
_______________________________________________
Users mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
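
Added example, not part of the original thread and not OpenNebula's code: a simplified Python model of the per-attribute check discussed above, where a non-oneadmin user may update unrestricted parameters such as the image ID but may not touch an attribute listed in VM_RESTRICTED_ATTR. The parser, the function names and the sample template are assumptions made for illustration.

```python
import re

# Restricted paths, as an oned.conf line like
#   VM_RESTRICTED_ATTR = "CONTEXT/FILES"
# would supply them (simplified model, not OpenNebula's implementation).
RESTRICTED = {"CONTEXT/FILES"}

_VECTOR = re.compile(r'(\w+)\s*=\s*\[(.*?)\]', re.S)   # NAME = [ K = v, ... ]
_SINGLE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s\]]+))')

def parse_template(text):
    """Flatten a template to {"NAME": value, "VECTOR/KEY": value}.

    Simplification: values must not contain ']' and repeated vectors
    (two DISK sections) overwrite each other.
    """
    attrs = {}
    for name, body in _VECTOR.findall(text):
        for key, quoted, bare in _SINGLE.findall(body):
            attrs[f"{name.upper()}/{key.upper()}"] = quoted or bare
    for key, quoted, bare in _SINGLE.findall(_VECTOR.sub("", text)):
        attrs[key.upper()] = quoted or bare
    return attrs

def check_update(old, new, is_oneadmin, restricted=RESTRICTED):
    """Return the restricted paths an update adds, changes or removes.

    An empty list means the update touches only unrestricted attributes.
    """
    if is_oneadmin:
        return []
    before, after = parse_template(old), parse_template(new)
    return sorted(p for p in restricted if before.get(p) != after.get(p))

# Constructed sample template, owned by oneadmin.
BASE = '''
NAME = "web"
DISK = [ IMAGE_ID = 7 ]
CONTEXT = [ HOSTNAME = "web01", FILES = "/srv/ctx/init.sh" ]
'''

if __name__ == "__main__":
    image_change = BASE.replace("IMAGE_ID = 7", "IMAGE_ID = 9")
    files_change = BASE.replace("/srv/ctx/init.sh", "/var/lib/one/one.db /etc/passwd")
    print(check_update(BASE, image_change, is_oneadmin=False))
    print(check_update(BASE, files_change, is_oneadmin=False))
```

Comparing old and new values per path, rather than rejecting any template that contains a restricted attribute, is what lets an admin-authored CONTEXT/FILES entry stay in place while the user edits the rest.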
