Request #428

Include an authorization plugin that prevents users from overriding scheduler decisions

Added by Borja Sotomayor over 10 years ago. Updated almost 10 years ago.

Status: Closed
Start date: 12/08/2010
Priority: Normal
Due date:
Assignee: Javi Fontan
% Done: 0%
Category: Drivers - Auth
Target version: Release 3.0
Pull request:

Description

When OpenNebula runs with Haizea as a scheduling backend, if a request is denied or postponed, a user can still override the scheduler by manually running "onevm deploy". This is actually also an issue when running with the default scheduler.

The OpenNebula team has stated that this could be solved by writing an authorization plugin that restricts "deploy" permissions to only oneadmin (which would work with Haizea, since Haizea uses the oneadmin account to deploy VMs). This seems like a big enough gap that OpenNebula should just include such a plugin by default, giving administrators the option to enable it if they want to prevent users from running "onevm deploy" on their own.

Of course, we could think of fancier schemes down the road (where administrators can specify specific privileges and assign them to certain users, or even groups of users, but not to others) but, for now, I believe that just a plugin included with the regular OpenNebula distribution would be enough.

Associated revisions

Revision 19396e38
Added by Abel Coronado almost 4 years ago

B #5291 Solved order VM bug in cloud view (#428)

Revision 6198e03e
Added by Abel Coronado almost 4 years ago

B #5291 Solved order VM bug in cloud view (#428)

(cherry picked from commit 19396e386457ed3e6e761ee0ea7a94d833946ba7)

History

#1 Updated by Borja Sotomayor over 10 years ago

  • Subject changed from Include an authentication plugin that prevents users from overriding scheduler decisions to Include an authorization plugin that prevents users from overriding scheduler decisions

#2 Updated by Zaina Afoulki over 10 years ago

+1 for this

I agree with Borja on implementing this feature. I believe it is a major issue.

Another related thing is: when Haizea or the default scheduler refuses/denies a lease, its STATE remains "pend" with "onevm list". I think it should change to "fail" or another status or, even better, be removed from the list shown by OpenNebula (there is no use in keeping it in the list).

Thanks!

#3 Updated by Ruben S. Montero almost 10 years ago

  • Status changed from New to Closed
  • Target version set to Release 3.0

This is now solved as part of #718. Closing this one.
