From: "Doron Fediuck" <dfediuck(a)redhat.com>
To: "Andrew Cathrow" <acathrow(a)redhat.com>
Cc: "Juan Hernandez" <jhernand(a)redhat.com>, engine-devel(a)ovirt.org
Sent: Monday, February 11, 2013 9:27:32 AM
Subject: Re: [Engine-devel] Local Authentication Feature
----- Original Message -----
> From: "Andrew Cathrow" <acathrow(a)redhat.com>
> To: "Doron Fediuck" <dfediuck(a)redhat.com>
> Cc: "Juan Hernandez" <jhernand(a)redhat.com>, engine-devel(a)ovirt.org
> Sent: Sunday, February 10, 2013 7:21:32 PM
> Subject: Re: [Engine-devel] Local Authentication Feature
>
>
>
> ----- Original Message -----
> > From: "Doron Fediuck" <dfediuck(a)redhat.com>
> > To: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
> > Cc: "Juan Hernandez" <jhernand(a)redhat.com>,
> > engine-devel(a)ovirt.org
> > Sent: Sunday, February 10, 2013 11:02:39 AM
> > Subject: Re: [Engine-devel] Local Authentication Feature
> >
> >
> >
> > ----- Original Message -----
> > > From: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
> > > To: "Doron Fediuck" <dfediuck(a)redhat.com>
> > > Cc: "Juan Hernandez" <jhernand(a)redhat.com>,
> > > engine-devel(a)ovirt.org
> > > Sent: Sunday, February 10, 2013 5:37:10 PM
> > > Subject: Re: [Engine-devel] Local Authentication Feature
> > >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Doron Fediuck" <dfediuck(a)redhat.com>
> > > > To: "Juan Hernandez" <jhernand(a)redhat.com>
> > > > Cc: engine-devel(a)ovirt.org
> > > > Sent: Sunday, February 10, 2013 5:26:52 PM
> > > > Subject: Re: [Engine-devel] Local Authentication Feature
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Juan Hernandez" <jhernand(a)redhat.com>
> > > > > To: engine-devel(a)ovirt.org
> > > > > Sent: Friday, February 8, 2013 7:50:36 PM
> > > > > Subject: [Engine-devel] Local Authentication Feature
> > > > >
> > > > > Hello,
> > > > >
> > > > > I would like to propose a new feature that allows authentication
> > > > > using the local user database. The details are here:
> > > > >
> > > > > http://www.ovirt.org/Features/Local_Authentication
> > > > >
> > > > > And the proposed change is available for review here:
> > > > >
> > > > > http://gerrit.ovirt.org/11863
> > > > >
> > > > > I appreciate feedback.
> > > > >
> > > > > Thanks in advance,
> > > > > Juan Hernandez
> > > > > --
> > > > > Commercial address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3,
> > > > > planta 3ºD, 28016 Madrid, Spain
> > > > > Registered in the Madrid Mercantile Registry – C.I.F. B82657941 -
> > > > > Red Hat S.L.
> > > >
> > > > Hi Juan,
> > > > Very happy to see this one, which actually closes an annoying gap!
> > > > One thing which is missing is user management: add/remove/change
> > > > users and groups. If we do not plan to handle it within ovirt, the
> > > > design should state it and explain how user management should work.
> > >
> > > Shouldn't this be the same as in the case of an external directory
> > > service? i.e. you manage users/groups at the directory service, and
> > > then you "populate" the engine with them (by adding permissions to
> > > users/groups or adding explicitly new users/groups to the engine)?
> > >
> > > > Also, what happens when a user is removed from the local DB: will
> > > > all references to him be removed? Groups?
> > >
> > > IMHO the behavior in this case should be as in the case of the
> > > current LdapBroker.
> > >
> >
> > This could be a decision, but it's missing from the design.
> > The difference I see from the currently supported directory servers is
> > that they actually have their own management tools, which is not the
> > case for a local DB. Again, you may state that the various userXXX
> > and groupXXX command-line utilities are the way to manage it, but
> > this is lacking from the design.
>
> Local user support is a feature we certainly need, but somehow
> ssh'ing into the node feels wrong.
> A local db is better than the (creative) ssh hack.
>
>
IIUC it's an internal SSH just for the authentication part.
If it succeeds the user is authenticated. Otherwise the user
will fail to log in. That's the only use of the SSH; everything
else should work as it used to so far.
I also wouldn't say it is a hack, but on the other hand requiring it for such a
feature feels wrong to me as well.
Some sysadmins also choose to disable SSH for security reasons, so it won't work for
them.
Isn't there an option to use PAM instead? Something similar?
As for using a local DB, I think it is a different feature than this one, so they can both
co-exist.
Oved
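The local-database variant that the thread contrasts with the SSH check, as an added example that is not oVirt's code and not the engine's schema: a self-contained Python store (in-memory SQLite, hypothetical tables) with PBKDF2 password hashing, a constant-time comparison, permissions granted to users or groups, and a remove_user that cascades group memberships and direct grants, which is the removal semantics Doron asks about. Every name here (open_store, add_user, grant, effective_roles, the sample users "alice"/"bob" and the roles) is constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed example: a minimal local user database with groups and
# permissions. The schema is hypothetical and is not the oVirt engine's.
PBKDF2_ITERATIONS = 200_000


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # needed for ON DELETE CASCADE
    conn.executescript("""
        CREATE TABLE users (
            name     TEXT PRIMARY KEY,
            salt     BLOB NOT NULL,
            pwhash   BLOB NOT NULL,
            disabled INTEGER NOT NULL DEFAULT 0
        );
        CREATE TABLE groups (name TEXT PRIMARY KEY);
        CREATE TABLE memberships (
            user_name  TEXT NOT NULL REFERENCES users(name)  ON DELETE CASCADE,
            group_name TEXT NOT NULL REFERENCES groups(name) ON DELETE CASCADE,
            PRIMARY KEY (user_name, group_name)
        );
        -- A grant names either a user or a group, so it cannot use a plain
        -- foreign key; remove_user() cleans these up explicitly.
        CREATE TABLE permissions (
            principal      TEXT NOT NULL,
            principal_type TEXT NOT NULL CHECK (principal_type IN ('user', 'group')),
            role           TEXT NOT NULL,
            object_id      TEXT NOT NULL
        );
    """)
    return conn


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def add_user(conn, name, password):
    salt = os.urandom(16)  # per-user random salt, stored next to the hash
    with conn:
        conn.execute("INSERT INTO users(name, salt, pwhash) VALUES (?, ?, ?)",
                     (name, salt, _hash(password, salt)))


def add_group(conn, name):
    with conn:
        conn.execute("INSERT INTO groups(name) VALUES (?)", (name,))


def add_member(conn, user, group):
    with conn:
        conn.execute("INSERT INTO memberships(user_name, group_name) VALUES (?, ?)", (user, group))


def grant(conn, principal, principal_type, role, object_id):
    with conn:
        conn.execute("INSERT INTO permissions VALUES (?, ?, ?, ?)",
                     (principal, principal_type, role, object_id))


def authenticate(conn, name, password):
    """Return True only for a known, enabled user with the right password."""
    row = conn.execute("SELECT salt, pwhash, disabled FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        _hash(password, os.urandom(16))  # same cost as a real check: no user enumeration by timing
        return False
    salt, pwhash, disabled = row
    return hmac.compare_digest(_hash(password, salt), pwhash) and not disabled


def remove_user(conn, name):
    """Delete the user, its memberships (FK cascade) and its direct grants."""
    with conn:
        conn.execute("DELETE FROM permissions WHERE principal = ? AND principal_type = 'user'", (name,))
        cur = conn.execute("DELETE FROM users WHERE name = ?", (name,))
    return cur.rowcount == 1


def effective_roles(conn, name, object_id):
    """Roles on object_id granted directly or through any group the user is in."""
    rows = conn.execute("""
        SELECT role FROM permissions
        WHERE object_id = ? AND (
              (principal_type = 'user'  AND principal = ?)
           OR (principal_type = 'group' AND principal IN
               (SELECT group_name FROM memberships WHERE user_name = ?)))
    """, (object_id, name, name)).fetchall()
    return sorted({r[0] for r in rows})


def demo():
    conn = open_store()
    add_user(conn, "alice", "correct horse battery staple")
    add_group(conn, "admins")
    add_member(conn, "alice", "admins")
    grant(conn, "admins", "group", "SuperUser", "system")
    grant(conn, "alice", "user", "PowerUser", "cluster-1")
    result = {
        "good": authenticate(conn, "alice", "correct horse battery staple"),
        "bad": authenticate(conn, "alice", "wrong password"),
        "unknown": authenticate(conn, "bob", "anything"),
        "roles_before": effective_roles(conn, "alice", "system") + effective_roles(conn, "alice", "cluster-1"),
        "removed": remove_user(conn, "alice"),
    }
    result["roles_after"] = effective_roles(conn, "alice", "system")
    result["dangling_grants"] = conn.execute(
        "SELECT COUNT(*) FROM permissions WHERE principal = 'alice'").fetchone()[0]
    result["memberships_left"] = conn.execute("SELECT COUNT(*) FROM memberships").fetchone()[0]
    result["group_grant_kept"] = conn.execute(
        "SELECT COUNT(*) FROM permissions WHERE principal = 'admins'").fetchone()[0]
    conn.close()
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the cascade in remove_user is the one raised in the thread: after the user is gone there must be no dangling direct grants or memberships, while grants made to the group itself survive for its remaining members.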
_______________________________________________
Engine-devel mailing list
Engine-devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-devel