On 12/19/2012 05:00 PM, Jiri Belka wrote:
On Wed, 19 Dec 2012 16:35:43 +0200
Michael Pasternak <mpastern(a)redhat.com> wrote:
>> ForceCommand for ssh session can force command for logging user.
>>
>> Problem is ovirt-shell enables shell commands, that's not nice if we
>> would just want to give sysadmins some "restricted" cli for managing
>> oVirt environment.
>
> Why wouldn't you restrict the user's permissions via oVirt MLA?
> Then you just give him permissions to perform certain actions,
> which works across the stack ui/api/sdk/cli ...

No, this is a misunderstanding. I'm talking about normal ssh here, but
instead of a normal login shell the user would get ovirt-shell.

So as I don't want to let a user have normal ssh access - login
shell -> ovirt-shell, I was thinking to force him to just use
ovirt-shell directly and forbid him any "escapes" (running any command on the ssh
host). (Chrooting/selinux would be too much.)

ok, got you now, but note that ovirt-shell has its own proxy to the linux shell
via the '!' or 'shell' commands (see help),
you may want to file another RFE blocking it or requesting ovirt-shell-sudo
(just keep in mind that running without the linux shell in ovirt-shell will disable text
processing via pipe, scripting, file redirections, etc.)

ovirt-shell without running any shell commands.
>> 2. Could be implemented an ovirt-shell command like 'set' to set
>> configuration from ovirt-shell and save it(yes, user in
>> ovirt-shell should not touch filesystem directly)?
>>
>> Example:
>>
>> > set username = "foo@domain"
>> > save -a # save all runtime settings
>>
>> 3. Aliases like in lftp client?
>>
>> > alias lsvmmyvm list vms --query "name=myvm*"
>> > save alias lsvmmyvm
>
> Sounds interesting, can you file RFE on this?
OK, I'll do it.
jbelka
--
Michael Pasternak
RedHat, ENG-Virtualization R&D
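
The ssh side of the setup discussed in this thread can be checked mechanically. The script below is an added example, not code from the thread or from oVirt: it audits the effective sshd settings of an account that is meant to get ovirt-shell through ForceCommand. The path /usr/bin/ovirt-shell and both function names are assumptions, and the check does not cover the '!' and 'shell' commands inside ovirt-shell that Michael points out.

```shell
# Added example, not from the thread: audit the effective sshd settings of an
# account that is supposed to land in ovirt-shell and nowhere else.
# stdin: output of `sshd -T -C user=NAME[,host=...,addr=...]` (lowercase "keyword value" lines).
# Assumption: ovirt-shell lives at /usr/bin/ovirt-shell; pass another path as $1.
audit_restricted_cli() {
    awk -v want="${1:-/usr/bin/ovirt-shell}" '
        BEGIN {
            # Features that would let the user reach the host around the forced command.
            must["allowtcpforwarding"]   = "no"
            must["allowagentforwarding"] = "no"
            must["x11forwarding"]        = "no"
            must["permittunnel"]         = "no"
            must["permituserrc"]         = "no"
        }
        {
            val = $0
            sub(/^[^ \t]+[ \t]*/, "", val)   # everything after the keyword
            seen[$1] = val
        }
        END {
            bad = 0
            if (seen["forcecommand"] != want) {
                printf "FAIL forcecommand is \"%s\", expected \"%s\"\n", seen["forcecommand"], want
                bad++
            }
            for (k in must) if (seen[k] != must[k]) {
                printf "FAIL %s is \"%s\", expected \"%s\"\n", k, seen[k], must[k]
                bad++
            }
            if (bad == 0) print "OK: sshd side confines this account to " want
            exit (bad > 0)   # a missing keyword counts as a failure
        }'
}

# Constructed sample of what a correctly restricted account would report.
sample_effective_config() {
    cat <<'EOF'
forcecommand /usr/bin/ovirt-shell
allowtcpforwarding no
allowagentforwarding no
x11forwarding no
permittunnel no
permituserrc no
EOF
}
```

sshd runs the ForceCommand value through the user's login shell with -c, so the account's login shell remains part of what has to be trusted.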