
On Wed, 19 Dec 2012 16:35:43 +0200 Michael Pasternak <mpastern@redhat.com> wrote:
ForceCommand for an ssh session can force a command for the user logging in.
The problem is that ovirt-shell enables shell commands; that's not nice if we just want to give sysadmins some "restricted" CLI for managing an oVirt environment.
Why wouldn't you restrict the user's permissions via oVirt MLA? Then you just give him permissions to perform certain actions, which works across the stack ui/api/sdk/cli ...
No, this is a misunderstanding. I'm talking about normal ssh here, but instead of a normal login shell the user would get ovirt-shell. So as I don't want to let a user have normal ssh access - login shell -> ovirt-shell, I was thinking to force him to just use ovirt-shell directly and forbid him any "escapes" (running any command on the ssh host). (Chrooting/selinux would be too much.) ovirt-shell without running any shell commands.
2. Could an ovirt-shell command like 'set' be implemented to set configuration from ovirt-shell and save it (yes, a user in ovirt-shell should not touch the filesystem directly)?
Example:
set username = "foo@domain"
save -a # save all runtime settings
3. Aliases like in lftp client?
alias lsvmmyvm list vms --query "name=myvm*"
save alias lsvmmyvm
Sounds interesting, can you file an RFE on this?
OK, I'll do it.
jbelka