Re: [Users] ovirt-shell as ForceCommand for ssh logins
On Wed, 19 Dec 2012 16:35:43 +0200
Michael Pasternak <mpastern(a)redhat.com> wrote:
> ForceCommand for ssh session can force command for logging
user.
>
> Problem is ovirt-shell enables shell commands, that's not nice if we
> would just want to give sysadmins some "restricted" cli for managing
> oVirt environment.
Why wouldn't you restrict user's permissions via oVirt MLA?,
then you just give him permissions to perform certain actions
what is works across the stack ui/api/sdk/cli ...
No, this is misunderstanding. I'm talking about normal ssh here but
instead of normal login shell the user would get ovirt-shell.
So as I don't want to let an user to have normal ssh access - login
shell -> ovirt-shell, I was thinking to force him to just use directly
ovirt-shell and forbid him any "escapes" (running any command on ssh
host). (Chrooting/selinux would be too much.)
ovirt-shell without running any shell commands.
> 2. Could be implemented an ovirt-shell command like
'set' to set
> configuration from ovirt-shell and save it(yes, user in
> ovirt-shell should not touch filesystem directly)?
>
> Example:
>
> > set username = "foo@domain"
> > save -a # save all runtime settings
>
> 3. Aliases like in lftp client?
>
> > alias lsvmmyvm list vms --query "name=myvm*"
> > save alias lsvmmyvm
Sounds interesting, can you file RFE on this?
OK, I'll do it.
jbelka