[Users] ovirt-shell as ForceCommand for ssh logins

Hi,

ForceCommand for an ssh session can force a command for the logging-in user. Problem is ovirt-shell enables shell commands, that's not nice if we would just want to give sysadmins some "restricted" cli for managing an oVirt environment.

1. Could an option be implemented to disable these shell "escapes"? Like '-S', so it would be 'comment="/usr/bin/ovirt-shell -S"' in the user's authorized_keys.

2. Could an ovirt-shell command like 'set' be implemented to set configuration from ovirt-shell and save it (yes, a user in ovirt-shell should not touch the filesystem directly)? Example:

set username = "foo@domain"
save -a # save all runtime settings

3. Aliases like in the lftp client?

alias lsvmmyvm list vms --query "name=myvm*"
save alias lsvmmyvm

jbelka

On 12/19/2012 12:22 PM, Jiri Belka wrote:
> Hi,
> ForceCommand for an ssh session can force a command for the logging-in user.
> Problem is ovirt-shell enables shell commands, that's not nice if we would just want to give sysadmins some "restricted" cli for managing an oVirt environment.

Why wouldn't you restrict the user's permissions via oVirt MLA? Then you just give him permissions to perform certain actions, which works across the stack: ui/api/sdk/cli ...

> 1. Could an option be implemented to disable these shell "escapes"?
> Like '-S', so it would be 'comment="/usr/bin/ovirt-shell -S"' in the user's authorized_keys.
> 2. Could an ovirt-shell command like 'set' be implemented to set configuration from ovirt-shell and save it (yes, a user in ovirt-shell should not touch the filesystem directly)?
> Example:
> set username = "foo@domain"
> save -a # save all runtime settings
> 3. Aliases like in the lftp client?
> alias lsvmmyvm list vms --query "name=myvm*"
> save alias lsvmmyvm

Sounds interesting, can you file an RFE on this?

> jbelka
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users

-- 
Michael Pasternak
RedHat, ENG-Virtualization R&D

On Wed, 19 Dec 2012 16:35:43 +0200 Michael Pasternak <mpastern@redhat.com> wrote:
>> ForceCommand for an ssh session can force a command for the logging-in user.
>> Problem is ovirt-shell enables shell commands, that's not nice if we would just want to give sysadmins some "restricted" cli for managing an oVirt environment.
>
> Why wouldn't you restrict the user's permissions via oVirt MLA? Then you just give him permissions to perform certain actions, which works across the stack: ui/api/sdk/cli ...

No, this is a misunderstanding. I'm talking about normal ssh here, but instead of a normal login shell the user would get ovirt-shell. So as I don't want to let a user have normal ssh access (login shell -> ovirt-shell), I was thinking to force him to use ovirt-shell directly and forbid him any "escapes" (running any command on the ssh host). (Chrooting/selinux would be too much.) ovirt-shell without running any shell commands.

>> 2. Could an ovirt-shell command like 'set' be implemented to set configuration from ovirt-shell and save it (yes, a user in ovirt-shell should not touch the filesystem directly)?
>> Example:
>> set username = "foo@domain"
>> save -a # save all runtime settings
>> 3. Aliases like in the lftp client?
>> alias lsvmmyvm list vms --query "name=myvm*"
>> save alias lsvmmyvm
>
> Sounds interesting, can you file an RFE on this?

OK, I'll do it.

jbelka

On 12/19/2012 05:00 PM, Jiri Belka wrote:
> On Wed, 19 Dec 2012 16:35:43 +0200 Michael Pasternak <mpastern@redhat.com> wrote:
>>> ForceCommand for an ssh session can force a command for the logging-in user.
>>> Problem is ovirt-shell enables shell commands, that's not nice if we would just want to give sysadmins some "restricted" cli for managing an oVirt environment.
>>
>> Why wouldn't you restrict the user's permissions via oVirt MLA? Then you just give him permissions to perform certain actions, which works across the stack: ui/api/sdk/cli ...
>
> No, this is a misunderstanding. I'm talking about normal ssh here, but instead of a normal login shell the user would get ovirt-shell.
> So as I don't want to let a user have normal ssh access (login shell -> ovirt-shell), I was thinking to force him to use ovirt-shell directly and forbid him any "escapes" (running any command on the ssh host). (Chrooting/selinux would be too much.)

ok, got you now, but note that ovirt-shell has its own proxy to the linux shell via the '!' or 'shell' commands (see help). You may want to file another RFE blocking it, or requesting an ovirt-shell-sudo (just keep in mind that running without a linux shell in ovirt-shell will disable text processing via pipes, scripting, file redirections, etc.).

> ovirt-shell without running any shell commands.
>
>>> 2. Could an ovirt-shell command like 'set' be implemented to set configuration from ovirt-shell and save it (yes, a user in ovirt-shell should not touch the filesystem directly)?
>>> Example:
>>> set username = "foo@domain"
>>> save -a # save all runtime settings
>>> 3. Aliases like in the lftp client?
>>> alias lsvmmyvm list vms --query "name=myvm*"
>>> save alias lsvmmyvm
>>
>> Sounds interesting, can you file an RFE on this?
>
> OK, I'll do it.
>
> jbelka

-- 
Michael Pasternak
RedHat, ENG-Virtualization R&D
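The setup the thread is discussing, as an added example that is not part of the original posts and not oVirt project code: a ForceCommand wrapper that hands an ssh login straight to ovirt-shell and refuses any other requested command, together with the authorized_keys and sshd_config lines that point a key or an account at it. The wrapper path /usr/local/sbin/ovirt-shell-gate, the ovirt-shell location and the user name "sysadmin" are assumptions. Note that the authorized_keys option that runs a fixed program is command=, not comment=.

```shell
#!/bin/sh
# Added example (not from the thread or the oVirt project): a ForceCommand
# wrapper that runs ovirt-shell for an ssh login and refuses everything else.
# The wrapper path and the ovirt-shell location are assumptions.
set -u

OVIRT_SHELL=/usr/bin/ovirt-shell
GATE=/usr/local/sbin/ovirt-shell-gate

# authorized_keys entry for one public key. "restrict" (OpenSSH 7.2+) turns
# off pty allocation, port/agent/X11 forwarding and rc files in one word;
# "pty" is re-enabled after it because ovirt-shell is interactive.
authorized_keys_line() {
    printf 'restrict,pty,command="%s" %s\n' "$GATE" "$1"
}

# Equivalent server-side policy for a whole account, for sshd_config.
sshd_match_block() {
    cat <<EOF
Match User $1
    ForceCommand $GATE
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# With a forced command sshd never runs what the client asked for; it only
# exposes it in SSH_ORIGINAL_COMMAND and the wrapper decides. Accept an
# interactive login (empty) or a bare "ovirt-shell"; refuse anything else
# (scp/sftp, "ovirt-shell; id", ...) and never hand the string to a shell.
# Prints the program to exec and returns 0 when allowed, 1 otherwise.
gate_decide() {
    case "$1" in
        ''|ovirt-shell) printf '%s\n' "$OVIRT_SHELL"; return 0 ;;
        *)              return 1 ;;
    esac
}

# Entry point, only taken under a real sshd session (sshd sets SSH_CONNECTION).
if [ -n "${SSH_CONNECTION-}" ]; then
    if prog=$(gate_decide "${SSH_ORIGINAL_COMMAND-}"); then
        exec "$prog"
    fi
    echo "ovirt-shell-gate: refused: ${SSH_ORIGINAL_COMMAND-}" >&2
    exit 1
fi
```

What this closes is the ssh side only: no scp, no forwarding, no alternate command. ovirt-shell's own '!' and 'shell' commands, which Michael points out above, still run programs on the host as the login user, so a user who reaches ovirt-shell through this wrapper is not confined unless those escapes are disabled in ovirt-shell itself (the RFE discussed in the thread).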
participants (2): Jiri Belka, Michael Pasternak