[Kimchi-devel] [RFC] Authorization enhancement

Shu Ming shuming at linux.vnet.ibm.com
Mon Jan 20 14:25:15 UTC 2014 

Yu Xin,

Thanks for your detail comments.

于 2014/1/20 18:20, Yu Xin Huo 写道:
>
> I have read the oVirt security model, I think basically, for
> virtualization management, it can be applied to Kimchi.
> I think Kimchi's security model can be created with some customization
> of oVirt's security model.
>
> I recommend 3 levels of administration below:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.0/html/Administration_Guide/Administration_Guide-Managing_User_Access.html
> 1. console admin -- handle kimchi administration, host level physical
> resources management.

That is like the system administrator in my proposal who are also
responsible to assign roles to users..

> 2. resource admin -- OOTB roles with permission combined with resource
> type, like VMAdmin, StorageAdmin, NetworkAdmin...
> this type of users are responsible to construct environment for a
> certain task.
> their authorizations can be easily constructed with combination with
> OOTB roles, then they can start to create resources needed.
> I think it will be needed if we can set some limit on resource usages
> like max cpu, memory, bandwidth.\

I agree that the user with this role can access the resources based on
resource type instead of on resource object. For example, if the uer get
a "Storage Admin" role, he can access all the storage pools in Kimchi
not bound to one specific storage pool.

In the pother hand, in the initial effort, I don't want to define so
many roles to manage resources. In my proposal, I use one role
"infrastructure" to be a role accessing both the host level physical
resource and virtualization resources. Host level physical resources
management means disks, physical networks in the hosts. Virtualization
resources means storage pools, network pools. We can keep this in mind
and try to define more administration roles to replace the
"infrastructure role" in the next step.

>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.0/html/Administration_Guide/Virtual_Roles.html
> 3. resource user -- at this level, I tend to think that no OOTB roles
> are needed as fine granularity of authorization will be needed.
> the authorization at this level are at a resource basis, need to
> assign permissions for each user on each resource.
> one thing to emphasize is that, resource user does not mean the user
> can only use(start/stop/vnc) the resource,
> it depends on concrete case, they can be assigned with permission to
> update/delete resources.


As you can see in Ovirt, authorization is applied based on the
combination of the three components in any action

  *
    The user performing the action
  *
    The type of action being performed
  *
    The object on which the action is being performed

Please be noted that the object is not bound to a role in oVirt. On the
other hand, you need assign a resource to a user. Here is one example to
assign a virtual machine to a user With a "UserRole" role.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.0/html/Administration_Guide/Virtual_Roles.html

>
> I think this is a flexible and efficient authority delegation model
> with responsibilities balanced.
>
>
> On 1/15/2014 3:03 PM, Shu Ming wrote:
>>
>>
>>   Background
>>
>>
>> In Kimchi, now we have a basic authentication model based on PAM. In
>> this model, all the authenticated user get all of the privileges to
>> access the resources in Kimchi. However, it is too simple to cause
>> some security holes and classifying the user with different roles is
>> a way to address the holes. Roles with very fine grained privileges
>> need huge effort and time, so here we are trying to split the effort
>> with several steps. And we will discuss the first step of the effort
>> in the below which can be achieved in a certain time bound and
>> reserve the forward compatibility for future extensions.
>>
>>
>>   First step of the effort
>>
>>
>> In this step, the goal is to authorize the user's action on a
>> resource by roles. The user action here is applied by the REST API
>> exposed by Kimchi. Every action on Kimchi resources should be checked
>> based on the user's role. In this step, we will not try to have roles
>> in a very fine granularity. Naturally, three permanent roles will be
>> created by default, the system administrator role, the infrastructure
>> role and the user role.
>>
>> * The system administrator get the privileges to manage the roles for
>> the other users including assigning a role to a user, removing the
>> role from a user &etc. A default user "admink" will be created by
>> default with a system administrator role assigned to it. And the role
>> of the user "admink" can not be modified.
>>
>> * The infrastructure role get the privileges to manage the physical
>> resources and virtual resources including network's creation and
>> deletion, create or delete storage storage pools or storage volumes'
>> creation and deletion, adding a user to the user list of storage
>> storage pool &etc.
>>
>> * The user role get the privileges to apply action on VMs including
>> VMs' starting and stopping, viewing the VM console by VNC &etc.
>>
>> * Some of the change can be enhanced on the existing REST API like
>> "DELETE /storagepools/poo1/vo1". But we need create new REST APIs for
>> actions like adding a role for a user like " PUT /users/user1 {role:
>> "user role"}"
>>
>> * Database is needed to store the user information including roles
>> and resource user list
>>
>> Beside the privileges inherited from the user's role, Kimchi will
>> check if a user get the permission to access a resource based on a
>> tuple. The tuple is composed from both the privileges of the user and
>> the user list of the resource. An example is, if a user try ti delete
>> a storage volume from the stroage pool, Kimchi will check if it is
>> assigned a infrastructure role and if it is in the user list of the
>> storage pool.
>>
>>
>>   Next step of the effort
>>
>>
>> * The roles are defined in a very fine granularity containing the
>> privileges precisely matching what the system administrator expects.
>>
>> * Existing roles can by customized by the system administrator from a
>> set of previleges. The set of privileges should be pre-defined and
>> hierarchy.
>>
>> * The system administrator can create new roles with customized
>> privileges
>>
>>
>> _______________________________________________
>> Kimchi-devel mailing list
>> Kimchi-devel at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>
>
>
> _______________________________________________
> Kimchi-devel mailing list
> Kimchi-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/kimchi-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/kimchi-devel/attachments/20140120/8a16a4c0/attachment.html>

More information about the Kimchi-devel mailing list