[Users] ovirt-shell as ForceCommand for ssh logins

Jiri Belka jbelka at redhat.com
Wed Dec 19 15:00:34 UTC 2012


On Wed, 19 Dec 2012 16:35:43 +0200
Michael Pasternak <mpastern at redhat.com> wrote:

> > ForceCommand for ssh session can force command for logging user.
> > 
> > Problem is ovirt-shell enables shell commands, that's not nice if we
> > would just want to give sysadmins some "restricted" cli for managing
> > oVirt environment.
> 
> Why wouldn't you restrict user's permissions via oVirt MLA?,
> then you just give him permissions to perform certain actions
> what is works across the stack ui/api/sdk/cli ...

No, this is misunderstanding. I'm talking about normal ssh here but
instead of normal login shell the user would get ovirt-shell.

So as I don't want to let an user to have normal ssh access - login
shell -> ovirt-shell, I was thinking to force him to just use directly
ovirt-shell and forbid him any "escapes" (running any command on ssh
host). (Chrooting/selinux would be too much.)

ovirt-shell without running any shell commands.

> > 2. Could be implemented an ovirt-shell command like 'set' to set
> >    configuration from ovirt-shell and save it(yes, user in
> > ovirt-shell should not touch filesystem directly)?
> > 
> >    Example:
> > 
> >    > set username = "foo at domain"
> >    > save -a # save all runtime settings
> > 
> > 3. Aliases like in lftp client?
> > 
> >    > alias lsvmmyvm list vms --query "name=myvm*"
> >    > save alias lsvmmyvm
> 
> Sounds interesting, can you file RFE on this?

OK, I'll do it.

jbelka



More information about the Users mailing list