[Users] ovirt-shell as ForceCommand for ssh logins
Jiri Belka
jbelka at redhat.com
Wed Dec 19 15:00:34 UTC 2012
On Wed, 19 Dec 2012 16:35:43 +0200
Michael Pasternak <mpastern at redhat.com> wrote:
> > ForceCommand for ssh session can force command for logging user.
> >
> > Problem is ovirt-shell enables shell commands, that's not nice if we
> > would just want to give sysadmins some "restricted" cli for managing
> > oVirt environment.
>
> Why wouldn't you restrict user's permissions via oVirt MLA?,
> then you just give him permissions to perform certain actions
> what is works across the stack ui/api/sdk/cli ...
No, this is misunderstanding. I'm talking about normal ssh here but
instead of normal login shell the user would get ovirt-shell.
So as I don't want to let an user to have normal ssh access - login
shell -> ovirt-shell, I was thinking to force him to just use directly
ovirt-shell and forbid him any "escapes" (running any command on ssh
host). (Chrooting/selinux would be too much.)
ovirt-shell without running any shell commands.
> > 2. Could be implemented an ovirt-shell command like 'set' to set
> > configuration from ovirt-shell and save it(yes, user in
> > ovirt-shell should not touch filesystem directly)?
> >
> > Example:
> >
> > > set username = "foo at domain"
> > > save -a # save all runtime settings
> >
> > 3. Aliases like in lftp client?
> >
> > > alias lsvmmyvm list vms --query "name=myvm*"
> > > save alias lsvmmyvm
>
> Sounds interesting, can you file RFE on this?
OK, I'll do it.
jbelka
More information about the Users
mailing list