[Users] ovirt-shell as ForceCommand for ssh logins
Michael Pasternak
mpastern at redhat.com
Wed Dec 19 15:45:18 UTC 2012
On 12/19/2012 05:00 PM, Jiri Belka wrote:
> On Wed, 19 Dec 2012 16:35:43 +0200
> Michael Pasternak <mpastern at redhat.com> wrote:
>
>>> ForceCommand for an ssh session can force a command for the user logging in.
>>>
>>> Problem is ovirt-shell enables shell commands, that's not nice if we
>>> would just want to give sysadmins some "restricted" cli for managing
>>> oVirt environment.
>>
>> Why wouldn't you restrict the user's permissions via oVirt MLA?
>> Then you just give him permissions to perform certain actions,
>> which works across the stack: ui/api/sdk/cli ...
>
> No, this is a misunderstanding. I'm talking about normal ssh here, but
> instead of a normal login shell the user would get ovirt-shell.
>
> So as I don't want to let a user have normal ssh access - login
> shell -> ovirt-shell, I was thinking to force him to just use
> ovirt-shell directly and forbid him any "escapes" (running any command
> on the ssh host). (Chrooting/selinux would be too much.)

OK, got you now, but note that ovirt-shell has its own proxy to the Linux shell
via the '!' or 'shell' commands (see help).
You may want to file another RFE blocking it or requesting ovirt-shell-sudo
(just keep in mind that running without the Linux shell in ovirt-shell will disable text
processing via pipes, scripting, file redirections, etc.).
>
> ovirt-shell without running any shell commands.
>
>>> 2. Could an ovirt-shell command like 'set' be implemented to set
>>> configuration from ovirt-shell and save it (yes, a user in
>>> ovirt-shell should not touch the filesystem directly)?
>>>
>>> Example:
>>>
>>> > set username = "foo at domain"
>>> > save -a # save all runtime settings
>>>
>>> 3. Aliases like in lftp client?
>>>
>>> > alias lsvmmyvm list vms --query "name=myvm*"
>>> > save alias lsvmmyvm
>>
>> Sounds interesting, can you file RFE on this?
>
> OK, I'll do it.
>
> jbelka
--
Michael Pasternak
RedHat, ENG-Virtualization R&D