I've noticed that we suggest our users that they should use the 'pegasus' user for connection to pegasus, for example in the Quick Start Guide [1].
But the default pegasus configuration forbids non-privileged users to create indication subscriptions. This affects the 'pegasus' user. When someone connects to the pegasus using 'pegasus' user, he can't create any subscription, unless it's explicitly allowed in the pegasus configuration:
(from man cimconfig):
enableSubscriptionsForNonprivilegedUsers
Description: If True, nonprivileged user of the system will be allowed to create Indication Subscription, otherwise privileged access is required.
Default Value: False
Dynamic: No
I think that this behavior is very confusing for our users, we should do one of the following options:
1) stick with current way - user must change that option in order to create subscription as 'pegasus' (or other non-root) user and document it,
2) allow 'pegasus' user to create indication subscriptions by default (don't know if pegasus supports some kind of whitelisting of users),
3) mark 'pegasus' user as privileged (not sure if possible),
4) Turn option 'enableSubscriptionsForNonprivilegedUsers' on by default,
5) something else, suggestions welcomed.
I like the 2) most, but I'm not sure if it's possible to do it easily. Maybe we should consult pegasus upstream why is it done this way.
What do you think?
FYI: I've enabled that config option on buildbot so our tests work.
Radek Novacek
On 01/03/2014 01:30 PM, Radek Novacek wrote:
> I've noticed that we suggest our users that they should use the 'pegasus' user for connection to pegasus, for example in the Quick Start Guide [1].
> But the default pegasus configuration forbids non-privileged users to create indication subscriptions. This affects the 'pegasus' user. When someone connects to the pegasus using 'pegasus' user, he can't create any subscription, unless it's explicitly allowed in the pegasus configuration:
> (from man cimconfig):
> enableSubscriptionsForNonprivilegedUsers
> Description: If True, nonprivileged user of the system will be allowed to create Indication Subscription, otherwise privileged access is required.
> Default Value: False
> Dynamic: No
> I think that this behavior is very confusing for our users, we should do one of the following options:
> - stick with current way - user must change that option in order to create subscription as 'pegasus' (or other non-root) user and document it,
> - allow 'pegasus' user to create indication subscriptions by default (don't know if pegasus supports some kind of whitelisting of users),
> - mark 'pegasus' user as privileged (not sure if possible),
Looking into sources, Pegasus checks for uid == 0, all other users are 'unprivileged'.
> - Turn option 'enableSubscriptionsForNonprivilegedUsers' on by default,
> - something else, suggestions welcomed.
> I like the 2) most, but I'm not sure if it's possible to do it easily. Maybe we should consult pegasus upstream why is it done this way.
> What do you think?
Both #2 and #3 need some changes in Pegasus sources, so I would use #4 - set enableSubscriptionsForNonprivilegedUsers in default config. If a user can read an object, it should be allowed to subscribe to its events.
If an admin wants something else, he can set read-only privileges on root/interop namespace for the respective user.
Please create appropriate bugs in our Bugzilla.
Jan
On Tue, Jan 7, 2014 at 5:16 PM, Jan Safranek jsafrane@redhat.com wrote:
> On 01/03/2014 01:30 PM, Radek Novacek wrote:
> > I've noticed that we suggest our users that they should use the 'pegasus' user for connection to pegasus, for example in the Quick Start Guide [1].
> > But the default pegasus configuration forbids non-privileged users to create indication subscriptions. This affects the 'pegasus' user. When someone connects to the pegasus using 'pegasus' user, he can't create any subscription, unless it's explicitly allowed in the pegasus configuration:
> > (from man cimconfig):
> > enableSubscriptionsForNonprivilegedUsers
> > Description: If True, nonprivileged user of the system will be allowed to create Indication Subscription, otherwise privileged access is required.
> > Default Value: False
> > Dynamic: No
> > I think that this behavior is very confusing for our users, we should do one of the following options:
> > - stick with current way - user must change that option in order to create subscription as 'pegasus' (or other non-root) user and document it,
> > - allow 'pegasus' user to create indication subscriptions by default (don't know if pegasus supports some kind of whitelisting of users),
> > - mark 'pegasus' user as privileged (not sure if possible),
> Looking into sources, Pegasus checks for uid == 0, all other users are 'unprivileged'.
starting from pegasus 2.11.2 and 2.12 onwards, privileged users are users with gid == 0 or uid == 0
Details at [1] and [2]
Seems that you are using 2.11.0 or 2.11.1 or earlier versions of pegasus
[1] http://bugzilla.openpegasus.org/show_bug.cgi?id=9319
[2] http://bugzilla.openpegasus.org/show_bug.cgi?id=9334
> Jan
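To see which local accounts each combination discussed in this thread would let create indication subscriptions, the sketch below applies the two privilege rules mentioned (uid == 0 only, and gid == 0 or uid == 0) together with the enableSubscriptionsForNonprivilegedUsers setting. It is an added example, not code from the thread or from OpenPegasus: the function names and the passwd lines are constructed, and "gid" is assumed to mean the primary group in the passwd entry.

```python
# Added illustration: models the rules described in the thread, not Pegasus code.
# Constructed passwd(5)-style sample; the uid/gid values are illustrative.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
pegasus:x:66:65:CIM server:/var/lib/Pegasus:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
"""

def parse_passwd(text):
    """Return {name: (uid, gid)}; malformed or commented lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < 4:
            continue
        try:
            accounts[fields[0]] = (int(fields[2]), int(fields[3]))
        except ValueError:
            continue  # non-numeric uid/gid field
    return accounts

def is_privileged(uid, gid, gid_rule):
    """gid_rule=False: uid == 0 only. gid_rule=True: gid == 0 or uid == 0."""
    return uid == 0 or (gid_rule and gid == 0)

def audit(text, gid_rule, enable_nonpriv):
    """Map each account to whether it could create an indication subscription."""
    return {
        name: enable_nonpriv or is_privileged(uid, gid, gid_rule)
        for name, (uid, gid) in parse_passwd(text).items()
    }

if __name__ == "__main__":
    for gid_rule in (False, True):
        for enable_nonpriv in (False, True):
            allowed = sorted(n for n, ok in audit(SAMPLE_PASSWD, gid_rule,
                                                  enable_nonpriv).items() if ok)
            print(f"gid_rule={gid_rule} enable_nonpriv={enable_nonpriv}: {allowed}")
```

With the option left at its default, only root (and, under the gid rule, accounts whose primary group is 0) can subscribe; turning the option on extends that to every account the CIM server authenticates, not just 'pegasus'.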