ACL security issue with ansible
-
Hello!
I'm developing my own playbooks and roles for ansible using xen_orchestra inventory module.In XenOrhestra I created:
- ansible user with "User" type
- added ansible user into new ansible group
- logged in with another web browser using ansible user credentials = i see nothing (it's okay)
- I created an ACL for ansible user group with role "Viewer" for 6 standalone pools (6 standalone servers XCP-ng)
- Switched to my browser again. Ansible user able to see all 6 Hosts,Pools and all vm's running on it.
- I specified ansible user credentials in xen_orchestra inventory file
- executed
ansible-inventory -i ./path/to/my/inventory/file/xen_orchestra.yaml --graphand saw EVERYTHING (not only my 6 hosts! dozens my servers, all my vm's of all my projects which ansible user unable to see through browser)
Is it an issue or I don't understand something?
It looks like XO ACL not working well with ansible. -
Question for @julien-f
-
-
O olivierlambert moved this topic from Advanced features on
-
@nickdsl This is a known limitation: at the moment, xo-server doesn’t filter objects based on permissions: permissions are currently applied during actions.
We’re actively working on resolving this in XO6 and the new REST API to improve overall functionality.
-
@julien-f thanks.
-
Note: we are working on creating XO clients for both Go and Python, and they will (as soon as we can) rely on the REST API.
Meaning you won't have this problem anymore
Stay tuned, I hope to announce the new clients for next XO release (end of the month)
-
@olivierlambert said in ACL security issue with ansible:
the REST API.
please start this, happy to contribute for python sdk.
-
It is started, we should have repos soon and a first basic version for the end of the month
-
@olivierlambert please update once repo are made public.
-
@nathanael-h will
