XCP-ng

    ACL security issue with ansible

nickdsl

Hello!
I'm developing my own playbooks and roles for Ansible using the xen_orchestra inventory module.

In Xen Orchestra I created:

1. an ansible user with the "User" type
2. added the ansible user to a new ansible group
3. logged in with another web browser using the ansible user credentials = I see nothing (that's okay)
4. created an ACL for the ansible user group with the "Viewer" role for 6 standalone pools (6 standalone XCP-ng servers)
5. switched to my browser again. The ansible user is able to see all 6 hosts, pools and all VMs running on them.
6. specified the ansible user credentials in the xen_orchestra inventory file
7. executed ansible-inventory -i ./path/to/my/inventory/file/xen_orchestra.yaml --graph and saw EVERYTHING (not only my 6 hosts! dozens of my servers, all my VMs of all my projects, which the ansible user is unable to see through the browser)

Is it an issue, or am I missing something?
It looks like XO ACLs are not working well with Ansible.

olivierlambert (Vates Co-Founder, CEO)

        Question for @julien-f

nickdsl

          @julien-f ?

julien-f (Vates Co-Founder, XO Team) @nickdsl

@nickdsl This is a known limitation: at the moment, xo-server doesn't filter objects based on permissions; permissions are currently applied during actions.

We're actively working on resolving this in XO6 and the new REST API to improve overall functionality.

nickdsl @julien-f
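Until xo-server filters objects by permission, a defender-side check is to compare what the inventory plugin returns against the pools the ACL actually grants. The script below is an added example, not code from Xen Orchestra, xo-server or the xen_orchestra inventory plugin: it parses `ansible-inventory --list` JSON, reports every host that sits in a pool the account should not see, and builds a pruned inventory containing only permitted hosts. The sample inventory is constructed, and the `xo_pool_<name>` group naming is an assumption about how the plugin groups VMs by pool.

```python
import json

# Constructed sample of `ansible-inventory --list` JSON output. Host names,
# pools and UUIDs are made up; the xo_pool_<name> group naming is an assumed
# convention for the xen_orchestra inventory plugin.
SAMPLE_INVENTORY = json.dumps({
    "_meta": {"hostvars": {
        "web-01": {"uuid": "11111111-0000-0000-0000-000000000001"},
        "db-01": {"uuid": "11111111-0000-0000-0000-000000000002"},
        "ci-01": {"uuid": "11111111-0000-0000-0000-000000000003"},
        "billing-01": {"uuid": "11111111-0000-0000-0000-000000000004"},
    }},
    "all": {"children": ["ungrouped", "xo_pool_lab-1", "xo_pool_lab-2",
                         "xo_pool_finance", "xo_status_running"]},
    "xo_pool_lab-1": {"hosts": ["web-01", "db-01"]},
    "xo_pool_lab-2": {"hosts": ["ci-01"]},
    "xo_pool_finance": {"hosts": ["billing-01"]},
    "xo_status_running": {"hosts": ["web-01", "db-01", "ci-01", "billing-01"]},
})


def audit_inventory(inventory_json, allowed_pools, prefix="xo_pool_"):
    """Split the hosts of every pool group into permitted and leaked.

    Returns (permitted_hosts, leaked): a sorted list of hosts that belong to
    an allowed pool, and a dict mapping each pool the account should not see
    to the sorted hosts the inventory exposed from it.
    """
    inv = json.loads(inventory_json)
    permitted, leaked = set(), {}
    for group, body in inv.items():
        if not group.startswith(prefix):
            continue  # _meta, all, xo_status_* and so on are not pool groups
        pool = group[len(prefix):]
        hosts = body.get("hosts", [])
        if pool in allowed_pools:
            permitted.update(hosts)
        elif hosts:
            leaked[pool] = sorted(hosts)
    return sorted(permitted), leaked


def restrict_inventory(inventory_json, allowed_pools, prefix="xo_pool_"):
    """Return an inventory dict that keeps only hosts of allowed pools.

    Every group is filtered to permitted hosts, groups left empty are
    dropped, and children lists are pruned to groups that still exist.
    """
    inv = json.loads(inventory_json)
    keep = set(audit_inventory(inventory_json, allowed_pools, prefix)[0])
    groups = {}
    for group, body in inv.items():
        if group == "_meta":
            continue
        hosts = [h for h in body.get("hosts", []) if h in keep]
        if hosts or "children" in body:
            groups[group] = {"hosts": hosts} if hosts else {}
    for group, body in inv.items():
        if group in groups and "children" in body:
            groups[group]["children"] = [c for c in body["children"] if c in groups]
    groups["_meta"] = {"hostvars": {
        h: v for h, v in inv["_meta"]["hostvars"].items() if h in keep}}
    return groups


if __name__ == "__main__":
    # The ACL in this scenario grants Viewer on lab-1 and lab-2 only.
    allowed = {"lab-1", "lab-2"}
    permitted, leaked = audit_inventory(SAMPLE_INVENTORY, allowed)
    print("permitted hosts:", permitted)
    for pool, hosts in leaked.items():
        print(f"LEAK: pool {pool!r} exposed {hosts} despite no ACL entry")
    print(json.dumps(restrict_inventory(SAMPLE_INVENTORY, allowed), indent=2))
```

Run it against real output by piping `ansible-inventory -i xen_orchestra.yaml --list` into `audit_inventory` with the pools from the ACL; a non-empty `leaked` dict is the condition this thread describes, and the pruned dict from `restrict_inventory` can be written out as a static JSON inventory so playbooks never target hosts outside the granted pools.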

              @julien-f thanks.

olivierlambert (Vates Co-Founder, CEO)

                Note: we are working on creating XO clients for both Go and Python, and they will (as soon as we can) rely on the REST API.

                Meaning you won't have this problem anymore 🙂

Stay tuned, I hope to announce the new clients for the next XO release (end of the month).

irtaza9 @olivierlambert

@olivierlambert said in ACL security issue with ansible:

> the REST API.

Please start this, happy to contribute to a Python SDK.

olivierlambert (Vates Co-Founder, CEO)

It is started; we should have repos soon and a first basic version by the end of the month 🙂

irtaza9 @olivierlambert

@olivierlambert Please update once the repos are made public.

olivierlambert (Vates Co-Founder, CEO)

@nathanael-h will.
