[Ovirt-devel] ovirt and freeipa

Ian Main imain at redhat.com
Thu Apr 9 19:46:24 UTC 2009


On Thu, 09 Apr 2009 15:37:45 -0400
Michael DeHaan <mdehaan at redhat.com> wrote:

> Ian Main wrote:

[snip]

> > The thing this protects against is malicious nodes. Note that a VM
> > could also register as a node, so you have to trust your VMs too.
> > This is actually a problem with the current default config. Note
> > that you don't need a node image booted, you just need the ovirt
> > scripts to register with the ovirt server etc. The danger of a rogue
> > node is that it gives that node access to whatever VMs happen to get
> > created on it (take snapshot, scp it to home computer or such - image
> > stealing).
> >
> > I think it would be a good idea to enable the qpid infrastructure to
> > work without kerberos for demoing/testing/evaluating.
> 
> I'm really going to want this, especially speaking out to libvirt-qmf.
> Not just in the oVirt context, but in general. IIRC this does support
> anything GSSAPI though, so we're really just talking about internal QMF
> to ovirt requiring kerberos?

Yes, it's just the way it's configured on the nodes and the server via
the default install. libvirt-qpid itself can use any of the GSSAPI
authentication systems... and actually, if you run qpidd with --auth no,
then you can use no authentication at all if you like. :)

> Yes, anything that makes life easier on developers would be a huge plus.
> Requiring kerberos (but not IPA) in the installed environment seems
> reasonable though... but one shouldn't assume the kerb source is IPA or
> that folks need to have an LDAP server.

I think we only really require kerberos at this level. Even the calls
in the scripts use straight kerberos commands to generate principals and
tickets. I'm not entirely sure it would still all work though.

    Ian
