MAAS

Non-admin access to cluster controller config

Bug #1365616 reported by Dean Henrichsmeyer on 2014-09-04

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	MAAS	Fix Released	High	Julian Edwards	MAAS 1.7.0

Bug Description

Right now, the only way you can get access to static/dynamic IP ranges of interfaces is as an admin user. We need access to that information as a normal user.

See original description

Tags:

Related branches

lp:~julian-edwards/maas/relax-cluster-interface-security

Merged into lp:~maas-committers/maas/trunk at revision 2930

Gavin Panella (community): Approve on 2014-09-08

Dean Henrichsmeyer (dean) on 2014-09-04

summary:	- Networks defined in MAAS need to be made available to non-admin users - via the API + Non-admin access to cluster controller config
description:	updated

Julian Edwards (julian-edwards) on 2014-09-05

Changed in maas:
status:	New → Triaged
importance:	Undecided → High

Revision history for this message

Julian Edwards (julian-edwards) wrote on 2014-09-05:

I'd like to understand the use case for this — what are you doing with those ranges? I consider them internal to MAAS but perhaps there's something I hadn't considered. Ideally, I'd want all useful network info in the network API.

Thanks!

Revision history for this message

Julian Edwards (julian-edwards) wrote on 2014-09-05:

One point to note is that if we did this it would allow any user to know intricate details of networks in maas, which is not necessarily desirable — unless you're an attacker.

Revision history for this message

Dean Henrichsmeyer (dean) wrote on 2014-09-05:

I share in your concern of the validity of the request.

If you take the approach that a MAAS user should have access to the resources MAAS manages in order to properly use them, it makes sense.

If you're creating users in MAAS and you want to limit their access to configuration options for security concerns, that's also valid.

I wasn't going to file it but Mark wants all users in MAAS to have access to the information. The first use case is the one he's going for. He mentioned at some point having some checkpoints such as limiting the number of IPs users can consume, etc, but at any rate, he wants all of the information available.

Thanks.

Revision history for this message

Dean Henrichsmeyer (dean) wrote on 2014-09-05:

Sorry, I forgot to answer your initial question. We're configuring Neutron in OpenStack based on upon the networks defined in MAAS and the machines registered in MAAS that can see one or more of the defined networks.

A valid use case is to use one physical network for both host infrastructure and "public" IPs and for that we need to know the ranges allocated in MAAS for the managed network.

Thanks.

Julian Edwards (julian-edwards) on 2014-09-08

Changed in maas:
status:	Triaged → In Progress
assignee:	nobody → Julian Edwards (julian-edwards)
milestone:	none → 1.7.0

MAAS Lander (maas-lander) on 2014-09-08

Changed in maas:
status:	In Progress → Fix Committed

Julian Edwards (julian-edwards) on 2014-11-19

Changed in maas:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.