Comment 4 for bug 1033899

I'm not sure if I understand the issue here. If a user is logged in as root, they should be allowed to issue XenAPI commands (either through the xe CLI, or through the XML-RPC API, over the local unix domain socket) without a password. This is the current behavior, both before and after this patch has been applied.

The new PAM rules only apply to someone using the XML-RPC API remotely, either over HTTP or HTTPS. The new rule allows only the root user to issue commands. The user must provide a username and password each time he/she executes a remote API command. The old PAM rules allowed any local user on the host to issue these commands. The new rule restricts this to just the root user (and users in the group xapi, iff that line is uncommented).

Here are a few tests that one can run on the new xcp-xapi in order to see the expected behavior. All commands are run from dom0.

root# xe vm-list
<this should work>

root# xe vm-list -s localhost -u root -pw <root's password>
<this should work (remote API call authenticating with root)>

root# xe vm-list -s locahost -u guest -pw <guest's password>
<this should FAIL (remote API call authenticating with non-root)>

guest$ xe vm-list
<this should FAIL (only root has access to local unix domain socket)>

guest$ xe vm-list -s localhost -u guest -pw <guest's password>
<this should FAIL (remote API call authenticating with non-root)>

guest$ xe vm-list -s localhost -u root -pw <root's password>
<this should work (remote API call authenticating with root)>