Bug 1006233 - [RFE][UI] Give option to add a host with alternative user name (not root).
[RFE][UI] Give option to add a host with alternative user name (not root).
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: RFEs (Show other bugs)
3.3.0
x86_64 Linux
unspecified Severity high
: ---
: ---
Assigned To: Scott Herold
: FutureFeature
: 508541 794867 1099591 1134903 (view as bug list)
Depends On: 794867
Blocks: 855973 829023
  Show dependency treegraph
 
Reported: 2013-09-10 05:40 EDT by vvyazmin@redhat.com
Modified: 2016-11-29 04:38 EST (History)
23 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-29 04:38:20 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
sherold: Triaged+


Attachments (Terms of Use)
## Screenshot (315.02 KB, image/png)
2013-09-10 05:40 EDT, vvyazmin@redhat.com
no flags Details

  None (edit)
Description vvyazmin@redhat.com 2013-09-10 05:40:23 EDT
Created attachment 795912 [details]
## Screenshot

Description of problem:
Give option to add a host with alternative user name.

Version-Release number of selected component (if applicable):
RHEVM 3.3 - IS13 environment:

RHEVM:  rhevm-3.3.0-0.19.master.el6ev.noarch
PythonSDK:  rhevm-sdk-python-3.3.0.13-1.el6ev.noarch
VDSM:  vdsm-4.12.0-105.git0da1561.el6ev.x86_64
LIBVIRT:  libvirt-0.10.2-18.el6_4.9.x86_64
QEMU & KVM:  qemu-kvm-rhev-0.12.1.2-2.355.el6_4.7.x86_64
SANLOCK:  sanlock-2.8-1.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
Add a new host to RHEVM via WebAdmin

Actual results:
User name (root) with which the server is being added can’t be changed 

Expected results:
Give option to add a host with alternative user name.
For security reason some companies don’t work directly with user “root”, work alternative user name that have same permissions as user “root”.

Impact on user:

Workaround:

Additional info:
Print screen attached

/var/log/ovirt-engine/engine.log

/var/log/vdsm/vdsm.log
Comment 1 Barak 2013-09-11 07:29:31 EDT
This issue depends on the functionality of the log collector in these circumstances (SSH to each host with it's specific name) and having the sos report on the remote host to function with the remote user.

Host deploy already supports adding a host with a different user name, for 3.3 it is blocked only in UI.
Comment 4 Barak 2013-12-26 06:08:12 EST
Keith,

Can you please comment on the log collector / sos report issue mentioned in comment #1
Comment 5 Keith Robertson 2014-01-09 16:23:49 EST
(In reply to Barak from comment #4)
> Keith,
> 
> Can you please comment on the log collector / sos report issue mentioned in
> comment #1

The hurdles for using a user other than 'root' as they relate to the Log Collector (and the Red Hat Support Plug-in) are as follows:

1) Both the Log Collector and the RH Support plug-in call SoS when they attempt to collect logs from the Hypervisors.  For many reasons, SoS must be run as 'root' because it vacuums up all sorts of data and log files, config files, etc. that only 'root' would have access to.  

2) You would need to store the actual user name of the non-root user somewhere on the RHEV-M. You need this because the Log Collector and the Red Hat Support plug-in would need to know the actual user name to use when attempting to SSH/SFTP into the designated hypervisor.

3) So that you don't have to type a user ID an password in every time you want to collect logs from N hypervisors, the RHEV-M installer would need to insert a public SSH key into each non-root user's /home/NON-ROOT-USER-HERE/.ssh/authorized_keys file.

4) The RHEV-H installer would need to be modified such that it actually created a non-root user.

5) The non-root user would need to have an entry in /etc/sudoers or console-helper on each RHEL-H or RHEV-H so that it could elevate it's privileges to 'root' and run SoS.  I would recommend consolehelper and have scripts for this.

These hurdles are not impossible but it would take major coordination among many  different RHEV components.  The impacted components that I can think of are as follows:
- RHEV-H installer
- The scripts which get run when the RHEV-M connects/adds a hypervisor (either RHEL-H or RHEV-H).  
- The RHEV-M needs to store the non-root user ID somewhere, and would we allow a different non-root user per-hypervisor.
Comment 6 Barak 2014-01-26 07:50:16 EST
(In reply to Keith Robertson from comment #5)
> (In reply to Barak from comment #4)
> > Keith,
> > 
> > Can you please comment on the log collector / sos report issue mentioned in
> > comment #1
> 
> The hurdles for using a user other than 'root' as they relate to the Log
> Collector (and the Red Hat Support Plug-in) are as follows:
> 
> 1) Both the Log Collector and the RH Support plug-in call SoS when they
> attempt to collect logs from the Hypervisors.  For many reasons, SoS must be
> run as 'root' because it vacuums up all sorts of data and log files, config
> files, etc. that only 'root' would have access to.  

but let's assume we have a user named kuku that has the same permissions as root,
Will Log Collector succeed collecting the data.


> 
> 2) You would need to store the actual user name of the non-root user
> somewhere on the RHEV-M. You need this because the Log Collector and the Red
> Hat Support plug-in would need to know the actual user name to use when
> attempting to SSH/SFTP into the designated hypervisor.

AFAIR this is done already, Yaniv ?


> 
> 3) So that you don't have to type a user ID an password in every time you
> want to collect logs from N hypervisors, the RHEV-M installer would need to
> insert a public SSH key into each non-root user's
> /home/NON-ROOT-USER-HERE/.ssh/authorized_keys file.
> 
> 4) The RHEV-H installer would need to be modified such that it actually
> created a non-root user.

this will be done as a part of the host deploy (if not done already), Alon ?

> 
> 5) The non-root user would need to have an entry in /etc/sudoers or
> console-helper on each RHEL-H or RHEV-H so that it could elevate it's
> privileges to 'root' and run SoS.  I would recommend consolehelper and have
> scripts for this.

Let's assume this is configured (if not final than we could alter it through host deploy

> 
> These hurdles are not impossible but it would take major coordination among
> many  different RHEV components.  The impacted components that I can think
> of are as follows:
> - RHEV-H installer
> - The scripts which get run when the RHEV-M connects/adds a hypervisor
> (either RHEL-H or RHEV-H).  
> - The RHEV-M needs to store the non-root user ID somewhere, and would we
> allow a different non-root user per-hypervisor.
Comment 7 Alon Bar-Lev 2014-01-26 08:02:58 EST
>> 4) The RHEV-H installer would need to be modified such that it actually
>> created a non-root user.

> this will be done as a part of the host deploy (if not done already), Alon ?

correct, should work for regular host.

RHEV-H will not work as:
1. it has no regular user.
2. vdsm-reg and the UI only support configurating root.

But once we re-write the entire registration of rhev-h we also take that into account.
Comment 8 Yaniv Bronhaim 2014-01-26 10:22:47 EST
> > 2) You would need to store the actual user name of the non-root user
> > somewhere on the RHEV-M. You need this because the Log Collector and the Red
> > Hat Support plug-in would need to know the actual user name to use when
> > attempting to SSH/SFTP into the designated hypervisor.
> 
> AFAIR this is done already, Yaniv ?

yes, the username that the user used to deploy the host at first time is saved in vds_static table. currently, as barak said, this is only blocked via the ui field
Comment 9 Barak 2014-04-08 07:22:54 EDT
Arthur, will the SOS report work with the suggested changes ?
Comment 10 Barak 2014-04-13 11:35:54 EDT
Keith(In reply to Keith Robertson from comment #5)
> (In reply to Barak from comment #4)
> > Keith,
> > 
> > Can you please comment on the log collector / sos report issue mentioned in
> > comment #1
> 
> The hurdles for using a user other than 'root' as they relate to the Log
> Collector (and the Red Hat Support Plug-in) are as follows:
> 
> 1) Both the Log Collector and the RH Support plug-in call SoS when they
> attempt to collect logs from the Hypervisors.  For many reasons, SoS must be
> run as 'root' because it vacuums up all sorts of data and log files, config
> files, etc. that only 'root' would have access to. 

Does it validate "root" or it assumes that the user running SOS report has admin privileges ? 
 
> 
> 2) You would need to store the actual user name of the non-root user
> somewhere on the RHEV-M. You need this because the Log Collector and the Red
> Hat Support plug-in would need to know the actual user name to use when
> attempting to SSH/SFTP into the designated hypervisor.

This is ready


> 
> 3) So that you don't have to type a user ID an password in every time you
> want to collect logs from N hypervisors, the RHEV-M installer would need to
> insert a public SSH key into each non-root user's
> /home/NON-ROOT-USER-HERE/.ssh/authorized_keys file.


This is ready

> 
> 4) The RHEV-H installer would need to be modified such that it actually
> created a non-root user.


We can not know in advanced what user the customer wants to use.
So this part is left to the customer + it should give it privileges.

Now what does it need:
- just belong to the root group ?
- additional elevation configuration in the suduers ? 


> 
> 5) The non-root user would need to have an entry in /etc/sudoers or
> console-helper on each RHEL-H or RHEV-H so that it could elevate it's
> privileges to 'root' and run SoS.  I would recommend consolehelper and have
> scripts for this.


Not sure I understand what it means ?

> 
> These hurdles are not impossible but it would take major coordination among
> many  different RHEV components.  The impacted components that I can think
> of are as follows:
> - RHEV-H installer
> - The scripts which get run when the RHEV-M connects/adds a hypervisor
> (either RHEL-H or RHEV-H).  
> - The RHEV-M needs to store the non-root user ID somewhere, and would we
> allow a different non-root user per-hypervisor.

This is done
Comment 11 Alon Bar-Lev 2014-04-13 11:47:03 EDT
(In reply to Barak from comment #6)
> (In reply to Keith Robertson from comment #5)
> > (In reply to Barak from comment #4)
> > > Keith,
> > > 
> > > Can you please comment on the log collector / sos report issue mentioned in
> > > comment #1
> > 
> > The hurdles for using a user other than 'root' as they relate to the Log
> > Collector (and the Red Hat Support Plug-in) are as follows:
> > 
> > 1) Both the Log Collector and the RH Support plug-in call SoS when they
> > attempt to collect logs from the Hypervisors.  For many reasons, SoS must be
> > run as 'root' because it vacuums up all sorts of data and log files, config
> > files, etc. that only 'root' would have access to.  
> 
> but let's assume we have a user named kuku that has the same permissions as
> root,
> Will Log Collector succeed collecting the data.

We should allow ssh with regular user and privilege escalation, not duplicate root with different name.
 
> > 2) You would need to store the actual user name of the non-root user
> > somewhere on the RHEV-M. You need this because the Log Collector and the Red
> > Hat Support plug-in would need to know the actual user name to use when
> > attempting to SSH/SFTP into the designated hypervisor.
> 
> AFAIR this is done already, Yaniv ?

Correct.

> > 3) So that you don't have to type a user ID an password in every time you
> > want to collect logs from N hypervisors, the RHEV-M installer would need to
> > insert a public SSH key into each non-root user's
> > /home/NON-ROOT-USER-HERE/.ssh/authorized_keys file.
> > 
> > 4) The RHEV-H installer would need to be modified such that it actually
> > created a non-root user.
> 
> this will be done as a part of the host deploy (if not done already), Alon ?

The ovirt-node should have a user (example: user1) with the following entry in sudoers:

/etc/sudoers.d/50-otopi.conf
---
    Defaults:user1 !requiretty
    user1 ALL=(ALL) NOPASSWD: /bin/sh
---

> > 5) The non-root user would need to have an entry in /etc/sudoers or
> > console-helper on each RHEL-H or RHEV-H so that it could elevate it's
> > privileges to 'root' and run SoS.  I would recommend consolehelper and have
> > scripts for this.
> 
> Let's assume this is configured (if not final than we could alter it through
> host deploy

The entire idea is that host-deploy will run as non root also... so we need this at image, see (4).
Comment 12 Keith Robertson 2014-04-13 12:53:47 EDT
(In reply to Alon Bar-Lev from comment #11)
> (In reply to Barak from comment #6)
> > (In reply to Keith Robertson from comment #5)
> > > (In reply to Barak from comment #4)
> > > > Keith,
> > > > 
> > > > Can you please comment on the log collector / sos report issue mentioned in
> > > > comment #1
> > > 
> > > The hurdles for using a user other than 'root' as they relate to the Log
> > > Collector (and the Red Hat Support Plug-in) are as follows:
> > > 
> > > 1) Both the Log Collector and the RH Support plug-in call SoS when they
> > > attempt to collect logs from the Hypervisors.  For many reasons, SoS must be
> > > run as 'root' because it vacuums up all sorts of data and log files, config
> > > files, etc. that only 'root' would have access to.  
> > 
> > but let's assume we have a user named kuku that has the same permissions as
> > root,
> > Will Log Collector succeed collecting the data.
> 
> We should allow ssh with regular user and privilege escalation, not
> duplicate root with different name.
>  

First, let met just submit my vote for the user 'kuku'.  I think that would be a superb addition to both the RHEV-H and RHEL-H.  One could imagine the ensuing hilarity in a support engagement.  

On a serious note, Alon is right you SSH in as non-root and you either use SUDO or console-helper to escalate privileges to root.
 

> > > 2) You would need to store the actual user name of the non-root user
> > > somewhere on the RHEV-M. You need this because the Log Collector and the Red
> > > Hat Support plug-in would need to know the actual user name to use when
> > > attempting to SSH/SFTP into the designated hypervisor.
> > 
> > AFAIR this is done already, Yaniv ?
> 
> Correct.
> 

Really?  Where and is the public key pair for this user installed on the RHEV-M?

> > > 3) So that you don't have to type a user ID an password in every time you
> > > want to collect logs from N hypervisors, the RHEV-M installer would need to
> > > insert a public SSH key into each non-root user's
> > > /home/NON-ROOT-USER-HERE/.ssh/authorized_keys file.
> > > 
> > > 4) The RHEV-H installer would need to be modified such that it actually
> > > created a non-root user.
> > 
> > this will be done as a part of the host deploy (if not done already), Alon ?
> 
> The ovirt-node should have a user (example: user1) with the following entry
> in sudoers:
> 
> /etc/sudoers.d/50-otopi.conf
> ---
>     Defaults:user1 !requiretty
>     user1 ALL=(ALL) NOPASSWD: /bin/sh
> ---
> 
> > > 5) The non-root user would need to have an entry in /etc/sudoers or
> > > console-helper on each RHEL-H or RHEV-H so that it could elevate it's
> > > privileges to 'root' and run SoS.  I would recommend consolehelper and have
> > > scripts for this.
> > 
> > Let's assume this is configured (if not final than we could alter it through
> > host deploy
> 
> The entire idea is that host-deploy will run as non root also... so we need
> this at image, see (4).

I can't comment on the host-deploy as non-root aspect but it seems reasonable that the RHEV-H would have a non-root user preconfigured for this purpose.  Also, lets not forget a RHEL-H install, you'd need an RPM(or something) to do the work of creating the non-root user and configuring either sudoers or console-helper. Not sure what the best way to accomplish this is.

Lastly, the non-root user needs to be known to the RHEV-M and that non-root user's public key needs to be available there so that both the Log Collector and Red Hat Access plug-in can use it to SSH/SFTP to the RHE[V/L]-H with no password prompting. 

For reference, here[1] are the console-helper scripts we use on the RHEV-M to collect SoS reports as the non-root user ovirt.

[1] https://code.engineering.redhat.com/gerrit/gitweb?p=redhat-support-plugin-rhev.git;a=tree;f=utils;hb=HEAD
Comment 13 Alon Bar-Lev 2014-04-13 13:03:32 EDT
(In reply to Keith Robertson from comment #12)
> (In reply to Alon Bar-Lev from comment #11)
> > (In reply to Barak from comment #6)
> > > > 2) You would need to store the actual user name of the non-root user
> > > > somewhere on the RHEV-M. You need this because the Log Collector and the Red
> > > > Hat Support plug-in would need to know the actual user name to use when
> > > > attempting to SSH/SFTP into the designated hypervisor.
> > > 
> > > AFAIR this is done already, Yaniv ?
> > 
> > Correct.
> > 
> 
> Really?  Where and is the public key pair for this user installed on the
> RHEV-M?

We have two methods:

1. ovirt-node registration - the PKI trust and SSH trust are established via ovirt-node initiative. if we to support non root account, the SSH trust should be established to this account.

2. ovirt-engine initiated - in this case the account within the ovirt-node should be enabled for password login, or the engine public key should be installed manually for that user. After host-deploy sequence the engine's public key is installed within the user's authorized_keys regardless of how it was initiated.
 
> > > > 5) The non-root user would need to have an entry in /etc/sudoers or
> > > > console-helper on each RHEL-H or RHEV-H so that it could elevate it's
> > > > privileges to 'root' and run SoS.  I would recommend consolehelper and have
> > > > scripts for this.
> > > 
> > > Let's assume this is configured (if not final than we could alter it through
> > > host deploy
> > 
> > The entire idea is that host-deploy will run as non root also... so we need
> > this at image, see (4).
> 

<snip>

> Lastly, the non-root user needs to be known to the RHEV-M and that non-root
> user's public key needs to be available there so that both the Log Collector
> and Red Hat Access plug-in can use it to SSH/SFTP to the RHE[V/L]-H with no
> password prompting. 

The other way around, the engine's public key should be installed at at that user's authorized_keys. This can be done via registration process (to be implemented) or later on by the host-deploy (already implemented).
Comment 14 Keith Robertson 2014-04-13 16:07:19 EDT
(In reply to Alon Bar-Lev from comment #13)
> (In reply to Keith Robertson from comment #12)
> > (In reply to Alon Bar-Lev from comment #11)
> > > (In reply to Barak from comment #6)
> > > > > 2) You would need to store the actual user name of the non-root user
> > > > > somewhere on the RHEV-M. You need this because the Log Collector and the Red
> > > > > Hat Support plug-in would need to know the actual user name to use when
> > > > > attempting to SSH/SFTP into the designated hypervisor.
> > > > 
> > > > AFAIR this is done already, Yaniv ?
> > > 
> > > Correct.
> > > 
> > 
> > Really?  Where and is the public key pair for this user installed on the
> > RHEV-M?
> 
> We have two methods:
> 
> 1. ovirt-node registration - the PKI trust and SSH trust are established via
> ovirt-node initiative. if we to support non root account, the SSH trust
> should be established to this account.
> 
> 2. ovirt-engine initiated - in this case the account within the ovirt-node
> should be enabled for password login, or the engine public key should be
> installed manually for that user. After host-deploy sequence the engine's
> public key is installed within the user's authorized_keys regardless of how
> it was initiated.
>

Agree to above.

Will we configure any non-root user on the node or will it always be 'kuku', 'vdsm', whatever...?
  
> > > > > 5) The non-root user would need to have an entry in /etc/sudoers or
> > > > > console-helper on each RHEL-H or RHEV-H so that it could elevate it's
> > > > > privileges to 'root' and run SoS.  I would recommend consolehelper and have
> > > > > scripts for this.
> > > > 
> > > > Let's assume this is configured (if not final than we could alter it through
> > > > host deploy
> > > 
> > > The entire idea is that host-deploy will run as non root also... so we need
> > > this at image, see (4).
> > 
> 
> <snip>
> 
> > Lastly, the non-root user needs to be known to the RHEV-M and that non-root
> > user's public key needs to be available there so that both the Log Collector
> > and Red Hat Access plug-in can use it to SSH/SFTP to the RHE[V/L]-H with no
> > password prompting. 
> 
> The other way around, the engine's public key should be installed at at that
> user's authorized_keys. This can be done via registration process (to be
> implemented) or later on by the host-deploy (already implemented).

Agree to your description of the flow.  I could have worded my description a bit better.
Comment 15 Alon Bar-Lev 2014-04-13 16:09:57 EDT
(In reply to Keith Robertson from comment #14)
> Will we configure any non-root user on the node or will it always be 'kuku',
> 'vdsm', whatever...?

Yes.

vdsm - has specific usage, so cannot be.
kuku - oh... well...
admin - might be better.
Comment 16 Yaniv Bronhaim 2014-04-22 06:54:18 EDT
afaiu, using different user (with full root privileges) should work currently, host-deploy will put engine's pk in the picked user authorized_keys, engine will save the username in db and will use it afterwards on reinstall if needed. 

for ovirt-node we need to configure the user as part of the installation in the node and try to register with it (might be better to split the rfe to ovirt-node and engine sides). 
about the logcollector or other tools that count on root access, I don't understand how we'll configure them to use this user. do we really need the console-helper scripts or just tell those tools to use different user\pass?
Comment 17 Keith Robertson 2014-04-22 08:36:16 EDT
(In reply to Yaniv Bronhaim from comment #16)
> afaiu, using different user (with full root privileges) should work
> currently, host-deploy will put engine's pk in the picked user
> authorized_keys, engine will save the username in db and will use it
> afterwards on reinstall if needed. 
> 

Are you suggesting that each hypervisor, RHE[V/L]-H, could have a different non-root user or is it safe to assume that the non-root username will *always* be admin, kuku, whatever?

I am asking because allowing each hypervisor, RHE[V/L]-H, the flexibility to have different non-root usernames will be a problem for the Log Collector and the RHEV plug-in unless there is a mechanism for these tools to look up the username for a designated hypervisor.  IMO, allowing different non-root users per hypervisor is a bad idea which adds unnecessary complexity.

> for ovirt-node we need to configure the user as part of the installation in
> the node and try to register with it (might be better to split the rfe to
> ovirt-node and engine sides). 

ACK

> about the logcollector or other tools that count on root access, I don't
> understand how we'll configure them to use this user. do we really need the
> console-helper scripts or just tell those tools to use different user\pass?

Telling the tools to use different user\pass is insufficient.  Something on the RHE[V/L]-H must install a mechanism for a designated non-root user to execute SoS as root.

== Here are the minimum requirements for the hypervisor ==
- The hypervisor must have a non-root user.
- The non-root user must be given a mechanism to execute SoS (which requires root).  There are two options for this and they are sudo or console-helper.  I don't care which is used but we have approved console helper scripts for this.

== Here are the minimum requirements for the RHEV-M ==
- There must be REST endpoint/attribute which a client can query to determine if a node is using non-root (see [1]).  This is important because during upgrade scenarios customers will likely have mixed configurations with nodes using the old root-only mechanism and new nodes which support the new non-root mechanism.  The log collector must be able to ask the REST service what authentication mechanism a particular node uses before attempting to SSH/SFTP to that node.

- A public key from the RHEV-M must be installed into the authorized key file of the non-root user on the node.  The private key must be known to the Log Collector.  This private/public key pair could be the same one that is currently used or it could be a completely different one.  Don't care.  We just need to know what to use.

[1] 
if ( api.getHost('abc123').getFullVersion() >= 3.4){ 
   doNonRootLogin()
} else{
   doRootLogin()
}
Comment 18 Itamar Heim 2014-06-22 08:18:10 EDT
*** Bug 508541 has been marked as a duplicate of this bug. ***
Comment 19 Itamar Heim 2014-06-22 08:38:14 EDT
*** Bug 794867 has been marked as a duplicate of this bug. ***
Comment 20 Itamar Heim 2014-07-04 10:16:11 EDT
*** Bug 1099591 has been marked as a duplicate of this bug. ***
Comment 22 Yaniv Lavi 2015-04-21 04:46:36 EDT
*** Bug 1134903 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.