openvnet icon indicating copy to clipboard operation
openvnet copied to clipboard
verified publisher icon axsh

Use groups instead of users for WebAPI and VNMGR

Open Metallion opened this issue 10 years ago • 0 comments

This is related to issue https://github.com/axsh/openvnet/issues/28.

Problem

In https://github.com/axsh/openvnet/pull/299 we changed WebAPI and VNMGR to run as their own user. After a discussion with @akry, it was decided that it is better to use groups. All users in the groups should be able to start their respective services.

Solution

  • Create 2 groups. vnet-webapi and vnet-vnmgr.
  • Keep the users created in https://github.com/axsh/openvnet/pull/299 but add them to their respective groups.
  • In the upstart job, check for the correct group.
    • If part of the correct group, start the process.
    • if root, start the process as the default user. (the one set as VNET_USER in the /etc/default files.)
    • if a non-root user from another group tries to start the process, fail with a proper error saying they do not have permission to do such things as those.

Metallion avatar Apr 21 '15 06:04 Metallion