From Fedora Project Wiki
Latest revision as of 16:37, 2 December 2013
Description
This test case tests whether thermostat filters results returned based on the username the JVM is running as.
Setup
- Boot into the machine/VM you wish to test.
- If thermostat-webapp is not yet installed, install it.
- Perform all actions as described in the basic web service test case.
How to test
- Start the thermostat agent, connecting to webstorage:
thermostat agent -d http://127.0.0.1:8080/thermostat/storage
- Start a Java process as a user other than the user you use in step 6-7.
- Start the thermostat shell:
thermostat shell
- Connect to the thermostat web service at the shell prompt:
Thermostat > connect -d http://127.0.0.1:8080/thermostat/storage
- List all VMs:
Thermostat > list-vms
- From this list pick one VM_ID, say it's
7474af55-6869-4606-8815-df0674d56e2b
- Next show the VM information via the vm-info command:
vm-info 7474af55-6869-4606-8815-df0674d56e2b
Record the "User ID" information. Say this info is "1000(jon-doe)".
- Now in /etc/thermostat/thermostat-roles.properties change the following line of the recursive role "thermostat-client" (this needs to be done as root), save the file and run list-vms again:
# This granted a user which is member of "thermostat-client" to read all VMs running as any username on the target host.
#thermostat-vms-grant-read-username-ALL
# This grants a user which is member of "thermostat-client" to read all VMs running as user "jon-doe"
thermostat-vms-grant-read-username-jon-doe
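
A pre-check for the roles edit in the last step, so that a failing list-vms result is not caused by the ALL grant still being active. This is an added example, not part of the Fedora test case or of Thermostat; the token separators, the sample file layout and the role name "example-other-role" are assumptions, and only the grant names come from the test case.

```shell
#!/bin/sh
# Added example: report which usernames have an active (uncommented)
# thermostat-vms-grant-read-username-* grant in a roles file.
# Assumption: tokens are separated by whitespace, commas, '=' or a trailing
# backslash; only the grant names themselves come from the test case.
GRANT_PREFIX='thermostat-vms-grant-read-username-'

# Print one granted username per line, sorted and de-duplicated.
active_vm_read_grants() {
    grep -v '^[[:space:]]*#' "$1" \
        | tr -s ' \t,=\\' '\n' \
        | grep "^${GRANT_PREFIX}" \
        | sed "s/^${GRANT_PREFIX}//" \
        | sort -u
}

# Succeed only if ALL is inactive and the sole active grant is user $2.
check_vm_read_scope() {
    grants=$(active_vm_read_grants "$1")
    if printf '%s\n' "$grants" | grep -qx 'ALL'; then
        echo "FAIL: ${GRANT_PREFIX}ALL is still active" >&2
        return 1
    fi
    if [ "$grants" != "$2" ]; then
        echo "FAIL: active grants: ${grants:-none}, expected: $2" >&2
        return 1
    fi
    echo "OK: reads limited to VMs running as $2"
}

# Constructed sample files (layout and "example-other-role" are made up).
sample_dir=$(mktemp -d)
cat > "$sample_dir/before.properties" <<'EOF'
thermostat-client = example-other-role, \
thermostat-vms-grant-read-username-ALL
EOF
cat > "$sample_dir/after.properties" <<'EOF'
thermostat-client = example-other-role, \
#thermostat-vms-grant-read-username-ALL
thermostat-vms-grant-read-username-jon-doe
EOF

check_vm_read_scope "$sample_dir/before.properties" jon-doe || true
check_vm_read_scope "$sample_dir/after.properties" jon-doe
```

On a test machine, call check_vm_read_scope with /etc/thermostat/thermostat-roles.properties and the username recorded from vm-info before re-running list-vms.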
Expected Results
- At step 7, list-vms should only show VMs which are running as "jon-doe". You can verify this by running vm-info on every VM_ID in the output of list-vms.
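- More information as to how thermostat*grant-read* roles work can be found on the security considerations thermostat wiki page (http://icedtea.classpath.org/wiki/?title=Thermostat/SecurityConsiderations#Thermostat_Access_Control).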