From Fedora Project Wiki
Latest revision as of 16:37, 2 December 2013
Description
This test case tests whether thermostat filters results returned based on the username the JVM is running as.
Setup
- Boot into the machine/VM you wish to test.
- If thermostat-webapp is not yet installed, install it.
- Perform all actions as described in the basic web service test case.
How to test
- Start the thermostat agent, connecting to webstorage:
thermostat agent -d http://127.0.0.1:8080/thermostat/storage
- Start a Java process as a user other than the one you use in steps 6-7.
- Start the thermostat shell:
thermostat shell
- Connect to the thermostat web service at the shell prompt:
Thermostat > connect -d http://127.0.0.1:8080/thermostat/storage
- List all VMs:
Thermostat > list-vms
- From this list pick one VM_ID, say it's
7474af55-6869-4606-8815-df0674d56e2b
- Next show the VM information via the vm-info command:
vm-info 7474af55-6869-4606-8815-df0674d56e2b
Record the "User ID" information. Say this info is "1000(jon-doe)".
- Now in /etc/thermostat/thermostat-roles.properties change the following line of the recursive role "thermostat-client" (this needs to be done as root), save the file and run list-vms again:
# This granted a user which is member of "thermostat-client" to read all VMs running as any username on the target host.
#thermostat-vms-grant-read-username-ALL
# This grants a user which is member of "thermostat-client" to read all VMs running as user "jon-doe"
thermostat-vms-grant-read-username-jon-doe
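Before running list-vms again, it helps to confirm that the roles file really contains only the per-user grant. The script below is an added example, not part of this wiki page or of thermostat; it assumes a grant is active whenever its token appears on a line that does not start with '#', and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page). Assumption: a grant is in effect
# whenever its token appears on a line that is not a '#' comment.

PREFIX='thermostat-vms-grant-read-username-'

# Print the username part of every active grant in file $1, one per line.
active_vm_read_users() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -o "${PREFIX}[A-Za-z0-9_.-]*" |
        sed "s/^${PREFIX}//" |
        sort -u
}

# Return 0 only if the expected user ($2) is the sole active grant in $1.
check_vm_read_grants() {
    found=0 status=0
    for u in $(active_vm_read_users "$1"); do
        case $u in
            ALL) echo "FAIL: ${PREFIX}ALL is still active"; status=1 ;;
            "$2") found=1 ;;
            *) echo "FAIL: unexpected grant for user '$u'"; status=1 ;;
        esac
    done
    if [ "$found" -ne 1 ]; then
        echo "FAIL: no active grant for '$2'"; status=1
    fi
    if [ "$status" -eq 0 ]; then echo "ok: VM reads limited to '$2'"; fi
    return "$status"
}

# Constructed sample files: the roles lines before and after the edit.
write_samples() {
    printf '%s\n' '# read all VMs running as any username' \
        "${PREFIX}ALL" > "$1/before.properties"
    printf '%s\n' '# read all VMs running as any username' \
        "#${PREFIX}ALL" '# read VMs running as user "jon-doe"' \
        "${PREFIX}jon-doe" > "$1/after.properties"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_vm_read_grants "$tmp/before.properties" jon-doe || echo "(expected before the edit)"
check_vm_read_grants "$tmp/after.properties" jon-doe
rm -rf "$tmp"
```

On a test machine, run `check_vm_read_grants /etc/thermostat/thermostat-roles.properties jon-doe` as a user who can read the file.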
Expected Results
- At step 7, list-vms should only show VMs which are running as "jon-doe". You can verify this by running vm-info on every VM_ID in the output of list-vms.
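- More information as to how thermostat*grant-read* roles work can be found on the security considerations thermostat wiki page (http://icedtea.classpath.org/wiki/?title=Thermostat/SecurityConsiderations#Thermostat_Access_Control).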