Revision as of 18:57, 9 August 2013
Role based access control with libvirt
Summary
Allow role based access control with libvirt.
Owner
- Name: Daniel P. Berrange
- Email: berrange@redhat.com
- Name: Cole Robinson
- Email: crobinso@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 20
- Last updated: 2013-06-11
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
Libvirt role based access control will allow fine-grained access control like 'user FOO can only start/stop/pause vm BAR', but for all libvirt APIs and objects.
Benefit to Fedora
- Nice, new, oft requested feature is finally available that we can advertise for Fedora 20.
Scope
- Proposal owners:
- 90% of the work is already in rawhide
- Documentation needs to be written
- Other developers: N/A (not a System Wide Change)
- Release engineering: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
Upgrade/compatibility impact
N/A (not a System Wide Change)
How To Test
1. As root, create two KVM guests named 'apache' and 'mysql' using virt-install
2. As a non-root user 'fred', run
    virsh -c qemu:///system list --all
Note that 'fred' can see both VMs
3. As root, create a file /etc/polkit-1/rules.d/100-libvirt-api.rules containing
    polkit.addRule(function(action, subject) {
        // Only decide on domain visibility ("getattr") requests from user 'fred'
        if (action.id == "org.libvirt.api.domain.getattr" &&
            subject.user == "fred") {
            // Allow the QEMU guest named 'apache', deny every other domain
            if (action._detail_connect_driver == 'QEMU' &&
                action._detail_domain_name == 'apache') {
                return polkit.Result.YES;
            } else {
                return polkit.Result.NO;
            }
        }
        // No return value for other users or actions: this rule makes no decision
    });
4. As a non-root user 'fred', run
    virsh -c qemu:///system list --all
Note that 'fred' can now only see the 'apache' VM.
The same kind of rules can be applied to storage pools, volumes, networks, and more.
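The rule from step 3, generalized to a per-user, per-VM permission table and run against a stand-in for the polkit engine so the decisions can be checked before a file is placed in /etc/polkit-1/rules.d. This is an added example, not code from this page, libvirt or polkit. The polkit stand-in, the ROLES table, the own and decide helpers, and the permission names other than getattr are assumptions of the example, and the requests are constructed.

```javascript
// Added example: a stand-in for the polkit rules engine (not polkit itself).
const polkit = {
  Result: { YES: "yes", NO: "no" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
  // The first rule that returns a decision wins. undefined means "no opinion";
  // the real daemon would then fall back to later rules or the default policy.
  check(action, subject) {
    for (const rule of this.rules) {
      const result = rule(action, subject);
      if (result !== undefined && result !== null) return result;
    }
    return undefined;
  },
};

// Hypothetical role table: user -> domain name -> permitted domain permissions
// (the part of the action id after "org.libvirt.api.domain.").
const ROLES = {
  fred: { apache: ["getattr", "start", "stop", "suspend"] },
};
const PREFIX = "org.libvirt.api.domain.";

// Own-property lookup, so a user or VM named "constructor" or "toString"
// cannot match something inherited from Object.prototype.
function own(obj, key) { return Object.prototype.hasOwnProperty.call(obj, key); }

// The rule is kept to ES5 syntax so it does not depend on the harness.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf(PREFIX) !== 0) return undefined;   // not a domain API call
  if (!own(ROLES, subject.user)) return undefined;         // user not managed here
  var domains = ROLES[subject.user];
  var name = action._detail_domain_name;
  if (action._detail_connect_driver !== "QEMU" || !own(domains, name)) {
    return polkit.Result.NO;                               // other driver or other VM
  }
  var perm = action.id.slice(PREFIX.length);
  return domains[name].indexOf(perm) !== -1 ? polkit.Result.YES : polkit.Result.NO;
});

// Build a constructed request in the shape the rule on this page reads.
function decide(user, perm, domain, driver) {
  var action = { id: PREFIX + perm, _detail_domain_name: domain,
                 _detail_connect_driver: driver || "QEMU" };
  return polkit.check(action, { user: user });
}
```

Users missing from the table get undefined (no decision from this rule), while a listed user is denied everything the table does not grant.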
User Experience
N/A (not a System Wide Change)
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change)
Documentation
- https://www.redhat.com/archives/libvir-list/2013-May/msg00699.html
- General docs on access control system http://libvirt.org/acl.html
- Polkit driver usage / config http://libvirt.org/aclpolkit.html
- XXX: should blog about this when ready
Release Notes
Libvirt now supports role based access control, which allows setting rules such as 'user FOO can only start/stop/pause vm BAR'.