Changes/Virt ACLs

From FedoraProject

< Changes(Difference between revisions)
(Add link to testcase)
(Replace content with link to test case)
 
Line 53: Line 53:
  
 
== How To Test ==
 
== How To Test ==
<!-- N/A (not a System Wide Change) -->
 
  
1. As root, create two KVM guests named 'apache' and 'mysql' using virt-install
+
See the test case at: https://fedoraproject.org/wiki/QA:Testcase_Virt_ACLs
2. As a non-root user 'fred', run
+
 
+
  virsh -c qemu:///system list --all'
+
 
+
Note that 'fred' can see both VMs
+
 
+
3. As root, create a file  /etc/polkit-1/rules.d/100-libvirt-api.rules containing
+
 
+
  polkit.addRule(function(action, subject) {
+
    if (action.id == "org.libvirt.api.domain.getattr" &&
+
        subject.user == "freq") {
+
          if (action._detail_connect_driver == 'QEMU' &&
+
              action._detail_domain_name == 'apache') {
+
            return polkit.Result.YES;
+
          } else {
+
            return polkit.Result.NO;
+
          }
+
    }
+
  });
+
 
+
4. As a non-root user 'fred' run
+
 
+
virsh -c qemu:///system list --all'
+
 
+
Note that 'fred' can now only see the 'apache' VM.
+
 
+
The same kind of rules can be applied to storage pools, volumes, networks, and more.
+
  
 
== User Experience ==
 
== User Experience ==
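
Review bot: the polkit rule in the inline steps being replaced tests subject.user == "freq", while steps 2 and 4 run virsh as 'fred', so the restriction in step 4 would not take effect for fred as written; both virsh lines also end in a stray '. Since the steps give way to the link to QA:Testcase_Virt_ACLs, confirm that the test case has "fred" in the rule and the trailing quote dropped. The closing sentence that the same kind of rules can be applied to storage pools, volumes, networks, and more also disappears from this page with the steps; consider keeping it under Detailed Description.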

Latest revision as of 18:16, 4 October 2013


Role based access control with libvirt

Summary

Allow role based access control with libvirt.

Owner

Current status

Detailed Description

Libvirt role-based access control will allow fine-grained access control such as 'user FOO can only start/stop/pause vm BAR', and will do so for all libvirt APIs and objects.
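
As an added illustration of the kind of rule described above (not part of the original page or of libvirt's own documentation), the following JavaScript models a polkit rule that lets user FOO start, stop and pause only the QEMU guest BAR. The `polkit` stub, the `evaluate` helper and the sample requests are assumptions that stand in for polkitd so the rule can be exercised offline; the rule reads the action details through polkit's `action.lookup()`.

```javascript
// Stub of the `polkit` object that polkitd exposes to rules files (assumption:
// only addRule and Result are modelled so the rule can run outside polkitd).
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not-handled" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// Domain permissions granted to FOO on BAR; "suspend" is libvirt's pause.
var ALLOWED = [
  "org.libvirt.api.domain.getattr",
  "org.libvirt.api.domain.start",
  "org.libvirt.api.domain.stop",
  "org.libvirt.api.domain.suspend",
];

polkit.addRule(function (action, subject) {
  // Decide only for FOO's domain actions; everything else is left to other rules.
  if (subject.user !== "FOO" || action.id.indexOf("org.libvirt.api.domain.") !== 0) {
    return polkit.Result.NOT_HANDLED;
  }
  var onBar = action.lookup("connect_driver") === "QEMU" &&
              action.lookup("domain_name") === "BAR";
  // Default deny: any other guest or any other domain permission is refused.
  return (onBar && ALLOWED.indexOf(action.id) !== -1) ? polkit.Result.YES
                                                      : polkit.Result.NO;
});

// Hypothetical helper: try the rules in order; the first definite answer wins.
function evaluate(id, details, user) {
  const action = { id, lookup: (key) => details[key] };
  for (const rule of polkit.rules) {
    const result = rule(action, { user });
    if (result && result !== polkit.Result.NOT_HANDLED) return result;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed sample requests (not captured from a real host).
const bar = { connect_driver: "QEMU", domain_name: "BAR" };
const other = { connect_driver: "QEMU", domain_name: "OTHER" };
console.log(evaluate("org.libvirt.api.domain.start", bar, "FOO"));
console.log(evaluate("org.libvirt.api.domain.start", other, "FOO"));
console.log(evaluate("org.libvirt.api.domain.delete", bar, "FOO"));
console.log(evaluate("org.libvirt.api.domain.start", bar, "FOOO")); // misspelled user
```

Only the `ALLOWED` list and the `polkit.addRule(...)` call would go into a rules file. A misspelled user name falls through as not handled instead of failing loudly, so the last sample request is the case worth testing.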

Benefit to Fedora

  • A nice, new, oft-requested feature is finally available, and we can advertise it for Fedora 20.

Scope

  • Proposal owners:
  1. 100% of the work is already in rawhide
  2. Documentation is written
  • Other developers: N/A (not a System Wide Change)
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)

Upgrade/compatibility impact

N/A (not a System Wide Change)

How To Test

See the test case at: https://fedoraproject.org/wiki/QA:Testcase_Virt_ACLs

User Experience

N/A (not a System Wide Change)

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)

Documentation

Release Notes

Libvirt now supports role-based access control, which allows setting rules such as 'user FOO can only start/stop/pause vm BAR'.