Changes/Virt ACLs

From FedoraProject

< Changes(Difference between revisions)
Jump to: navigation, search
(How To Test)
(Scope)
Line 42: Line 42:
  
 
* Proposal owners:
 
* Proposal owners:
# 90% of the work is already in rawhide
+
# 100% of the work is already in rawhide
# Documentation needs to be written
+
# Documentation is written
  
 
* Other developers: N/A (not a System Wide Change)
 
* Other developers: N/A (not a System Wide Change)

Revision as of 18:57, 9 August 2013

Contents

Role based access control with libvirt

Summary

Allow role based access control with libvirt.

Owner

Current status

  • Targeted release: Fedora 20
  • Last updated: 2013-06-11
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Libvirt role based access control will allow fine grained access control like 'user FOO can only start/stop/pause vm BAR', but for all libvirt APIs and objects.

Benefit to Fedora

  • Nice, new, oft requested feature is finally available that we can advertise for Fedora 20.

Scope

  • Proposal owners:
  1. 100% of the work is already in rawhide
  2. Documentation is written
  • Other developers: N/A (not a System Wide Change)
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)

Upgrade/compatibility impact

N/A (not a System Wide Change)

How To Test

1. As root, create two KVM guests named 'apache' and 'mysql' using virt-install 2. As a non-root user 'fred', run

 virsh -c qemu:///system list --all'

Note that 'fred' can see both VMs

3. As root, create a file /etc/polkit-1/rules.d/100-libvirt-api.rules containing

 polkit.addRule(function(action, subject) {
   if (action.id == "org.libvirt.api.domain.getattr" &&
       subject.user == "freq") {
         if (action._detail_connect_driver == 'QEMU' &&
             action._detail_domain_name == 'apache') {
           return polkit.Result.YES;
         } else {
           return polkit.Result.NO;
         }
   }
 });

4. As a non-root user 'fred' run

virsh -c qemu:///system list --all'

Note that 'fred' can now only see the 'apache' VM.

The same kind of rules can be applied to storage pools, volumes, networks, and more.

User Experience

N/A (not a System Wide Change)

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)

Documentation

Release Notes

Libvirt now supports role based access control, which allows setting rules such as 'user FOO can only start/stop/pause vm BAR'.