< Changes
Role based access control with libvirt
Summary
Allow role based access control with libvirt.
Owner
- Name: Daniel P. Berrange
- Email: berrange@redhat.com
- Name: Cole Robinson
- Email: crobinso@redhat.com
- Release notes owner:
Current status
Detailed Description
Libvirt role based access control will allow fine grained access control like 'user FOO can only start/stop/pause vm BAR', but for all libvirt APIs and objects.
Benefit to Fedora
- Nice, new, oft requested feature is finally available that we can advertise for Fedora 20.
Scope
- Proposal owners:
- 100% of the work is already in rawhide
- Documentation is written
- Other developers: N/A (not a System Wide Change)
- Release engineering: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
Upgrade/compatibility impact
N/A (not a System Wide Change)
How To Test
1. As root, create two KVM guests named 'apache' and 'mysql' using virt-install 2. As a non-root user 'fred', run
virsh -c qemu:///system list --all'
Note that 'fred' can see both VMs
3. As root, create a file /etc/polkit-1/rules.d/100-libvirt-api.rules containing
polkit.addRule(function(action, subject) {
if (action.id == "org.libvirt.api.domain.getattr" &&
subject.user == "freq") {
if (action._detail_connect_driver == 'QEMU' &&
action._detail_domain_name == 'apache') {
return polkit.Result.YES;
} else {
return polkit.Result.NO;
}
}
});
4. As a non-root user 'fred' run
virsh -c qemu:///system list --all'
Note that 'fred' can now only see the 'apache' VM.
The same kind of rules can be applied to storage pools, volumes, networks, and more.
User Experience
N/A (not a System Wide Change)
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change)
Documentation
- https://www.redhat.com/archives/libvir-list/2013-May/msg00699.html
- General docs on access control system http://libvirt.org/acl.html
- Polkit driver usage / config http://libvirt.org/aclpolkit.html
- https://fedoraproject.org/wiki/QA:Testcase_Virt_ACLs
Release Notes
Libvirt now supports role based access control, which allows setting rules such as 'user FOO can only start/stop/pause vm BAR'.