(Create the page) |
(Add links to feature page) |
||
Line 2: | Line 2: | ||
|description= | |description= | ||
Use libvirt ACLs to grant a user access to only a single VM. | Use libvirt ACLs to grant a user access to only a single VM. | ||
This is for the Fedora 20 feature [[Changes/Virt_ACLs|Virt ACLs]] | |||
|setup= | |setup= | ||
Line 98: | Line 100: | ||
* http://libvirt.org/acl.html | * http://libvirt.org/acl.html | ||
* http://libvirt.org/aclpolkit.html | * http://libvirt.org/aclpolkit.html | ||
* http://fedoraproject.org/wiki/Changes/Virt_ACLs | |||
}} | }} | ||
[[Category:Virtualization Test Cases]] | [[Category:Virtualization Test Cases]] |
Revision as of 18:14, 4 October 2013
Description
Use libvirt ACLs to grant a user access to only a single VM.
This is for the Fedora 20 feature Virt ACLs
Setup
Functioning virt host and VM. All VM OS welcome. Requires at least Fedora 20 for the host.
How to test
Configure libvirt to use ACLs
By default the ACL backend is turned off. Let's turn it on:
- Switch to root:
su -
- Open /etc/libvirt/libvirtd.conf
- Uncomment the line:
#access_drivers = [ "polkit" ]
- Restart libvirtd:
service libvirtd restart
Give restricted access to a single VM
We define the access logic in polkit rules files. Here we are going to: allow the user to connect to qemu:///system, but _only_ print info about the VM test-day-vm
- As root, edit a new file: /etc/polkit-1/rules.d/99-my-test-day-libvirt.rules
- Paste the following content, replacing MY-USER with your unix username:
// Allow passwordless connection to qemu:///system polkit.addRule(function(action, subject) { if (action.id == "org.libvirt.unix.manage" && subject.user == "MY-USER") { return polkit.Result.YES; } }); // Allow user to read basic info about 'test-day-vm' polkit.addRule(function(action, subject) { if (action.id == "org.libvirt.api.domain.getattr" && subject.user == "MY_USER") { if (action.lookup("connect_driver") == 'QEMU' && action.lookup("domain_name") == 'test-day-vm') { return polkit.Result.YES; } else { return polkit.Result.NO; } } });
- Save that file and exit. Restarting libvirtd is not required.
- Verify that libvirt is filtering the domain list:
$ virsh --connect qemu:///system list --all Id Name State ---------------------------------------------------- 58 test-day-vm running
- However note that an action like 'suspend' is denied
$ virsh --connect qemu:///system suspend test-day-vm error: Failed to suspend domain test-day-vm error: access denied
Provide full access to a single VM
- As root, open /etc/polkit-1/rules.d/99-my-test-day-libvirt.rules
- Remove the replace the last rule block with the following block, again replacing MY-USER with your username:
// Give full access to 'test-day-vm' polkit.addRule(function(action, subject) { if (action.id.indexOf("org.libvirt.api.domain.") = 0 && subject.user == "MY_USER") { if (action.lookup("connect_driver") == 'QEMU' && action.lookup("domain_name") == 'test-day-vm') { return polkit.Result.YES; } else { return polkit.Result.NO; } } });
- Verify that you can now perform an action on the VM, like suspend (pause) or start
$ virsh --connect qemu:///system suspend test-day-vm Domain test-day-vm suspended
Cleanup
- /etc/polkit-1/rules.d/99-my-test-day-libvirt.rules
- Undo the libvirtd conf changes listed above and restart libvirtd.
Expected Results
No obvious errors occur, all results are as indicated.
Additional info
This is the tip of the iceberg for ACLs. Complete docs are at: