Changes/Virt ACLs

From FedoraProject

< Changes(Difference between revisions)
Jump to: navigation, search
(Documentation)
(How To Test)
Line 54: Line 54:
 
== How To Test ==
 
== How To Test ==
 
<!-- N/A (not a System Wide Change) -->
 
<!-- N/A (not a System Wide Change) -->
TBD when work is testable.
+
 
 +
1. As root, create two KVM guests named 'apache' and 'mysql' using virt-install
 +
2. As a non-root user 'fred', run
 +
 
 +
  virsh -c qemu:///system list --all'
 +
 
 +
Note that 'fred' can see both VMs
 +
 
 +
3. As root, create a file  /etc/polkit-1/rules.d/100-libvirt-api.rules containing
 +
 
 +
  polkit.addRule(function(action, subject) {
 +
    if (action.id == "org.libvirt.api.domain.getattr" &&
 +
        subject.user == "freq") {
 +
          if (action._detail_connect_driver == 'QEMU' &&
 +
              action._detail_domain_name == 'apache') {
 +
            return polkit.Result.YES;
 +
          } else {
 +
            return polkit.Result.NO;
 +
          }
 +
    }
 +
  });
 +
 
 +
4. As a non-root user 'fred' run
 +
 
 +
virsh -c qemu:///system list --all'
 +
 
 +
Note that 'fred' can now only see the 'apache' VM.
 +
 
 +
The same kind of rules can be applied to storage pools, volumes, networks, and more.
  
 
== User Experience ==
 
== User Experience ==

Revision as of 18:57, 9 August 2013

Contents

Role based access control with libvirt

Summary

Allow role based access control with libvirt.

Owner

Current status

  • Targeted release: Fedora 20
  • Last updated: 2013-06-11
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Libvirt role based access control will allow fine grained access control like 'user FOO can only start/stop/pause vm BAR', but for all libvirt APIs and objects.

Benefit to Fedora

  • Nice, new, oft requested feature is finally available that we can advertise for Fedora 20.

Scope

  • Proposal owners:
  1. 90% of the work is already in rawhide
  2. Documentation needs to be written
  • Other developers: N/A (not a System Wide Change)
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)

Upgrade/compatibility impact

N/A (not a System Wide Change)

How To Test

1. As root, create two KVM guests named 'apache' and 'mysql' using virt-install 2. As a non-root user 'fred', run

 virsh -c qemu:///system list --all'

Note that 'fred' can see both VMs

3. As root, create a file /etc/polkit-1/rules.d/100-libvirt-api.rules containing

 polkit.addRule(function(action, subject) {
   if (action.id == "org.libvirt.api.domain.getattr" &&
       subject.user == "freq") {
         if (action._detail_connect_driver == 'QEMU' &&
             action._detail_domain_name == 'apache') {
           return polkit.Result.YES;
         } else {
           return polkit.Result.NO;
         }
   }
 });

4. As a non-root user 'fred' run

virsh -c qemu:///system list --all'

Note that 'fred' can now only see the 'apache' VM.

The same kind of rules can be applied to storage pools, volumes, networks, and more.

User Experience

N/A (not a System Wide Change)

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)

Documentation

Release Notes

Libvirt now supports role based access control, which allows setting rules such as 'user FOO can only start/stop/pause vm BAR'.