From Fedora Project Wiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Role based access control with libvirt

Summary

Allow role based access control with libvirt.

Owner

Current status

  • Targeted release: Fedora 20
  • Last updated: 2013-06-11
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Libvirt role based access control will allow fine grained access control like 'user FOO can only start/stop/pause vm BAR', but for all libvirt APIs and objects.

Benefit to Fedora

  • Nice, new, oft requested feature is finally available that we can advertise for Fedora 20.

Scope

  • Proposal owners:
  1. 90% of the work is already in rawhide
  2. Documentation needs to be written
  • Other developers: N/A (not a System Wide Change)
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)

Upgrade/compatibility impact

N/A (not a System Wide Change)

How To Test

1. As root, create two KVM guests named 'apache' and 'mysql' using virt-install 2. As a non-root user 'fred', run

 virsh -c qemu:///system list --all'

Note that 'fred' can see both VMs

3. As root, create a file /etc/polkit-1/rules.d/100-libvirt-api.rules containing

 polkit.addRule(function(action, subject) {
   if (action.id == "org.libvirt.api.domain.getattr" &&
       subject.user == "freq") {
         if (action._detail_connect_driver == 'QEMU' &&
             action._detail_domain_name == 'apache') {
           return polkit.Result.YES;
         } else {
           return polkit.Result.NO;
         }
   }
 });

4. As a non-root user 'fred' run

virsh -c qemu:///system list --all'

Note that 'fred' can now only see the 'apache' VM.

The same kind of rules can be applied to storage pools, volumes, networks, and more.

User Experience

N/A (not a System Wide Change)

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)

Documentation

Release Notes

Libvirt now supports role based access control, which allows setting rules such as 'user FOO can only start/stop/pause vm BAR'.