Anastasiya Ruzhanskaya
2018-May-09 08:21 UTC
Re: [libvirt-users] Libvirt access control drivers
Ok, excuse me for misunderstanding. How is it possible then to set up access control when I use a remote connection to KVM (not over a UNIX domain socket)? Is there any way within libvirt, maybe based on authentication or certificates?

2018-05-09 11:14 GMT+03:00 Daniel P. Berrangé <berrange@redhat.com>:

> On Wed, May 09, 2018 at 11:13:01AM +0300, Anastasiya Ruzhanskaya wrote:
> > I read this page https://libvirt.org/aclpolkit.html
> > And it is written: "At this point in time, the only attribute provided by
> > libvirt to identify the user invoking the operation is the PID of the
> > client program. This means that the polkit access control driver is only
> > useful if connections to libvirt are restricted to its UNIX domain socket."
>
> You've misinterpreted what that means. Libvirt provides the PID to polkit
> (well, actually pid + starttime), polkit uses this to identify the process
> and determine its username and group membership, which is then used to
> make access control decisions.
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
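Daniel's explanation quoted above (libvirt hands polkit the client's pid + starttime, polkit resolves that to a username and groups, and the rules decide) can be made concrete with an added example that is not from this thread or from libvirt: a small JavaScript stand-in for the polkit rules engine that evaluates two libvirt ACL rules written in the real polkit rules syntax. The org.libvirt.api.* action ids and the connect_driver / domain_name details are the ones libvirt's polkit driver really passes; the group virtadmin, the user fred and the deny-by-default fallback are constructed for this example.

```javascript
// Added example, not code from the thread or from libvirt. A minimal stand-in
// for polkit's rules engine so that libvirt ACL rules can be evaluated offline.
// Action ids (org.libvirt.api.*) and details (connect_driver, domain_name) are
// what libvirt's polkit ACL driver really supplies; the "virtadmin" group and
// the user "fred" are constructed for illustration.
const polkit = {
  Result: { YES: "yes", NO: "no" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// Rule 1: members of group virtadmin may invoke any libvirt API on the QEMU driver.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.libvirt.api.") === 0 &&
      action.lookup("connect_driver") === "QEMU" &&
      subject.isInGroup("virtadmin")) {
    return polkit.Result.YES;
  }
});

// Rule 2: user fred may only start and stop the single domain "demo".
polkit.addRule(function (action, subject) {
  const allowed = ["org.libvirt.api.domain.start", "org.libvirt.api.domain.stop"];
  if (allowed.includes(action.id) &&
      subject.user === "fred" &&
      action.lookup("domain_name") === "demo") {
    return polkit.Result.YES;
  }
});

// Evaluate the way polkit does: rules run in order and the first one that
// returns a Result wins. The subject is the identity polkit derived from the
// client's pid + starttime (username and groups). With no UNIX-socket peer
// there is no such identity, so this stand-in denies; it also denies when no
// rule answers (assumed default; real polkit would consult libvirt's .policy).
function checkAccess(actionId, details, subject) {
  if (!subject) return polkit.Result.NO;
  const action = { id: actionId, lookup: (key) => details[key] };
  const subj = { user: subject.user, isInGroup: (g) => subject.groups.includes(g) };
  for (const rule of polkit.rules) {
    const result = rule(action, subj);
    if (result !== undefined) return result;
  }
  return polkit.Result.NO;
}
```

On a real host the two addRule calls would live in a file under /etc/polkit-1/rules.d/ and the subject would come from the UNIX-socket peer credentials; a TCP client carries no local pid, which is why the driver is only useful over the UNIX socket.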
Daniel P. Berrangé
2018-May-09 08:27 UTC
Re: [libvirt-users] Libvirt access control drivers
On Wed, May 09, 2018 at 11:21:22AM +0300, Anastasiya Ruzhanskaya wrote:
> Ok, excuse me for misunderstanding. How is it possible then to set up
> access control when I use a remote connection to KVM (not over a UNIX domain socket)?
> Is there any way within libvirt, maybe based on authentication or
> certificates?

Unfortunately we don't have a solution for fine-grained access control when using remote TCP access. We had a feature request against polkit to allow passing it identity information such as the certificate distinguished name, but that was rejected :-(

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Anastasiya Ruzhanskaya
2018-May-09 08:50 UTC
Re: [libvirt-users] Libvirt access control drivers
Here, https://libvirt.org/acl.html states that you designed this access control system as pluggable. Are there any options (even with modifying libvirt code) to plug in a custom driver? I just want to try and design something that will support remote access control. I am not sure if sVirt is the right thing I should look at.

2018-05-09 11:27 GMT+03:00 Daniel P. Berrangé <berrange@redhat.com>:

> On Wed, May 09, 2018 at 11:21:22AM +0300, Anastasiya Ruzhanskaya wrote:
> > Ok, excuse me for misunderstanding. How is it possible then to set up
> > access control when I use a remote connection to KVM (not over a UNIX domain socket)?
> > Is there any way within libvirt, maybe based on authentication or
> > certificates?
>
> Unfortunately we don't have a solution for fine-grained access control
> when using remote TCP access. We had a feature request against polkit
> to allow passing it identity information such as the certificate distinguished
> name, but that was rejected :-(
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Anastasiya Ruzhanskaya
2018-Nov-21 15:21 UTC
Re: [libvirt-users] Libvirt access control drivers
Hello! Excuse me for renewing this discussion. You mentioned that you can't send identity information over the remote channel in libvirt. In virt-manager, which directly uses libvirt's remote functionality, there are such fields (attached, "username"). What are they used for? Are they used somehow in the sent packets?

On Wed, 9 May 2018 at 11:27, Daniel P. Berrangé <berrange@redhat.com> wrote:

> On Wed, May 09, 2018 at 11:21:22AM +0300, Anastasiya Ruzhanskaya wrote:
> > Ok, excuse me for misunderstanding. How is it possible then to set up
> > access control when I use a remote connection to KVM (not over a UNIX domain socket)?
> > Is there any way within libvirt, maybe based on authentication or
> > certificates?
>
> Unfortunately we don't have a solution for fine-grained access control
> when using remote TCP access. We had a feature request against polkit
> to allow passing it identity information such as the certificate distinguished
> name, but that was rejected :-(
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|