Anastasiya Ruzhanskaya
2018-May-09 08:50 UTC
Re: [libvirt-users] Libvirt access control drivers
Here https://libvirt.org/acl.html is stated that you designed this access control system as pluggable. Are there any options ( even with modifying libvirt code) to plug in any custom driver? I just need to take a try and design something that will support remote access control. I am not sure if sVirt is the right thing I should look at. 2018-05-09 11:27 GMT+03:00 Daniel P. Berrangé <berrange@redhat.com>:> On Wed, May 09, 2018 at 11:21:22AM +0300, Anastasiya Ruzhanskaya wrote: > > Ok, excuse me for misunderstanding, how it is possible then to set up > > access control when I use remote connection to KVM ( not in UNIX domain)? > > Is there any way within libvirt, maybe based on authentication or > > certificates? > > Unfortunately we don't have a solution for fine grained access control > when using remote TCP access. We had a feature request against polkit > to allow passing it identity information such as certificate distinguished > name, but that was rejected :-( > > Regards, > Daniel > -- > |: https://berrange.com -o- https://www.flickr.com/photos/ > dberrange :| > |: https://libvirt.org -o- > https://fstop138.berrange.com :| > |: https://entangle-photo.org -o- https://www.instagram.com/ > dberrange :| >
Daniel P. Berrangé
2018-May-09 09:00 UTC
Re: [libvirt-users] Libvirt access control drivers
On Wed, May 09, 2018 at 11:50:33AM +0300, Anastasiya Ruzhanskaya wrote:> Here https://libvirt.org/acl.html is stated that you designed this access > control system as pluggable. Are there any options ( even with modifying > libvirt code) to plug in any custom driver? > I just need to take a try and design something that will support remote > access control. > I am not sure if sVirt is the right thing I should look at.It is pluggable in the sense that we can write more backends for it without having to refactor the rest of libvirt codebase. It isn't pluggable from POV of an end user wishing to change it - it needs contribution to libvirt code to add more options. I did look at creating an SELinux plugin many years ago, but the number of new SELinux AVs to be defined was huge and I wasn't sure the complexity of policy would be practical to handle in real world. Also, SELinux with TCP adds an extra level of complexity as you now need to figure out IPSec setup to pass SELinux labels across the network from the client. Probably what we would more usefully add is a simple RBAC based module natively in libvirt.> 2018-05-09 11:27 GMT+03:00 Daniel P. Berrangé <berrange@redhat.com>: > > > On Wed, May 09, 2018 at 11:21:22AM +0300, Anastasiya Ruzhanskaya wrote: > > > Ok, excuse me for misunderstanding, how it is possible then to set up > > > access control when I use remote connection to KVM ( not in UNIX domain)? > > > Is there any way within libvirt, maybe based on authentication or > > > certificates? > > > > Unfortunately we don't have a solution for fine grained access control > > when using remote TCP access. We had a feature request against polkit > > to allow passing it identity information such as certificate distinguished > > name, but that was rejected :-( > > > > Regards, > > Daniel > > -- > > |: https://berrange.com -o- https://www.flickr.com/photos/ > > dberrange :| > > |: https://libvirt.org -o- > > https://fstop138.berrange.com :| > > |: https://entangle-photo.org -o- https://www.instagram.com/ > > dberrange :| > >Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Daniel P. Berrangé
2018-May-09 11:41 UTC
Re: [libvirt-users] Libvirt access control drivers
On Wed, May 09, 2018 at 10:00:19AM +0100, Daniel P. Berrangé wrote:> On Wed, May 09, 2018 at 11:50:33AM +0300, Anastasiya Ruzhanskaya wrote: > > Here https://libvirt.org/acl.html is stated that you designed this access > > control system as pluggable. Are there any options ( even with modifying > > libvirt code) to plug in any custom driver? > > I just need to take a try and design something that will support remote > > access control. > > I am not sure if sVirt is the right thing I should look at. > > It is pluggable in the sense that we can write more backends for it > without having to refactor the rest of libvirt codebase. It isn't > pluggable from POV of an end user wishing to change it - it needs > contribution to libvirt code to add more options. > > I did look at creating an SELinux plugin many years ago, but the > number of new SELinux AVs to be defined was huge and I wasn't sure > the complexity of policy would be practical to handle in real world. > Also, SELinux with TCP adds an extra level of complexity as you now > need to figure out IPSec setup to pass SELinux labels across the > network from the client. > > Probably what we would more usefully add is a simple RBAC based > module natively in libvirt.I forgot to say that if you want to look at writing a new impl the code is kept in $GIT/src/access/. The current polkit impl is viraccessdriverpolkit.c. Implementing a new driver involves creating a new source file with a virAccessDriver struct that contains pointers to the methods that implement the desired logic. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|