arvind viswanathan
2013-Apr-11 17:47 UTC
[libvirt-users] Accessing libvirtd from multiple agents
Hi,

I was wondering if multiple remote agents can access the same libvirtd. How do we prevent conflicting commands from the different agents? Can different access permissions be set for the agents? (The documentation usually goes over the case where one agent can access multiple libvirtd and not this case.)

Thanks
Arvind

Michal Privoznik
2013-Apr-11 20:08 UTC
[libvirt-users] Accessing libvirtd from multiple agents
On 11.04.2013 19:47, arvind viswanathan wrote:
> Hi,
> I was wondering if multiple remote agents can access the same libvirtd.
> How do we prevent conflicting commands from the different agents. Can
> different access permission be set for the agents? (The documentation
> usually goes over the case where one agent can access multiple libvirtd
> and not this case)
> Thanks
> Arvind
>

Currently, there is no way to assign several permission bits to different users. The only division we have is RO vs RW connection. In RO connection users can just gather info about domains/networks/etc. while in RW they can do anything.

However, the ACLs have been requested several times and they are being worked on. But it's a huge amount of work so I don't really know the exact date when they're released. In fact, it's Dan Berrange who's working on it so he has some more details.

Michal

On 04/11/2013 11:47 AM, arvind viswanathan wrote:
> Hi,
> I was wondering if multiple remote agents can access the same libvirtd. How
> do we prevent conflicting commands from the different agents. Can different
> access permission be set for the agents? (The documentation usually goes
> over the case where one agent can access multiple libvirtd and not this
> case)

Yes, multiple connections can access the same libvirtd (up to max_clients in /etc/libvirt/libvirtd.conf), whether local or remote. In fact, for some APIs, such as migration, you HAVE to have two connections if you want to track progress of a long-running command (the second connection can issue non-blocking queries while the first connection is still blocked). Conflict between connections is prevented by using proper mutex locking around critical sections within libvirtd.

As for differing permissions per connection, we aren't quite there yet. Daniel Berrange is working on a patch series that will add fine-grained ACL (access control list) permissions per connection, but it is not yet complete; read the libvir-list at redhat.com archives for more details on what will be added sometime in the future.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
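
Added example, not part of the thread and not libvirt project code: since the replies say the only split is RO vs RW and that RW clients can do anything, this sketch reads a libvirtd.conf and reports which clients would get an RW connection. The sample file is constructed, and the keys other than max_clients (listen_tcp, auth_tcp, unix_sock_group, unix_sock_rw_perms, auth_unix_rw) are libvirtd.conf settings that the thread itself does not mention; it checks the file only, not what a running daemon actually exposes.

```python
import re

# Constructed sample, not taken from the thread or from any real host.
SAMPLE_CONF = '''
# /etc/libvirt/libvirtd.conf (constructed example)
max_clients = 20
listen_tls = 0
listen_tcp = 1
auth_tcp = "none"
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
auth_unix_rw = "none"
'''

# key = "string"  or  key = 123, optionally followed by a comment
LINE = re.compile(r'^\s*(\w+)\s*=\s*("([^"]*)"|\d+)\s*(#.*)?$')

def parse_conf(text):
    """Return {key: str|int} for scalar settings; comments and list values are skipped."""
    conf = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(3) if m.group(3) is not None else int(m.group(2))
    return conf

def audit(conf):
    """List who ends up with a read-write (full control) connection."""
    findings = []
    # The TCP listener hands out RW connections; with auth "none" nothing gates it.
    if conf.get("listen_tcp") == 1 and conf.get("auth_tcp") == "none":
        findings.append("tcp: unauthenticated, unencrypted remote RW access")
    rw = conf.get("unix_sock_rw_perms")
    if rw is not None and conf.get("auth_unix_rw") == "none":
        mode = int(rw, 8)
        # Connecting to a UNIX socket needs write permission on the socket file.
        if mode & 0o002:
            findings.append("unix-rw: every local user gets RW")
        elif mode & 0o020:
            group = conf.get("unix_sock_group", "<unset>")
            findings.append(f"unix-rw: members of group {group} get RW")
    if "max_clients" in conf:
        findings.append(f"limit: at most {conf['max_clients']} concurrent clients")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF)):
        print(finding)
```

Without per-connection ACLs, each line of output about RW access names a set of clients that can do anything on the host's domains, so narrowing those sets in the file is the available control.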