As a Systems Administrator, I would like to grant permissions to a certain VM using unix groups. In this example there is a hypervisor with VMs A, B, C, D and there is a group called fortadmins. The solution I am searching for would just allow fortadmins to use libvirt/virsh commands on VM D.

Does libvirt/virsh provide any way to easily accomplish this goal?

Regards,
Jamie Ian Fargen

Daniel P. Berrange
2015-Oct-20 08:30 UTC
Re: [libvirt-users] selective virsh host permissions
On Mon, Oct 19, 2015 at 01:10:15PM -0400, Jamie Fargen wrote:
> As a Systems Administrator, I would like to grant permissions to a certain
> VM using unix groups. In this example there is a hypervisor with VMs
> A, B, C, D and there is a group called fortadmins. The solution I am searching
> for would just allow fortadmins to use libvirt/virsh commands on VM D.
>
> Does libvirt/virsh provide any way to easily accomplish this goal?

You can accomplish this using polkit

  http://libvirt.org/acl.html
  http://libvirt.org/aclpolkit.html

Please note, however, that you should not grant the ability to define XML or otherwise make changes to the guest XML, as this privilege is effectively equivalent to having root. Giving users the ability to start/stop VMs is just fine. You can even prevent users from seeing each other's VMs by restricting the 'getattr' and 'read' privileges.

In current libvirt GIT there is an example file 'examples/polkit/libvirt-acl.rules'

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

Martin Kletzander
2015-Oct-20 08:49 UTC
Re: [libvirt-users] selective virsh host permissions
On Mon, Oct 19, 2015 at 01:10:15PM -0400, Jamie Fargen wrote:
>As a Systems Administrator, I would like to grant permissions to a certain
>VM using unix groups. In this example there is a hypervisor with VMs
>A, B, C, D and there is a group called fortadmins. The solution I am searching
>for would just allow fortadmins to use libvirt/virsh commands on VM D.
>
>Does libvirt/virsh provide any way to easily accomplish this goal?
>

There are ACLs for that and libvirt currently has a polkit driver. So if you have and are using PolicyKit, you are only a few steps away from setting this whole thing up. There are various links that might help you with it:

  https://libvirt.org/acl.html
  https://libvirt.org/aclpolkit.html

Then there is an example rule file in our git tree that was recently enhanced:

  https://libvirt.org/git/?p=libvirt.git;a=blob_plain;f=examples/polkit/libvirt-acl.rules;hb=HEAD

HTH,
Martin

>
>Regards,
>Jamie Ian Fargen
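
A polkit rule along the lines Daniel's reply describes, as an added example that is not part of the thread and not libvirt's own examples/polkit/libvirt-acl.rules: members of fortadmins may see, start and stop VM D and nothing else. The file name, the QEMU driver value and the `decide` helper are assumptions made for illustration.

```javascript
// Constructed example: /etc/polkit-1/rules.d/100-libvirt-fortadmins.rules
// Takes effect only with access_drivers = [ "polkit" ] in libvirtd.conf.
// Group "fortadmins" and VM "D" come from the question; the permission list
// follows the reply: start/stop and visibility, no changes to guest XML.

var GROUP = "fortadmins";
var DOMAIN = "D";
var DRIVER = "QEMU";                       // assumption: D is a QEMU/KVM guest
var PREFIX = "org.libvirt.api.domain.";
var ALLOWED = ["getattr", "read", "start", "stop"];

// Returns "yes", "no", or null when this rule does not apply to the request.
function decide(action, subject) {
    if (!subject.isInGroup(GROUP)) {
        return null;                       // other users: left to other rules
    }
    if (action.id.indexOf(PREFIX) !== 0) {
        return null;                       // connect, network, storage: not covered here
    }
    var perm = action.id.substring(PREFIX.length);
    var sameVm = action.lookup("domain_name") === DOMAIN &&
                 action.lookup("connect_driver") === DRIVER;
    if (sameVm && ALLOWED.indexOf(perm) !== -1) {
        return "yes";
    }
    // Any other VM, or write/save/delete and the rest on D, is refused.
    // Refusing getattr on A, B and C also hides them from the group.
    return "no";
}

// Register only when loaded by polkitd; outside it `polkit` is not defined.
if (typeof polkit !== "undefined") {
    polkit.addRule(function (action, subject) {
        var d = decide(action, subject);
        if (d === "yes") { return polkit.Result.YES; }
        if (d === "no") { return polkit.Result.NO; }
        return polkit.Result.NOT_HANDLED;
    });
}
```

The rule covers only `org.libvirt.api.domain.*` checks; connecting to libvirtd (`org.libvirt.unix.manage` and the `org.libvirt.api.connect.*` actions) is left to other rules.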