Anastasiya Ruzhanskaya
2018-May-09 06:46 UTC
[libvirt-users] Libvirt access control drivers
Hello! According to the documentation access control drivers are not in really "good condition". There is a polkit, but it can distinguish users only according the pid. However, I have met some articles about more fine-grained control and about selinux drivers for libvirt? So, what is the status now? Should I implement something by myself if I want access based on login, are their instructions how to write these drivers or there is smth already?
Daniel P. Berrangé
2018-May-09 08:00 UTC
Re: [libvirt-users] Libvirt access control drivers
On Wed, May 09, 2018 at 09:46:28AM +0300, Anastasiya Ruzhanskaya wrote:> Hello! > According to the documentation access control drivers are not in really > "good condition". There is a polkit, but it can distinguish users only > according the pid. However, I have met some articles about more > fine-grained control and about selinux drivers for libvirt? So, what is the > status now? Should I implement something by myself if I want access based > on login, are their instructions how to write these drivers or there is > smth already?The polkit access control driver is the only one we support, and it is not something that end users can replace as this is not a public plugin system. Any alternate impl would have to be part of libvirt core. I'm not sure what docs you are referring to, but the polkit driver is in perfectly good condition. It is not restricted to just checking PIDs, in fact PID is largely irrelevant - user name and group membership are the important things to check. Ther is an example in the source tree at examples/polkit/libvirt-acl.rules showing a simple RBAC approach to using polkit. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Anastasiya Ruzhanskaya
2018-May-09 08:13 UTC
Re: [libvirt-users] Libvirt access control drivers
I read this page https://libvirt.org/aclpolkit.html And it is written :"At this point in time, the only attribute provided by libvirt to identify the user invoking the operation is the PID of the client program. This means that the polkit access control driver is only useful if connections to libvirt are restricted to its UNIX domain socket." 2018-05-09 11:00 GMT+03:00 Daniel P. Berrangé <berrange@redhat.com>:> On Wed, May 09, 2018 at 09:46:28AM +0300, Anastasiya Ruzhanskaya wrote: > > Hello! > > According to the documentation access control drivers are not in really > > "good condition". There is a polkit, but it can distinguish users only > > according the pid. However, I have met some articles about more > > fine-grained control and about selinux drivers for libvirt? So, what is > the > > status now? Should I implement something by myself if I want access based > > on login, are their instructions how to write these drivers or there is > > smth already? > > The polkit access control driver is the only one we support, and it is not > something that end users can replace as this is not a public plugin system. > Any alternate impl would have to be part of libvirt core. > > I'm not sure what docs you are referring to, but the polkit driver is in > perfectly good condition. It is not restricted to just checking PIDs, > in fact PID is largely irrelevant - user name and group membership are > the important things to check. Ther is an example in the source tree at > examples/polkit/libvirt-acl.rules showing a simple RBAC approach to using > polkit. > > Regards, > Daniel > -- > |: https://berrange.com -o- https://www.flickr.com/photos/ > dberrange :| > |: https://libvirt.org -o- > https://fstop138.berrange.com :| > |: https://entangle-photo.org -o- https://www.instagram.com/ > dberrange :| >