Anastasiya Ruzhanskaya
2018-May-09 08:13 UTC
Re: [libvirt-users] Libvirt access control drivers
I read this page https://libvirt.org/aclpolkit.html
And it is written: "At this point in time, the only attribute provided by libvirt to identify the user invoking the operation is the PID of the client program. This means that the polkit access control driver is only useful if connections to libvirt are restricted to its UNIX domain socket."

2018-05-09 11:00 GMT+03:00 Daniel P. Berrangé <berrange@redhat.com>:
> On Wed, May 09, 2018 at 09:46:28AM +0300, Anastasiya Ruzhanskaya wrote:
> > Hello!
> > According to the documentation access control drivers are not in really
> > "good condition". There is a polkit, but it can distinguish users only
> > according to the pid. However, I have met some articles about more
> > fine-grained control and about selinux drivers for libvirt? So, what is the
> > status now? Should I implement something by myself if I want access based
> > on login, are there instructions how to write these drivers or there is
> > smth already?
>
> The polkit access control driver is the only one we support, and it is not
> something that end users can replace as this is not a public plugin system.
> Any alternate impl would have to be part of libvirt core.
>
> I'm not sure what docs you are referring to, but the polkit driver is in
> perfectly good condition. It is not restricted to just checking PIDs,
> in fact PID is largely irrelevant - user name and group membership are
> the important things to check. There is an example in the source tree at
> examples/polkit/libvirt-acl.rules showing a simple RBAC approach to using
> polkit.
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Daniel P. Berrangé
2018-May-09 08:14 UTC
Re: [libvirt-users] Libvirt access control drivers
On Wed, May 09, 2018 at 11:13:01AM +0300, Anastasiya Ruzhanskaya wrote:
> I read this page https://libvirt.org/aclpolkit.html
> And it is written: "At this point in time, the only attribute provided by
> libvirt to identify the user invoking the operation is the PID of the
> client program. This means that the polkit access control driver is only
> useful if connections to libvirt are restricted to its UNIX domain socket."

You've misinterpreted what that means. Libvirt provides the PID to polkit
(well actually pid + starttime), polkit uses this to identify the process
and determine its username and group membership, which is then used to
make access control decisions.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
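To make the mechanism Daniel describes concrete, here is an added example of a polkit rules file that grants libvirt API access by user group rather than by PID. It is not the thread's own code and not the `examples/polkit/libvirt-acl.rules` file he mentions. The action ids (`org.libvirt.api.domain.start`, `org.libvirt.api.domain.getattr`, ...) and the detail keys `connect_driver` and `domain_name` are taken from libvirt's ACL documentation, not from the thread; the group names `vmops` and `auditors`, the `prod-` naming convention, the users, and the small `polkit` object and `evaluate()` function (a stand-in for polkitd's rules engine so the logic can be run in Node offline) are all constructed for this demonstration. Only the `polkit.addRule(...)` call is what would actually go into a file under `/etc/polkit-1/rules.d/`.

```javascript
// Added example: libvirt RBAC via polkit rules, with a minimal stand-in for
// the polkitd rules engine so the rule logic can be exercised offline in Node.
// The polkit object, makeAction/makeSubject and evaluate() are NOT polkit code;
// they are constructed here to mimic the API a rules file sees.

// --- stand-in for what polkitd injects into a rules file (assumption) ---
const polkit = {
  // Real polkit uses these string values; NOT_HANDLED is null, meaning
  // "this rule has no opinion, try the next rule".
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  log(msg) { /* polkitd writes this to the journal; silent in the stand-in */ },
};

// action.lookup("key") returns a detail libvirt attached to the request
// (connect_driver, domain_name, ...) or undefined when it is absent.
function makeAction(id, details) {
  return { id, lookup: (k) => details[k] };
}

// polkit resolves the pid+starttime libvirt hands it to a user and groups;
// the rules file only ever sees the resolved identity.
function makeSubject(user, groups) {
  return { user, isInGroup: (g) => groups.indexOf(g) !== -1 };
}

// --- the rules file body (what would live in /etc/polkit-1/rules.d/) ---
// Written in ES5 style so polkitd's embedded JS engine accepts it as-is.
polkit.addRule(function (action, subject) {
  // Only libvirt API actions are handled here; leave everything else alone.
  if (action.id.indexOf("org.libvirt.api.") !== 0) {
    return polkit.Result.NOT_HANDLED;
  }

  // Read-only introspection of any object is open to the "auditors" group.
  if (/\.(getattr|read)$/.test(action.id) && subject.isInGroup("auditors")) {
    return polkit.Result.YES;
  }

  // "vmops" may start/stop domains, but only on the QEMU driver and only
  // for domains whose name begins with "prod-" (a constructed convention).
  if (action.id === "org.libvirt.api.domain.start" ||
      action.id === "org.libvirt.api.domain.stop") {
    var name = action.lookup("domain_name");
    if (subject.isInGroup("vmops") &&
        action.lookup("connect_driver") === "QEMU" &&
        typeof name === "string" && name.indexOf("prod-") === 0) {
      return polkit.Result.YES;
    }
  }

  // Deny every other libvirt API action explicitly rather than returning
  // NOT_HANDLED, so nothing falls through to the action's default policy.
  polkit.log("libvirt: denied " + action.id + " for " + subject.user);
  return polkit.Result.NO;
});

// --- evaluator mimicking polkitd: first rule with a non-null result wins ---
function evaluate(actionId, details, user, groups) {
  const action = makeAction(actionId, details);
  const subject = makeSubject(user, groups);
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r !== null && r !== undefined) return r;
  }
  return null; // not handled: the action's default policy applies
}

// Constructed sample decisions.
console.log(evaluate("org.libvirt.api.domain.start",
  { connect_driver: "QEMU", domain_name: "prod-web1" }, "alice", ["vmops"]));  // yes
console.log(evaluate("org.libvirt.api.domain.start",
  { connect_driver: "QEMU", domain_name: "dev-web1" }, "alice", ["vmops"]));   // no
console.log(evaluate("org.libvirt.api.domain.getattr",
  { connect_driver: "QEMU", domain_name: "prod-web1" }, "bob", ["auditors"])); // yes
```

The point the thread makes is visible in the rule: nothing in it inspects a PID. The identity polkit derives from the process (`subject.user`, `subject.isInGroup`) is all the rule consumes, while the libvirt-specific context arrives through `action.lookup()`. When testing a real rules file, compare `polkitd`'s journal output for a denied `virsh` call against the `polkit.log` line to confirm the rule, and not a default, produced the decision.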
Anastasiya Ruzhanskaya
2018-May-09 08:21 UTC
Re: [libvirt-users] Libvirt access control drivers
Ok, excuse me for misunderstanding, how is it possible then to set up access control when I use a remote connection to KVM (not in UNIX domain)? Is there any way within libvirt, maybe based on authentication or certificates?

2018-05-09 11:14 GMT+03:00 Daniel P. Berrangé <berrange@redhat.com>:
> On Wed, May 09, 2018 at 11:13:01AM +0300, Anastasiya Ruzhanskaya wrote:
> > I read this page https://libvirt.org/aclpolkit.html
> > And it is written: "At this point in time, the only attribute provided by
> > libvirt to identify the user invoking the operation is the PID of the
> > client program. This means that the polkit access control driver is only
> > useful if connections to libvirt are restricted to its UNIX domain socket."
>
> You've misinterpreted what that means. Libvirt provides the PID to polkit
> (well actually pid + starttime), polkit uses this to identify the process
> and determine its username and group membership, which is then used to
> make access control decisions.
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|