On Mon, Dec 05, 2011 at 06:41:54PM +0100, Reeted wrote:
> Hello libvirt people,
> is there a (preferably simple) way in Linux to allow a certain set
> of users to be able to do:
>
>   virt-viewer --connect qemu+ssh://username@virthost/system vmname
>
> for connecting to virt-viewer BUT without letting them do all the
> other things that can be done with virsh?
>
> I know that if I add them to the libvirtd and kvm groups, they will
> be able to connect with virt-viewer to any virtual machine AND ALSO
> do any virsh command on any virtual machine. This is too much
> permission.
>
> I can accept the first part (a way to allow a group of users to
> connect with virt-viewer to all the virtual machines of the host)
> since more restriction can be enforced by using VNC passwords... But
> if they are also able to do anything in virsh that's too much.

virt-viewer only requires a read-only connection to libvirt. So
you only need to give them permissions to access the read-only
UNIX domain socket.

I'm currently working on finer grained access controls for libvirt
that will allow even tighter restrictions in the future, but that's
a couple of months away.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
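
An added example, not part of the original message or of libvirt: a small audit that reports whether an account's file permissions let it reach only the read-only socket or also the read-write one. The socket paths are assumed defaults and the function names are hypothetical; any PolicyKit or SASL authentication layered on top of the sockets is not evaluated.

```python
import os
import pwd
import stat
import sys

# Assumed default socket locations; adjust for your distribution.
RO_SOCKET = "/var/run/libvirt/libvirt-sock-ro"
RW_SOCKET = "/var/run/libvirt/libvirt-sock"


def can_connect(mode, owner_uid, owner_gid, uid, gids):
    """connect() on a UNIX socket needs write permission on the socket file.

    POSIX picks exactly one permission class: owner, else group, else other.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def classify(ro_ok, rw_ok):
    """Map socket reachability to the privilege level it implies."""
    if rw_ok:
        return "full-control"   # every virsh command is available
    if ro_ok:
        return "read-only"      # the level the reply says virt-viewer needs
    return "no-access"


def audit_user(username, ro_path=RO_SOCKET, rw_path=RW_SOCKET):
    """Classify one local account against the live socket files."""
    pw = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, pw.pw_gid))
    reach = []
    for path in (ro_path, rw_path):
        st = os.stat(path)
        reach.append(can_connect(st.st_mode, st.st_uid, st.st_gid,
                                 pw.pw_uid, gids))
    return classify(*reach)


if __name__ == "__main__":
    # Usage: run on the virtualization host with the account names to check.
    for name in sys.argv[1:]:
        print(f"{name}: {audit_user(name)}")
```

Any account reported as full-control can run every virsh command, so only accounts reported as read-only match the restriction asked for in the question.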