On Fri, May 09, 2008 at 09:49:19AM +0900, Atsushi SAKAI wrote:
I have a question of libvirt with Polkit.
Currently, the libvirt w/ Polkit has 2 access control permissions.
(Read Only and Read Write)
Have you planned to expand the access control more finer?
In my use case, Policy should define by domain, operation, operator.
Of course, operator is already considered on current libvirt w/ Polkit.
So at this point, it needs to add domain and operation policy.
The use case is for many(about 100 or more) domain operation.
I just want to know how to minimize granting access control permission
of each user on libvirt in future.
PolicyKit at this time is only used to authenticate local access from
applications running in the host's desktop session. While it allows
you to make up many fine grained permissions, it doesn't let you dynamicaly
associate the permissions with individual objects. eg there is a policykit
check to determine whether a user is allowed to mount removable disks - that
applies to all removal disks - you can say disk A, but not disk B.
While we could add lots more privileges that just read-write and read-only
this would only get us part way to where we really need to be. The ideal
goal is that we can have fine grained privileges applied to individual
virtual machines, storage pools, networks, etc. The only framework that
really comes close to this level of flexibility is SELinux, so one of the
long term TODO items is to investigate whether we can integrate with SELinux
for fine grained access control.
As an example DBus uses SELinux to control who can access services on the
system bus, and what actisons they can perform. Another example is SEPostgresql
which uses SELinux to control accesss to individual tuples & colums in the
database. So it is clearly able to provide the flexibility we need and scales
to huge performance critical applications such as databases. This doesn't
make it a quick or easy task to use in libvirt though. It'll involve alot
of thought, design & development.
In the mean time, it is possible that PolicyKit might actually gain the
ability to apply authorizaation to individual objects, and also gain ability
to use SELinux as its underlying policy engine. So we have to watch what
happens there too.
There's not really any firm timeline for any of this work, but its stuff
we definitely want to get into libvirt
Dan.
--
|: Red Hat, Engineering, Boston -o-
http://people.redhat.com/berrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org -o-
http://ovirt.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|