On Wed, Dec 29, 2010 at 04:45:26PM +0000, Neil Wilson wrote:
> Hi,
>
> At the moment SASL VNC authentication in libvirt allows any of the
> userids to access any of the VNC consoles on a particular libvirt host.
> There is a section in the qemu_command code marked "TODO: Support ACLs
> later" and we would really like the ability to have per VM user
> authorization to the VNC console from within libvirt.
>
> Essentially the people who are accessing the VNC consoles are not
> administrators and have no access to the Host server - so these ACLs
> need to be completely based on a separate list of userids to any access
> mechanism for the libvirtd itself.
>
> Given that the VNC restrictions are enforced within qemu from the
> monitor system, I'm presuming the authorization list is going to have to
> be passed in via XML and be capable of being updated throughout the life
> of a VM session. Unless there's another way of doing it...
>
> What's the feeling about how this feature should be provided within
> libvirt?

Well I'd like us to have fine grained access control across users,
objects & operations, probably using the role based access control
model. Once you have such fine grained access control, then I
don't believe you have a clear-cut boundary between users of libvirtd
and users of VNC. e.g., you may well give the VNC admin access to the
'virDomainDestroy' and 'virDomainStart' commands for his own domains,
but not other people's domains. So I think we should think about the
solution to the authorization problem for both libvirtd & VNC at the
same time.

Regards,
Daniel