4:54 p.m.
Hi all,
for a shared desktop configuration, is there an option to grant the permission to start,
stop, pause or resume the kvm guest only?
User roles in shared desktop environment configuration:
Power user - fully manage libvirt / KVM guests
Regular user - start, stop, pause and resume libvirt / KVM guests
In other words, we are looking for an opportunity to:
a) prevent regular users from modifying the libvirt / kvm guest but
b) enable them to start, stop, pause, resume libvirt / kvm guests
Currently I see two options:
a) No specific libvirt permission:
Regular users cannot start a virtual guest (without help).
If users forget to shutdown the kvm client and try to poweroff the Linux
system, they are asked for an admin/management user password to stop the
virtual machine. So they need help to shutdown their machine - not good.
b) Enable libvirt manage via policy kit:
"manage" permission can be granted via overruling the
default org.libvirt.unix.manage policy kit action.
The manage right enables to modify the libvirt / kvm guest, which is too much in our
case.
Is there an option to grant the start/stop/pause/resume permission only? Does libvirt
offer this kind of granularity?
Kind regards,
Thorsten Hesemeyer
5:07 p.m.
On 12.04.2013 13:24, Thorsten Hesemeyer wrote:
Hi all,
for a shared desktop configuration, is there an option to grant the permission to start,
stop, pause or resume the kvm guest only?
Short answer: No.
Long answer: No. This question pops up from time to time. Last time it
emerged just two days ago:
https://www.redhat.com/archives/libvirt-users/2013-April/msg00118.html
Michal
8:47 p.m.
On Fri, Apr 12, 2013 at 01:37:07PM +0200, Michal Privoznik wrote:
On 12.04.2013 13:24, Thorsten Hesemeyer wrote:
> Hi all,
>
> for a shared desktop configuration, is there an option to grant the permission to
start, stop, pause or resume the kvm guest only?
Short answer: No.
Long answer: No. This question pops up from time to time. Last time it
emerged just two days ago:
https://www.redhat.com/archives/libvirt-users/2013-April/msg00118.html
Longer answer, I think the ACL work Dan is currently doing will
support this, although I'm only guessing at that.
Dave
9:41 p.m.
On Fri, Apr 12, 2013 at 11:17:12AM -0400, Dave Allan wrote:
On Fri, Apr 12, 2013 at 01:37:07PM +0200, Michal Privoznik wrote:
> On 12.04.2013 13:24, Thorsten Hesemeyer wrote:
> > Hi all,
> >
> > for a shared desktop configuration, is there an option to grant the permission
to start, stop, pause or resume the kvm guest only?
>
> Short answer: No.
> Long answer: No. This question pops up from time to time. Last time it
> emerged just two days ago:
>
> https://www.redhat.com/archives/libvirt-users/2013-April/msg00118.html
Longer answer, I think the ACL work Dan is currently doing will
support this, although I'm only guessing at that.
Yes, this usecase is an explicit goal
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4291
days inactive
4291
days old
3 comments
4 participants
participants (4)
-
Daniel P. Berrange -
Dave Allan -
Michal Privoznik -
Thorsten Hesemeyer