[libvirt] libvirt authorization

Is there any authorization mechanism in libvirt? I've got TLS going so that only those with a cert signed by my CA are allowed in, but there appears to be no way for me to only allow them access to certain VMs. Can I limit folks to specific VMs or VNC ports? Ideally I can allow access only to those VMs which they own. This is really not _that_ big of a deal because I'm advising all my admins to log out of their systems but it would give me and them peace of mind. Thoughts? Scott

On Fri, 2009-03-20 at 09:44 -0700, Scott Beardsley wrote:
Is there any authorization mechanism in libvirt? I've got TLS going so that only those with a cert signed by my CA are allowed in, but there appears to be no way for me to only allow them access to certain VMs. Can I limit folks to specific VMs or VNC ports? Ideally I can allow access only to those VMs which they own.
Hey Scott, SASL is being supported. Check out http://fedoraproject.org/wiki/Features/VirtVNCAuth I don't know how users will be mapped to domains or if that's been discussed. http://libvirt.org/formatdomain.html But http://libvirt.org/auth.html does mention how to auth users to libirtd in general.

SASL is being supported. Check out http://fedoraproject.org/wiki/Features/VirtVNCAuth
Doesn't SASL only provide an authentication (aka authN) layer? I'm looking for an authorization (aka authZ) layer. I'm using client SSL certs for authN.
I don't know how users will be mapped to domains or if that's been discussed. http://libvirt.org/formatdomain.html
I am happy to provide the user to domain map outside of libvirt. I mainly want libvirt to provide a way to enforce such relationships, and limit the management features for TLS/TCP connections.
But http://libvirt.org/auth.html does mention how to auth users to libirtd in general.
Again this appears to focus on authN (with the exception of PolicyKit which provides both). I'm not sure PolicyKit will work with TLS/TCP connections since it appears to target unix sockets only (ie local users). Scott

On Sun, Mar 22, 2009 at 12:13:26PM -0700, Scott Beardsley wrote:
SASL is being supported. Check out http://fedoraproject.org/wiki/Features/VirtVNCAuth
Doesn't SASL only provide an authentication (aka authN) layer? I'm looking for an authorization (aka authZ) layer. I'm using client SSL certs for authN.
That is correct. libvirtd currently provides TLS and SASL for their encryption and authentication capabilities. Fine grained access control is a TODO item...
Again this appears to focus on authN (with the exception of PolicyKit which provides both). I'm not sure PolicyKit will work with TLS/TCP connections since it appears to target unix sockets only (ie local users).
That is correct, PolicyKit is for UNIX domain sockets only. Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

On Fri, Mar 20, 2009 at 09:44:07AM -0700, Scott Beardsley wrote:
Is there any authorization mechanism in libvirt? I've got TLS going so that only those with a cert signed by my CA are allowed in, but there appears to be no way for me to only allow them access to certain VMs. Can I limit folks to specific VMs or VNC ports? Ideally I can allow access only to those VMs which they own.
Afraid that fine grained / role based access ccontrol over objects like domains, network, storage pools is still a TODO item Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
participants (3)
-
Dale Bewley
-
Daniel P. Berrange
-
Scott Beardsley