11:44 a.m.
Is there any authorization mechanism in libvirt? I've got TLS going so
that only those with a cert signed by my CA are allowed in, but there
appears to be no way for me to only allow them access to certain VMs.
Can I limit folks to specific VMs or VNC ports? Ideally I can allow
access only to those VMs which they own.
This is really not _that_ big of a deal because I'm advising all my
admins to log out of their systems but it would give me and them peace
of mind.
Thoughts?
Scott
8:35 p.m.
On Fri, 2009-03-20 at 09:44 -0700, Scott Beardsley wrote:
Is there any authorization mechanism in libvirt? I've got TLS
going so
that only those with a cert signed by my CA are allowed in, but there
appears to be no way for me to only allow them access to certain VMs.
Can I limit folks to specific VMs or VNC ports? Ideally I can allow
access only to those VMs which they own.
Hey Scott,
SASL is being supported.
Check out http://fedoraproject.org/wiki/Features/VirtVNCAuth
I don't know how users will be mapped to domains or if that's been
discussed.
http://libvirt.org/formatdomain.html
But http://libvirt.org/auth.html does mention how to auth users to
libirtd in general.
2:13 p.m.
SASL is being supported.
Check out http://fedoraproject.org/wiki/Features/VirtVNCAuth
Doesn't SASL only provide an authentication (aka authN) layer? I'm
looking for an authorization (aka authZ) layer. I'm using client SSL
certs for authN.
I don't know how users will be mapped to domains or if that's
been
discussed.
http://libvirt.org/formatdomain.html
I am happy to provide the user to domain map outside of libvirt. I
mainly want libvirt to provide a way to enforce such relationships, and
limit the management features for TLS/TCP connections.
But http://libvirt.org/auth.html does mention how to auth users to
libirtd in general.
Again this appears to focus on authN (with the exception of PolicyKit
which provides both). I'm not sure PolicyKit will work with TLS/TCP
connections since it appears to target unix sockets only (ie local users).
Scott
4:29 a.m.
On Sun, Mar 22, 2009 at 12:13:26PM -0700, Scott Beardsley wrote:
> SASL is being supported.
> Check out http://fedoraproject.org/wiki/Features/VirtVNCAuth
Doesn't SASL only provide an authentication (aka authN) layer? I'm
looking for an authorization (aka authZ) layer. I'm using client SSL
certs for authN.
That is correct. libvirtd currently provides TLS and SASL for their
encryption and authentication capabilities.
Fine grained access control is a TODO item...
Again this appears to focus on authN (with the exception of
PolicyKit
which provides both). I'm not sure PolicyKit will work with TLS/TCP
connections since it appears to target unix sockets only (ie local users).
That is correct, PolicyKit is for UNIX domain sockets only.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
4:30 a.m.
On Fri, Mar 20, 2009 at 09:44:07AM -0700, Scott Beardsley wrote:
Is there any authorization mechanism in libvirt? I've got TLS
going so
that only those with a cert signed by my CA are allowed in, but there
appears to be no way for me to only allow them access to certain VMs.
Can I limit folks to specific VMs or VNC ports? Ideally I can allow
access only to those VMs which they own.
Afraid that fine grained / role based access ccontrol over objects like
domains, network, storage pools is still a TODO item
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
5724
days inactive
5727
days old
4 comments
3 participants
participants (3)
-
Dale Bewley -
Daniel P. Berrange -
Scott Beardsley