On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange <berrange(a)redhat.com> wrote:
On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
> > Thanks. If I may just hijack this thread: is it possible to whitelist
> > groups instead of individual users to use virsh/virtual manager?
> >
> > I know sasl only deals with the authentication stuff, but here you are
> > also authorizing in the whitelist. If this authorization could go
> > further to allow ipa groups, that would be ideal from an admin point
> > of view ;-)
> It is desirable, but we don't have any way to find out information about
> groups. The authorization problem is something we've yet to really get
> a good pluggable solution for, though perhaps policykit would help here.
well, if I create a policykit policy like this:
/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
[libvirt Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
and I create an ipa group, I can achieve in fact what I want. Members
of the group may use virsh and if you have a kerberos ticket it is
truly sso (I get a ticket from ssh, libvirt and vnc) with the original
configuration (so no sasl, just using ssh).
--
groet,
natxo
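To make the group-based authorization above concrete, here is an added example (written for this page, not code from the libvirt list thread or from the polkit project) that re-implements the matching the polkit Local Authority backend does for .pkla files: Identity entries (unix-user:/unix-group:, `*` wildcards, several separated by `;`), Action globs, and the choice between ResultActive, ResultInactive and ResultAny depending on the subject's session. The sample .pkla text embeds the stanza from the message plus a second, hypothetical "libvirt Monitor Access" stanza and the group name `libvirt-ro`, both invented for the example; group membership is passed in as constructed data rather than looked up through NSS, so it runs offline.

```python
"""Evaluate polkit Local Authority (.pkla) stanzas for a given subject.

Added example, not from the libvirt thread or the polkit project. It models
the legacy pkla backend (polkit < 0.106): each stanza lists Identity and
Action patterns and gives a result per session kind; later matching
stanzas override earlier ones. Group membership is supplied explicitly
(constructed data) instead of being resolved through NSS/sssd.
"""
import configparser
import fnmatch

# Constructed: the .pkla stanza from the thread, plus a second stanza
# (hypothetical, including the group name libvirt-ro) that only grants
# the monitor action, and only for subjects in an active local session.
PKLA_TEXT = """\
[libvirt Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

[libvirt Monitor Access]
Identity=unix-group:libvirt-ro;unix-user:nagios
Action=org.libvirt.unix.monitor
ResultAny=no
ResultInactive=no
ResultActive=yes
"""


def parse_pkla(text):
    """Parse .pkla text into a list of stanza dicts, in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: Identity, ResultAny, ...
    cp.read_string(text)
    stanzas = []
    for name in cp.sections():
        s = cp[name]
        stanzas.append({
            "name": name,
            "identities": [i.strip() for i in s["Identity"].split(";") if i.strip()],
            "actions": [a.strip() for a in s["Action"].split(";") if a.strip()],
            # A missing Result* key means the stanza says nothing for that session kind.
            "active": s.get("ResultActive"),
            "inactive": s.get("ResultInactive"),
            "any": s.get("ResultAny"),
        })
    return stanzas


def identity_matches(identity, user, groups):
    """True if one Identity entry covers the subject (user name + unix groups)."""
    kind, _, name = identity.partition(":")
    if kind == "unix-user":
        return name == "*" or name == user
    if kind == "unix-group":
        return name == "*" or name in groups
    return False  # unknown identity kinds never match


def authorize(stanzas, action, user, groups, session):
    """Return the winning Result* value, or None if no stanza applies.

    session is 'active' or 'inactive' for a local console session, or
    'any' for a subject that is not in a local session (e.g. an ssh login).
    """
    result = None
    for st in stanzas:
        if not any(identity_matches(i, user, groups) for i in st["identities"]):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in st["actions"]):
            continue
        result = st[session] or result  # later stanza wins if it has a value
    return result


if __name__ == "__main__":
    rules = parse_pkla(PKLA_TEXT)
    # A member of group libvirt (as sssd would report for an IPA group) coming in over ssh.
    print(authorize(rules, "org.libvirt.unix.manage", "natxo", {"natxo", "libvirt"}, "any"))
    # A user with no matching group gets no decision; polkit falls back to the action's default.
    print(authorize(rules, "org.libvirt.unix.manage", "bob", {"bob"}, "active"))
```

Two things worth noting when reading the results. First, a subject that reached libvirtd over ssh is not in a local console session, so ResultAny is the value that decides; the stanza in the message sets all three to `yes`, which is why it works for ssh-based virsh, whereas the hypothetical monitor stanza would deny the same user over ssh. Second, the only thing that makes an IPA group usable here is that polkit resolves the subject's unix groups through NSS, which sssd serves from IPA; polkit itself has no notion of IPA. On distributions shipping polkit 0.106 or later, the .pkla backend is gone and the same policy is written as a JavaScript rule in /etc/polkit-1/rules.d using `subject.isInGroup("libvirt")`.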