And it is written :"At this point in time, the only attribute provided by
libvirt to identify the user invoking the operation is the PID of the
client program. This means that the polkit access control driver is only
useful if connections to libvirt are restricted to its UNIX domain socket."
2018-05-09 11:00 GMT+03:00 Daniel P. Berrangé <berrange(a)redhat.com>:
On Wed, May 09, 2018 at 09:46:28AM +0300, Anastasiya Ruzhanskaya
wrote:
> Hello!
> According to the documentation access control drivers are not in really
> "good condition". There is a polkit, but it can distinguish users only
> according the pid. However, I have met some articles about more
> fine-grained control and about selinux drivers for libvirt? So, what is
the
> status now? Should I implement something by myself if I want access based
> on login, are their instructions how to write these drivers or there is
> smth already?
The polkit access control driver is the only one we support, and it is not
something that end users can replace as this is not a public plugin system.
Any alternate impl would have to be part of libvirt core.
I'm not sure what docs you are referring to, but the polkit driver is in
perfectly good condition. It is not restricted to just checking PIDs,
in fact PID is largely irrelevant - user name and group membership are
the important things to check. Ther is an example in the source tree at
examples/polkit/libvirt-acl.rules showing a simple RBAC approach to using
polkit.
Regards,
Daniel
--
|:
https://berrange.com -o-
https://www.flickr.com/photos/
dberrange :|
|:
https://libvirt.org -o-
https://fstop138.berrange.com :|
|:
https://entangle-photo.org -o-
https://www.instagram.com/
dberrange :|