On Fri, Nov 30, 2012 at 06:56:28PM +0100, Natxo Asenjo wrote:
> On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange
> <berrange(a)redhat.com> wrote:
> > On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
> >> Thanks. If I may just hijack this thread: is it possible to whitelist
> >> groups instead of individual users to use virsh/virtual manager?
> >>
> >> I know sasl only deals with the authentication stuff, but here you are
> >> also authorizing in the whitelist. If this authorization could go
> >> further to allow ipa groups, that would be ideal from an admin point
> >> of view ;-)
> >
> > It is desirable, but we don't have any way to find out information about
> > groups. The authorization problem is something we've yet to really get
> > a good pluggable solution for, though perhaps policykit would help here.
>
> well, if I create a policykit policy like this:
>
> /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
>
> [libvirt Management Access]
> Identity=unix-group:libvirt
> Action=org.libvirt.unix.manage
> ResultAny=yes
> ResultInactive=yes
> ResultActive=yes
>
> and I create an ipa group, I can achieve in fact what I want. Members
> of the group may use virsh and if you have a kerberos ticket it is
> truly sso (I get a ticket from ssh, libvirt and vnc) with the original
> configuration (so no sasl, just using ssh).
Yep, as you say, this only works for real UNIX users. We basically want
to make it possible to do the same, but using the SASL / GSSAPI users
instead.

Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
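Added example, not part of the thread and not code from the libvirt or polkit projects. Newer polkit (0.106 and later) reads JavaScript rules from /etc/polkit-1/rules.d/ instead of the .pkla "local authority" files quoted above; the rule below is the .rules equivalent of Natxo's .pkla: any subject whose UNIX group list contains "libvirt" gets org.libvirt.unix.manage, everyone else falls through to the action's implicit policy. The file name is an assumption, and the `polkit` and `subject` objects marked "stub" are constructed stand-ins so the rule can be evaluated offline; real polkitd supplies those objects itself.

```javascript
// Added example (not from the thread, not libvirt or polkit project code).
// Stub of polkitd's global `polkit` object, just enough to register and walk
// rules offline. The real object is provided by polkitd.
const polkit = {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
    _rules: [],
    addRule(fn) { this._rules.push(fn); },
};

// Content of the assumed file /etc/polkit-1/rules.d/50-libvirt-remote-access.rules.
// Equivalent of the quoted .pkla: Identity=unix-group:libvirt,
// Action=org.libvirt.unix.manage, Result{Any,Inactive,Active}=yes.
polkit.addRule(function (action, subject) {
    if (action.id == "org.libvirt.unix.manage" && subject.isInGroup("libvirt")) {
        return polkit.Result.YES;
    }
    // Returning undefined lets later rules and the implicit policy decide.
});

// Stub subject (constructed). polkitd answers isInGroup() from the system group
// database via NSS, which is why an IPA group served by SSSD works here while
// a SASL/GSSAPI-only identity, as Daniel notes, has no UNIX groups to consult.
function makeSubject(user, groups) {
    return {
        user,
        isInGroup(name) { return groups.includes(name); },
    };
}

// Walk the registered rules in order, as polkitd is documented to do: the first
// rule returning something other than undefined or NOT_HANDLED decides. If no
// rule decides, the action's implicit policy from its .policy file applies,
// represented here by the string "implicit".
function authorize(actionId, subject) {
    for (const rule of polkit._rules) {
        const r = rule({ id: actionId }, subject);
        if (r !== undefined && r !== polkit.Result.NOT_HANDLED) return r;
    }
    return "implicit";
}

// Constructed sample subjects: a member of the libvirt group and a non-member.
console.log(authorize("org.libvirt.unix.manage", makeSubject("natxo", ["natxo", "libvirt"])));
console.log(authorize("org.libvirt.unix.manage", makeSubject("bob", ["bob"])));
```

One caveat a practitioner would want: the quoted .pkla sets ResultAny, ResultInactive and ResultActive all to yes, and the rule above mirrors that by ignoring whether the session is local or active. If only console-logged members should get management rights, add `subject.local && subject.active` to the condition; the polkit subject object exposes both properties.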