
On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange <berrange@redhat.com> wrote:
On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
Thanks. If I may just hijack this thread: is it possible to whitelist groups instead of individual users to use virsh/virtual manager?
I know SASL only deals with the authentication stuff, but here you are also authorizing in the whitelist. If this authorization could go further to allow IPA groups, that would be ideal from an admin point of view ;-)
It is desirable, but we don't have any way to find out information about groups. The authorization problem is something we've yet to really get a good pluggable solution for, though perhaps policykit would help here.
well, if I create a policykit policy like this:

/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla

    [libvirt Management Access]
    Identity=unix-group:libvirt
    Action=org.libvirt.unix.manage
    ResultAny=yes
    ResultInactive=yes
    ResultActive=yes

and I create an IPA group, I can achieve in fact what I want. Members of the group may use virsh, and if you have a Kerberos ticket it is truly SSO (I get a ticket from ssh, libvirt and vnc) with the original configuration (so no SASL, just using ssh).

--
groet,
natxo
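Editor's note: the following is an added example, not code from the thread or from libvirt/polkit. It is a small Python model of how a polkit Local Authority (.pkla) section like the one above is evaluated against a connecting user: identities and actions are ';'-separated, actions may use shell-style globs, and the three Result* keys decide the outcome for active, inactive and session-less ("any") subjects. Two things it makes visible that the mail does not spell out: why the file sets ResultAny and ResultInactive as well as ResultActive (an SSH login is not an active console session, so ResultActive alone would leave remote users on the action's default), and that group membership is resolved through the normal NSS group database, which is why an IPA/SSSD group works here. The PKLA_TEXT and PKLA_ACTIVE_ONLY strings are constructed for the example, and the "last matching section wins, unset keys leave the result unchanged" rule is a simplification that ignores polkit's per-directory priority ordering.

```python
"""Toy evaluator for polkit Local Authority (.pkla) files.

Added example (not from the libvirt thread or the polkit sources). It
models one .pkla file: sections are scanned in order, a section applies
when both Identity and Action match, and the Result* key for the
subject's session kind sets the outcome. Unset keys leave the outcome
unchanged (assumption mirroring polkit's "unknown" implicit result).
"""
import fnmatch
import configparser
from dataclasses import dataclass

# Constructed .pkla text mirroring the one posted in the thread.
PKLA_TEXT = """\
[libvirt Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
"""

# Constructed variant that only grants active console sessions; an SSH
# login (inactive / no seat) falls through to the action's default.
PKLA_ACTIVE_ONLY = """\
[libvirt Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.*
ResultActive=yes
"""

_SESSION_KEY = {"active": "ResultActive",
                "inactive": "ResultInactive",
                "any": "ResultAny"}


@dataclass
class Subject:
    user: str
    groups: set          # unix group names the user belongs to
    session: str = "any"  # "active", "inactive" or "any" (no local session)


def identity_matches(identity_field: str, subj: Subject) -> bool:
    """True if any 'unix-user:NAME' or 'unix-group:NAME' entry matches."""
    for ident in identity_field.split(";"):
        kind, _, name = ident.strip().partition(":")
        if kind == "unix-user" and name == subj.user:
            return True
        if kind == "unix-group" and name in subj.groups:
            return True
        # unix-netgroup:NAME is not modelled in this example.
    return False


def action_matches(action_field: str, action_id: str) -> bool:
    """Actions are ';'-separated and may contain shell-style globs."""
    return any(fnmatch.fnmatchcase(action_id, pat.strip())
               for pat in action_field.split(";") if pat.strip())


def evaluate(pkla_text: str, subj: Subject, action_id: str):
    """Return the Result* value (e.g. 'yes', 'auth_admin') or None.

    None means no section decided the outcome and polkit would fall back
    to the action's implicit authorization from its .policy file.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'ResultAny' etc. case-sensitive
    cp.read_string(pkla_text)
    key = _SESSION_KEY[subj.session]
    result = None
    for name in cp.sections():
        sec = cp[name]
        if (identity_matches(sec.get("Identity", ""), subj)
                and action_matches(sec.get("Action", ""), action_id)):
            # Last matching section wins; an absent key changes nothing.
            result = sec.get(key, result)
    return result


def groups_of(user: str) -> set:
    """Resolve a user's groups via NSS (so SSSD/IPA groups are included).

    Not used by the tests; it touches the local account database.
    """
    import os
    import pwd
    import grp
    pw = pwd.getpwnam(user)
    gids = os.getgrouplist(user, pw.pw_gid)
    return {grp.getgrgid(g).gr_name for g in gids}


if __name__ == "__main__":
    ssh_user = Subject("natxo", {"natxo", "libvirt"}, session="any")
    print("natxo over ssh, full file:", evaluate(PKLA_TEXT, ssh_user,
                                                 "org.libvirt.unix.manage"))
    print("natxo over ssh, active-only file:",
          evaluate(PKLA_ACTIVE_ONLY, ssh_user, "org.libvirt.unix.manage"))
```

Usage: `python3 pkla_eval.py` prints "yes" for the posted file and "None" for the active-only variant, which is the case an administrator hits when copying a desktop-oriented .pkla for remote virsh use. Note that polkit 0.106 and later replaced .pkla files with JavaScript .rules files, so on newer distributions the same group check is written as a rule calling `subject.isInGroup("libvirt")`.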