[libvirt-users] UserID Permissions: Virtual Machine Manager vs virsh and Python

I have added a user to the libvirt group on my CentOS 7.2 server and that user can successfully access the Virtual Machine Manager without authenticating as expected. This allows the user to perform all functions in the VMS as if they were root. This is acceptable as this is a private server with no outside access so security is not a real issue.
But when that same user tries to perform functions with virsh or using a Python script that uses the libvirt module, the connection is just read-only.
Why are the permissions different for these environments and what must I do to give the user r/w access in virsh or the Python script?
David Ashley

On Tue, Jan 19, 2016 at 02:36:02PM -0600, David Ashley wrote:
> I have added a user to the libvirt group on my CentOS 7.2 server and that user can successfully access the Virtual Machine Manager without authenticating as expected. This allows the user to perform all functions in the VMS as if they were root. This is acceptable as this is a private server with no outside access so security is not a real issue.
> But when that same user tries to perform functions with virsh or using a Python script that uses the libvirt module, the connection is just read-only.
> Why are the permissions different for these environments and what must I do to give the user r/w access in virsh or the Python script?
I'm guessing (really just guessing), that virt-manager tries connecting to qemu:///system, but you are connecting to your default uri which is qemu:///session for non-root users. You can try connecting to qemu:///system and that should work. If you don't want to modify the code, you can change the default uri in ~/.config/libvirt/libvirt.conf or in environment variable LIBVIRT_DEFAULT_URI (hand-typed, please re-check).
Martin
> David Ashley
_______________________________________________ libvirt-users mailing list libvirt-users@redhat.com https://www.redhat.com/mailman/listinfo/libvirt-users

On 01/20/2016 04:47 AM, Martin Kletzander wrote:
> On Tue, Jan 19, 2016 at 02:36:02PM -0600, David Ashley wrote:
>> I have added a user to the libvirt group on my CentOS 7.2 server and that user can successfully access the Virtual Machine Manager without authenticating as expected. This allows the user to perform all functions in the VMS as if they were root. This is acceptable as this is a private server with no outside access so security is not a real issue.
>> But when that same user tries to perform functions with virsh or using a Python script that uses the libvirt module, the connection is just read-only.
>> Why are the permissions different for these environments and what must I do to give the user r/w access in virsh or the Python script?
> I'm guessing (really just guessing), that virt-manager tries connecting to qemu:///system, but you are connecting to your default uri which is qemu:///session for non-root users. You can try connecting to qemu:///system and that should work. If you don't want to modify the code, you can change the default uri in ~/.config/libvirt/libvirt.conf or in environment variable LIBVIRT_DEFAULT_URI (hand-typed, please re-check).
> Martin
>> David Ashley
Thanks, that was the problem. Connecting with qemu:///system works.
David Ashley
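
Added example (not part of any message in this thread): a Python sketch of the default-URI choice Martin describes, following libvirt's documented order (LIBVIRT_DEFAULT_URI, then uri_default in the client libvirt.conf, then driver probing). The function names are hypothetical, and the probe fallback assumes QEMU/KVM is the only driver in play, as on the poster's host.

```python
import os
import re

# Client-config syntax in libvirt.conf:  uri_default = "qemu:///system"
_URI_DEFAULT = re.compile(r'^\s*uri_default\s*=\s*"([^"]*)"\s*(?:#.*)?$')


def client_config_path(env, is_root):
    """Path of the client libvirt.conf consulted for uri_default."""
    if is_root:
        return "/etc/libvirt/libvirt.conf"
    base = env.get("XDG_CONFIG_HOME") or os.path.join(env.get("HOME", ""), ".config")
    return os.path.join(base, "libvirt", "libvirt.conf")


def resolve_default_uri(env, conf_text, is_root):
    """Return (uri, source) for a connection opened without an explicit URI."""
    uri = env.get("LIBVIRT_DEFAULT_URI")
    if uri:  # an empty variable is ignored
        return uri, "LIBVIRT_DEFAULT_URI"
    for line in conf_text.splitlines():
        match = _URI_DEFAULT.match(line)
        if match and match.group(1):
            return match.group(1), "uri_default"
    # Assumption: only the QEMU driver is probed. Non-root callers land on
    # the per-user session daemon, root on the system daemon.
    return ("qemu:///system" if is_root else "qemu:///session"), "probe"


def open_system_rw():
    """Name the privileged daemon explicitly instead of relying on defaults."""
    import libvirt  # libvirt-python, imported lazily so the resolver runs without it
    return libvirt.open("qemu:///system")


if __name__ == "__main__":
    is_root = os.geteuid() == 0
    path = client_config_path(os.environ, is_root)
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError:
        text = ""  # no client config present
    print(resolve_default_uri(os.environ, text, is_root))
```

Running it as the libvirt-group user shows which daemon a bare virsh or libvirt.open() call would reach; scripts that need the system daemon are clearer when they pass qemu:///system explicitly, since that connection carries the root-equivalent access described in the first message.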

All -
I just published a new blog that provides a solution for running commands on multiple domains. This will enable you to perform the same or different commands on multiple domains using automation. The solution uses Python and its libvirt module. The blog is located at http://www.holmes4.com/wda/blogs/index.html.
I hope to present more of these examples of how to use the libvirt interface to perform meaningful tasks in the future.
W. David Ashley

On 19.02.2016 20:47, David Ashley wrote:
> All -
> I just published a new blog that provides a solution for running commands on multiple domains. This will enable you to perform the same or different commands on multiple domains using automation. The solution uses Python and its libvirt module. The blog is located at http://www.holmes4.com/wda/blogs/index.html.
> I hope to present more of these examples of how to use the libvirt interface to perform meaningful tasks in the future.
Nice. But if my NSS plugin finds its way in you will no longer need the interfaceAddresses() API as you'll be able to translate domain names into IP addresses directly via NSS (glibc feature responsible for many other things too, but in this specific case we care about gethostbyname() only).
Michal
participants (3): David Ashley, Martin Kletzander, Michal Privoznik