[libvirt] Implementing VNC per VM access control lists

Daniel P. Berrange berrange at redhat.com
Fri Jan 7 11:47:12 UTC 2011


On Thu, Jan 06, 2011 at 06:00:12PM +0000, Neil Wilson wrote:
> Having looked through this, I'm thinking that the simplest thing that
> would be useful at the moment is simply to have an option in
> the /etc/libvirt/qemu.conf that adds the acl option to the vnc switch in
> qemu.
> 
> It means that the user will have to manipulate the acls directly via the
> monitor command for the time being until the access layer is designed,
> but at least you would be able to use acls on a machine launched by
> libvirt ('change vnc' doesn't appear to activate acls unless the option
> is active on the command line to start with).
> 
> I can't find a way of doing it with 'qemu:commandline' either - since it
> is an option to an existing switch.
> 
> So I'm thinking a new option in qemu.conf (vnc_acl) which would add
> ',acl' to the vnc switch on the qemu command. By default this would bar
> access to VNC until you'd issued monitor commands to manipulate the
> access lists.

That sounds reasonable, and would not adversely impact future work
on enabling RBAC for VNC, since we likely want such a config option
anyway.

> The option only really makes sense if either vnc_tls_x509_verify or
> vnc_sasl is set as well, so it may be worth only activating 'acl' in the
> code if either of those two are also on.

If you enable 'acl' and don't add any rules to the ACL, then
no one will be able to connect. So we can't automatically
add ',acl' when either of those two options you mention are
present, because that would break all existing usage.

Regards,
Daniel
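The two caveats raised in this exchange (an ACL is only meaningful when the client can be identified via x509 verification or SASL, and an ACL with no rules refuses every client) can be turned into a pre-flight check. The script below is an added example, not code from the thread, from libvirt or from QEMU. It assumes the proposed option is spelled `vnc_acl = 1` in qemu.conf (hypothetical; the thread only proposes it), that the guest monitor is reached through `virsh qemu-monitor-command --hmp`, and that the ACL names and `acl_policy`/`acl_add`/`acl_show` commands are those documented for the QEMU human monitor. The qemu.conf fragment is constructed for the example.

```shell
#!/bin/sh
# Added example (not libvirt or QEMU code): sanity-check a qemu.conf
# fragment before enabling the proposed vnc_acl option, then print the
# monitor commands needed to populate the ACL so that at least one
# client can connect.
#
# Assumptions (hypothetical, not confirmed by the thread): the option is
# spelled "vnc_acl = 1"; the monitor is driven via
# "virsh qemu-monitor-command --hmp"; ACL names are vnc.x509dname
# (matches the client certificate DN) and vnc.username (SASL user).

# Constructed sample qemu.conf fragment (not a real host's file).
SAMPLE_CONF='
vnc_listen = "0.0.0.0"
vnc_tls = 1
vnc_tls_x509_verify = 1
vnc_sasl = 0
vnc_acl = 1
'

# conf_value CONF_TEXT KEY -> prints KEY's value, or 0 when the key is
# absent or commented out (libvirt treats unset booleans as off).
conf_value() {
    v=$(printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
        | tail -n1 | tr -d '"')
    printf '%s' "${v:-0}"
}

# acl_preflight CONF_TEXT -> returns 0 when vnc_acl is on together with an
# authentication method that yields a client identity to match against,
# 1 otherwise (with the reason on stderr).
acl_preflight() {
    acl=$(conf_value "$1" vnc_acl)
    x509=$(conf_value "$1" vnc_tls_x509_verify)
    sasl=$(conf_value "$1" vnc_sasl)
    if [ "$acl" != 1 ]; then
        echo "vnc_acl is not set: QEMU will not enforce a VNC ACL" >&2
        return 1
    fi
    if [ "$x509" = 1 ] || [ "$sasl" = 1 ]; then
        return 0
    fi
    echo "vnc_acl=1 but neither vnc_tls_x509_verify nor vnc_sasl is on:" \
         "there is no identity to match, so every client is refused" >&2
    return 1
}

# acl_commands DOMAIN ACLNAME IDENTITY -> prints the virsh invocations that
# set a deny-by-default policy, allow exactly one identity, and show the
# resulting table. Nothing is executed here; pipe to sh to apply.
acl_commands() {
    dom=$1; name=$2; id=$3
    printf 'virsh qemu-monitor-command --hmp %s "acl_policy %s deny"\n' "$dom" "$name"
    printf 'virsh qemu-monitor-command --hmp %s "acl_add %s %s allow"\n' "$dom" "$name" "$id"
    printf 'virsh qemu-monitor-command --hmp %s "acl_show %s"\n' "$dom" "$name"
}

# Stand-alone run: check the sample config, then print the commands for
# an x509-authenticated client (constructed DN).
if acl_preflight "$SAMPLE_CONF"; then
    acl_commands vm1 vnc.x509dname 'C=GB,O=Example,CN=alice'
fi
```

Run the check against the real /etc/libvirt/qemu.conf with `acl_preflight "$(cat /etc/libvirt/qemu.conf)"`; the `acl_add` match string must equal the DN (or SASL username) exactly as QEMU sees it, so copy it from `acl_show` output or the client certificate rather than typing it from memory.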
