[libvirt] ACLs for libvirt
Daniel Veillard
veillard at redhat.com
Thu Nov 24 06:08:31 UTC 2011
On Wed, Nov 23, 2011 at 12:27:27PM -0500, Dave Allan wrote:
> On Wed, Nov 23, 2011 at 06:17:46PM +0100, Michal Privoznik wrote:
> > Hi all,
> >
> > I'd like to implement this new feature for libvirt. However, I think we
> > should settle down on design first. My biggest concern is choosing the
> > right level on on which ACLs will be implemented. Should be interested
> > only in (user, API), or with more granularity (user, API, API's parameters)?
> > Or should we take the RBAC path?
> > How should we even identify and authorize users?
> >
> > My initial though is to create framework which can be used then to
> > implement ACLs on any level we want.
>
> My $.02 is that this has the potential to be such a huge project that
> we need to come up with a design that lets us bite off as much as we
> want at one time, leaving the rest of libvirt's functionality
> operating as it always has. So, for example, we could start by
> creating an ACL that would let a particular user boot and shutdown but
> not edit a VM; later when we wanted to let particular users connect to
> the VM's console, we could implement that, and so on. It needs to be
> done in a consistent way so that future additions are clearly slotted
> into the existing design.
I tend to agree, I think like for the security module, we should provide
an access control driver API with exhaustive parameters, but as a first
step implement a simple user based driver. We just need to make sure
that it would allow to implement a full RBAC kind of driver.
It seems to me that the driver just need to plug in the API entry
points, i.e. mostly libvirt.c.
I would probably not pass all APIs parameters at the API level
but some function ID, and main arguments:
- connection
- domain
- network
- interface
- pool
- vol
- device
- snapshot
- secret
- stream
- ...
- and some kind of string (could be used for xml, uuid, device path, or
migration URI for example)
The first use of that driver could be to implemenent the read-only
mode of connections internally. Might indicate that being able to
stack multiple access control driver as an interesting feature (i.e.
how to finer restrict read-only mode with extra rules).
I think a lot of the code in the driver front-end should be fairly
mechanical ... dunno if we should generate it from the API description
though, just an idea.
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel at veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
More information about the libvir-list
mailing list