[libvirt-users] [Freeipa-users] libvirt with vnc freeipa

Natxo Asenjo natxo.asenjo at gmail.com
Fri Nov 30 17:56:28 UTC 2012


On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:

>> Thanks. If I may just hijack this thread: is it possible to whitelist
>> groups instead of individual users to use virsh/virtual manager?
>>
>> I know sasl only deals with the authentication stuff, but here you are
>> also authorizing in the whitelist. If this authorization could go
>> further to allow ipa groups, that would be ideal from an admin point
>> of view ;-)
>
> It is desirable, but we don't have any way to find out information about
> groups. The authorization problem is something we've yet to really get
> a good pluggable solution for, though perhaps policykit would help here.

well, if I create a policykit policy like this:

/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla

[libvirt Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

and I create an ipa group, I can achieve in fact what I want. Members
of the group may use virsh and if you have a kerberos ticket it is
truly sso (I get a ticket from ssh, libvirt and vnc) with the original
configuration (so no sasl, just using ssh).

-- 
groet,
natxo
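
An added example, not part of the original message: a small audit helper that parses `.pkla` text and reports which identities are granted a libvirt polkit action, and whether the grant comes from `ResultAny`, the key that covers subjects outside a local console session such as the ssh logins described above. The function names and the second sample entry are hypothetical, and `fnmatch` is used as an approximation of polkit's glob matching.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: the policy from the message plus a hypothetical second entry.
SAMPLE_PKLA = """\
[libvirt Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

[Local monitor only]
Identity=unix-user:monitor;unix-group:ops
Action=org.libvirt.unix.*
ResultActive=yes
"""

def split_list(value):
    # Identity and Action are semicolon-separated lists of globs.
    return [v.strip() for v in value.split(";") if v.strip()]

def grants(pkla_text, action="org.libvirt.unix.manage"):
    """Return one dict per .pkla entry whose Action globs match `action`."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.optionxform = str  # keep key case (ResultAny, not resultany)
    cp.read_string(pkla_text)
    found = []
    for name in cp.sections():
        sec = cp[name]
        globs = split_list(sec.get("Action", ""))
        if not any(fnmatchcase(action, g) for g in globs):
            continue
        found.append({
            "entry": name,
            "identities": split_list(sec.get("Identity", "")),
            "remote": sec.get("ResultAny", "").strip() == "yes",
            "local_active": sec.get("ResultActive", "").strip() == "yes",
        })
    return found

def remote_identities(pkla_text, action="org.libvirt.unix.manage"):
    """Identities that get `action` without a local session (ResultAny=yes)."""
    ids = {i for g in grants(pkla_text, action) if g["remote"]
           for i in g["identities"]}
    return sorted(ids)

if __name__ == "__main__":
    for g in grants(SAMPLE_PKLA):
        print(g)
```

Running it over the files in `/etc/polkit-1/localauthority/` shows which groups, including IPA-managed ones, currently hold libvirt management rights on a host.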