[libvirt-users] Libvirt access control drivers
Anastasiya Ruzhanskaya
anastasiya.ruzhanskaya at frtk.ru
Fri May 11 14:25:25 UTC 2018
I see. I also know OpenStack uses libvirt, nova-compute has a driver for
communication.
I have briefly looked through these 10 thousand lines of code in overall on
github for openstack's libvirt driver and didn't notice any user info as
well.
To make the picture full don't you know is there the same scheme there:
some high level openstack api with user information and passing only
actions to libvirt? Or nova-compute may carry some user info to libvirt
though it's interfaces ( which you then could use in your future role-based
module)?
2018-05-11 16:37 GMT+03:00 Daniel P. Berrangé <berrange at redhat.com>:
> On Fri, May 11, 2018 at 04:26:36PM +0300, Anastasiya Ruzhanskaya wrote:
> > Excuse me for renewing this discussion, but I am curious if you would add
> > new module, which will be able to process users not based on unix
> > processes, from where do you plan to get usernames? I mean, virt-manager
> > could give them, as there is authentication in GUI, but for example when
> > using oVirt, none of the usernames reach libvirt through the
> communication
> > between server and nodes.
>
> The identity attributes would have to use information that libvirt acquires
> from its authentication modules. When using TLS, if client certificates
> are
> requested by libvirtd, then we can check the x509 cert distinguished name
> field. When using SASL, if the SASL mechanism returns a username, we can
> check that.
>
> NB, we would *not* be trying to check the end user that oVirt knows about,
> rather we are authenticating oVirt itself.
>
> To check end users defined by the higher level mgmt app would require an
> extra set of functionality in the public API, to allow oVirt to do user
> impersonation with libvirt. eg libvirt would first authenticate ovirt,
> ovirt would then sya it wants to impersonate "fred" and from there all
> APIs get checked against "fred".
>
> This gets pretty difficult though, because oVirt and most similar mgmt
> apps generally only have a single connection to libvirt but are doing
> work for 100's of different users on it. So in reality it is not very
> practical for libvirt to try to validate ovirt's users.
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/
> dberrange :|
> |: https://libvirt.org -o-
> https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/
> dberrange :|
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20180511/cb8fc22a/attachment.htm>
More information about the libvirt-users
mailing list