[libvirt-users] Libvirt access control drivers

Anastasiya Ruzhanskaya anastasiya.ruzhanskaya at frtk.ru
Fri May 11 13:26:36 UTC 2018


Excuse me for renewing this discussion, but I am curious if you would add
new module, which will be able to process users not based on unix
processes, from where do you plan to get usernames? I mean, virt-manager
could give them, as there is authentication in GUI, but for example when
using oVirt, none of the usernames reach libvirt through the communication
between server and nodes.


2018-05-09 14:46 GMT+03:00 Anastasiya Ruzhanskaya <
anastasiya.ruzhanskaya at frtk.ru>:

> Great, thanks for pointing this out. I will certainly look at it.
>
> 2018-05-09 14:41 GMT+03:00 Daniel P. Berrangé <berrange at redhat.com>:
>
>> On Wed, May 09, 2018 at 10:00:19AM +0100, Daniel P. Berrangé wrote:
>> > On Wed, May 09, 2018 at 11:50:33AM +0300, Anastasiya Ruzhanskaya wrote:
>> > > Here https://libvirt.org/acl.html is stated that you designed this
>> access
>> > > control system as pluggable. Are there any options ( even with
>> modifying
>> > > libvirt code) to plug in any custom driver?
>> > > I just need to take a try and design something that will support
>> remote
>> > > access control.
>> > > I am not sure if sVirt is the right thing I should look at.
>> >
>> > It is pluggable in the sense that we can write more backends for it
>> > without having to refactor the rest of libvirt codebase. It isn't
>> > pluggable from POV of an end user wishing to change it - it needs
>> > contribution to libvirt code to add more options.
>> >
>> > I did look at creating an SELinux plugin many years ago, but the
>> > number of new SELinux AVs to be defined was huge and I wasn't sure
>> > the complexity of policy would be practical to handle in real world.
>> > Also, SELinux with TCP adds an extra level of complexity as you now
>> > need to figure out IPSec setup to pass SELinux labels across the
>> > network from the client.
>> >
>> > Probably what we would more usefully add is a simple RBAC based
>> > module natively in libvirt.
>>
>> I forgot to say that if you want to look at writing a new impl the code
>> is kept in $GIT/src/access/.
>>
>> The current polkit impl is viraccessdriverpolkit.c. Implementing a new
>> driver involves creating a new source file with a virAccessDriver
>> struct that contains pointers to the methods that implement the desired
>> logic.
>>
>>
>> Regards,
>> Daniel
>> --
>> |: https://berrange.com      -o-    https://www.flickr.com/photos/
>> dberrange :|
>> |: https://libvirt.org         -o-
>> https://fstop138.berrange.com :|
>> |: https://entangle-photo.org    -o-    https://www.instagram.com/dber
>> range :|
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20180511/aeba751e/attachment.htm>


More information about the libvirt-users mailing list