[Libvir] [Suggestion] The "ISP scenario"

Richard W.M. Jones rjones at redhat.com
Mon Nov 19 14:56:10 UTC 2007 

This pattern has come up a few times now:

ISP provides a Xen hosting service to customers.  ISP wants to provide 
some basic statistics to their customers.  The statistics could be 
provided to a customer through the libvirt remote protocol, eg:

   customer$ virsh -c xen://dom0/ dominfo mydom

But the problem with this is that (as libvirt is currently architected) 
_any_ access to dom0, if it authenticates, gives access to information 
from all domains.

We've previously discussed adding access control using something like 
SELinux (see for example: 
https://www.redhat.com/archives/libvir-list/2007-August/msg00030.html) 
but nothing much has come of it so far.

But can we solve the single common case above directly, without 
thwarting our ability to solve the bigger picture later?

My suggestion is that we add an option to /etc/libvirt/libvirtd.conf, 
something like:

   tls_restrict_dn: [
     "DN1", "name:customer1",
     "DN2", "uuid:12345678",
     "DN3", "*"
   ]

with the meaning that (presumably a customer) connecting with 
certificate DN1 could only find out information about the domain 
"customer1", DN2 similarly, DN3 is a privileged client, and any other DN 
would be rejected.

(Compare and contrast to tls_allowed_dn_list: 
http://libvirt.org/remote.html#Remote_libvirtd_configuration)

An implementation of this would modify the call to virConnectOpen to add 
an additional flag (or call?) allowing the access control to be passed, 
and this would have to be checked in the relevant virDomain* calls.

This is not dissimilar to how read-only connections are implemented in 
libvirtd currently.

I would also suggest as a matter of course that we modify all public API 
calls in src/libvirt.c to add a call to a generic permission checking 
routine, for example:

int
virDomainSuspend(virDomainPtr domain)
{
     virConnectPtr conn;
     DEBUG("domain=%p", domain);

     if (!VIR_IS_CONNECTED_DOMAIN(domain)) {
         virLibDomainError(NULL, VIR_ERR_INVALID_DOMAIN, __FUNCTION__);
         return (-1);
     }
-    if (domain->conn->flags & VIR_CONNECT_RO) {
-        virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-        return (-1);
-    }
+    if (!check_permission (domain, OP_SUSPEND)) return -1;

With the initial implementation of check_permission just doing the 
VIR_CONNECT_RO check to start with, but able to do other checks in future.

Also relevant to this is SASL support, see: 
https://www.redhat.com/archives/libvir-list/2007-November/msg00005.html 
since AIUI this changes the possible formats for Distinguished Names, or 
could even make DNs irrelevant.

Rich.

-- 
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom.  Registered in
England and Wales under Company Registration No. 03798903
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3237 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20071119/ab34bb71/attachment-0001.bin>

More information about the libvir-list mailing list