[libvirt] Group for accessing one/all VM graphics and not virsh
Daniel P. Berrange
berrange at redhat.com
Tue Dec 6 10:12:59 UTC 2011
On Mon, Dec 05, 2011 at 06:41:54PM +0100, Reeted wrote:
> Hello libvirt people,
>
> is there a (preferably simple) way in Linux to allow a certain set
> of users to be able to do:
>
> virt-viewer --connect qemu+ssh://username@virthost/system vmname
>
> for connecting to virt-viewer BUT without letting them do all the
> other things that can be done with virsh?
>
> I know that if I add them to the libvirtd and kvm groups, they will
> be able to connect with virt-viewer to any virtual machine AND ALSO
> do any virsh command on any virtual machine. This is too much
> permission.
>
> I can accept the first part (a way to allow a group of users to
> connect with virt-viewer to all the virtual machines of the host)
> since more restriction can be enforced by using VNC passwords... But
> if they are also able to do anything in virsh that's too much.

virt-viewer only requires a read-only connection to libvirt. So
you only need to give them permissions to access the read-only
UNIX domain socket.

I'm currently working on finer grained access controls for libvirt
that will allow even tighter restrictions in the future, but that's
a couple of months away.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
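
A way to check the split described in the reply, as an added example that is not part of the original message or of libvirt: it reads the `unix_sock_group`, `unix_sock_ro_perms` and `unix_sock_rw_perms` settings from a constructed libvirtd.conf excerpt and reports which of the two sockets a given account could open. The accounts `alice` and `bob` are hypothetical; it assumes the sockets are owned by root, that all three keys are set explicitly, and that no further authentication (`auth_unix_ro` / `auth_unix_rw`) is layered on top.

```python
import re

# Constructed libvirtd.conf excerpt (not taken from the thread).
SAMPLE_CONF = '''
# /etc/libvirt/libvirtd.conf
unix_sock_group = "libvirtd"
unix_sock_ro_perms = "0777"
#unix_sock_rw_perms = "0777"
unix_sock_rw_perms = "0770"
'''

def parse_conf(text):
    """Return key -> value for `key = "value"` lines; commented lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([a-z_]+)\s*=\s*"([^"]*)"', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def can_connect(mode, sock_group, user, groups):
    """connect() on a UNIX socket needs write permission on the socket file.
    Assumption: the socket is owned by root, so a non-root user is judged by
    the group bits if they are in sock_group, otherwise by the 'other' bits."""
    if user == "root":
        return True
    write_bit = 0o020 if sock_group in groups else 0o002
    return bool(mode & write_bit)

def access(conf_text, user, groups):
    """Which libvirt sockets the account can open under this configuration."""
    conf = parse_conf(conf_text)
    group = conf["unix_sock_group"]
    ro_mode = int(conf["unix_sock_ro_perms"], 8)
    rw_mode = int(conf["unix_sock_rw_perms"], 8)
    return {
        "read_only": can_connect(ro_mode, group, user, groups),
        "read_write": can_connect(rw_mode, group, user, groups),
    }

def viewer_only(conf_text, user, groups):
    """True when the account gets the read-only socket and nothing more."""
    a = access(conf_text, user, groups)
    return a["read_only"] and not a["read_write"]

if __name__ == "__main__":
    for user, groups in [("alice", {"users"}), ("bob", {"users", "libvirtd"})]:
        print(user, access(SAMPLE_CONF, user, groups))
```
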