[libvirt] Group for accessing one/all VM graphics and not virsh

Daniel P. Berrange berrange at redhat.com
Tue Dec 6 10:12:59 UTC 2011


On Mon, Dec 05, 2011 at 06:41:54PM +0100, Reeted wrote:
> Hello libvirt people,
> 
> is there a (preferably simple) way in Linux to allow a certain set
> of users to be able to do:
> 
> virt-viewer --connect qemu+ssh://username@virthost/system vmname
> 
> for connecting to virt-viewer BUT without letting them do all the
> other things that can be done with virsh?
> 
> I know that if I add them to the libvirtd and kvm groups, they will
> be able to connect with virt-viewer to any virtual machine AND ALSO
> do any virsh command on any virtual machine. This is too much
> permission.
> 
> I can accept the first part (a way to allow a group of users to
> connect with virt-viewer to all the virtual machines of the host)
> since more restriction can be enforced by using VNC passwords... But
> if they are also able to do anything in virsh that's too much.


virt-viewer only requires a read-only connection to libvirt. So
you only need to give them permissions to access the read-only
UNIX domain socket.


I'm currently working on finer grained access controls for libvirt
that will allow even tighter restrictions in the future, but that's
a couple of months away.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
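
A check for the separation described in the reply above, added here as an example and not part of the original message: it evaluates whether an account can reach libvirt's read-only socket but not the read-write one, judging by file mode bits alone. It assumes the daemon's usual socket names `libvirt-sock` and `libvirt-sock-ro` (not named in the thread) and that no ACLs or polkit rules are in play; the uid and directory in the demo are constructed.

```python
import os
import stat
import tempfile

RW_SOCKET = "libvirt-sock"      # full management API (assumed default name)
RO_SOCKET = "libvirt-sock-ro"   # read-only API (assumed default name)


def _allowed(st, uid, gids, want):
    """Apply owner/group/other selection; `want` is an "other"-class bit."""
    if uid == 0:
        return True                                  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & (want << 6))        # owner class
    if st.st_gid in gids:
        return bool(st.st_mode & (want << 3))        # group class
    return bool(st.st_mode & want)                   # other class


def can_connect(path, uid, gids):
    """connect() needs search (x) on the directory and write (w) on the socket.
    Only the immediate parent is checked; ACLs and polkit are ignored."""
    if not _allowed(os.stat(os.path.dirname(path)), uid, gids, stat.S_IXOTH):
        return False
    return _allowed(os.stat(path), uid, gids, stat.S_IWOTH)


def audit(sock_dir, uid, gids):
    """Return (ro_reachable, rw_reachable, verdict) for one account."""
    ro = can_connect(os.path.join(sock_dir, RO_SOCKET), uid, gids)
    rw = can_connect(os.path.join(sock_dir, RW_SOCKET), uid, gids)
    if rw:
        return ro, rw, "FULL: can reach the read-write socket"
    if ro:
        return ro, rw, "READ-ONLY: viewer-level access only"
    return ro, rw, "NONE: cannot reach either socket"


if __name__ == "__main__":
    # Constructed stand-in for the libvirt socket directory: plain files
    # carrying the modes under test (only the mode bits are evaluated).
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    for name, mode in ((RW_SOCKET, 0o700), (RO_SOCKET, 0o777)):
        open(os.path.join(d, name), "w").close()
        os.chmod(os.path.join(d, name), mode)
    viewer_uid = os.stat(d).st_uid + 1000   # hypothetical non-owner account
    print(audit(d, viewer_uid, set()))
```

On a real host, call `audit()` with the daemon's socket directory and the uid and group ids of the account being reviewed.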



