[libvirt] Implementing VNC per VM access control lists
Daniel P. Berrange
berrange at redhat.com
Tue Jan 4 16:22:40 UTC 2011
On Wed, Dec 29, 2010 at 04:45:26PM +0000, Neil Wilson wrote:
> Hi,
>
> At the moment SASL VNC authentication in libvirt allows any of the
> userids to access any of the VNC consoles on a particular libvirt host.
> There is a section in the qemu_command code marked "TODO: Support ACLs
> later" and we would really like the ability to have per VM user
> authorization to the VNC console from within libvirt.
>
> Essentially the people who are accessing the VNC consoles are not
> administrators and have no access to the Host server - so these ACLs
> need to be completely based on a separate list of userids to any access
> mechanism for the libvirtd itself.
>
> Given that the VNC restrictions are enforced within qemu from the
> monitor system, I'm presuming the authorization list is going to have to
> be passed in via XML and be capable of being updated throughout the life
> of a VM session. Unless there's another way of doing it...
>
> What's the feeling about how this feature should be provided within
> libvirt?
Well I'd like us to have fine grained access control across users,
objects & operations, probably using the role based access control
model. Once you have such fine grained access control, then I
don't believe you have a clearcut boundary between users of libvirtd
and users of VNC. eg, you may well give the VNC admin access to the
'virDomainDestroy' and 'virDomainStart' commands for his own domains,
but not other people's domains. So I think we should think about the
solution to the authorization problem for both libvirtd & VNC at the
same time.
Regards,
Daniel
More information about the libvir-list
mailing list