libvirt ACLs


I was looking at /etc/libvirt/libvirtd.conf on a RHEL 7.0 machine (libvirt 1.1.1) and a RHEL 7.1 beta machine (libvirt 1.2.8), and I saw that there is an option to enable libvirt ACLs.

# Change the API access control scheme
#
# By default an authenticated user is allowed access
# to all APIs. Access drivers can place restrictions
# on this. By default the 'nop' driver is enabled,
# meaning no access control checks are done once a
# client has authenticated with libvirtd
#
#access_drivers = [ "polkit" ]

However, I cannot find any documentation on libvirt ACLs in the RHEL documentation. I can only find libvirt project documentation and some info from the Fedora project.
http://libvirt.org/aclpolkit.html
http://libvirt.org/acl.html
http://fedoraproject.org/wiki/Changes/Virt_ACLs
http://fedoraproject.org/wiki/QA:Testcase_Virt_ACLs

As a sysadmin who maintains only 1 RHEL KVM host at work (and therefore would not use full-blown RHEV), this sounds like a great feature. Has anyone used libvirt ACLs successfully?

Responses

Hi Mike,
I document the Libvirt/Virtualization information for RHEL 7. To better answer your question, why do you want access to the libvirt API and what are you trying to do with it?

Laura

Hi Laura,

In the future, I want to configure a libvirt/KVM host so that it can run both VMs that the sysadmins manage, and VMs that the developers manage. Currently, it is only running sysadmin-managed VMs.

The developers should be prohibited from doing the following with their VMs, and I am hoping that I can prohibit them via ACLs:
1. Make any changes to the sysadmin-managed VMs. (Perhaps using rules based on the name of the VM? ("domain_name"))
2. Connect the developer-managed VMs to the bridged Ethernet adapter. (They should be able to connect them to the isolated network though.)
3. Store developer-managed VMs on one specific storage domain (there will be a different storage domain that they can use.)

Thanks,
-Mike
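
An added example (not part of the thread) of a polkit rule for item 1 in the list above, written in the JavaScript that polkit rules files use and keyed on the `domain_name` attribute. The group `developers`, the `dev-` name prefix and the `makeAction`/`makeSubject` helpers are assumptions made for illustration, and the rule only takes effect with `access_drivers = [ "polkit" ]` enabled.

```javascript
// Added example, not from the thread. "developers" and "dev-" are assumed names.
// Stand-in for polkitd's global `polkit` object so the rule runs under Node;
// a deployed rules file would hold only the rule function and addRule call.
var polkit = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", NO: "no" },
    rules: [],
    addRule: function (fn) { this.rules.push(fn); }
};

var DEV_GROUP = "developers";   // assumed Unix group for developer accounts
var DEV_PREFIX = "dev-";        // assumed naming convention for developer VMs

function libvirtDomainAcl(action, subject) {
    // Decide only on per-domain libvirt API actions made by developers;
    // returning nothing leaves the decision to other rules and defaults.
    if (action.id.indexOf("org.libvirt.api.domain.") !== 0) return undefined;
    if (!subject.isInGroup(DEV_GROUP)) return undefined;

    var name = action.lookup("domain_name");
    var driver = action.lookup("connect_driver");
    // Fail closed: missing attributes or a name without the prefix is denied.
    if (driver === "QEMU" && typeof name === "string" &&
        name.indexOf(DEV_PREFIX) === 0) {
        return polkit.Result.YES;
    }
    return polkit.Result.NO;
}
polkit.addRule(libvirtDomainAcl);

// Constructed request objects for offline checks (mimic polkit's action/subject).
function makeAction(id, attrs) {
    return { id: id, lookup: function (key) { return attrs[key]; } };
}
function makeSubject(user, groups) {
    return { user: user, isInGroup: function (g) { return groups.indexOf(g) !== -1; } };
}
```

Members of the assumed group get a decision only for domain actions; requests from other users and for other object types fall through to whatever other rules and defaults are in place.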

Hi Mike,
Thanks for getting back to me so quickly.
Some additional questions:
How are you planning to manage the VMs?
How many VMs do you plan to deploy?
Thanks in advance
Laura

Hi Laura,

  1. Via virt-manager, and possibly virsh. Developers will probably use virt-viewer for Windows too.
  2. Between 5 and 10 VMs. The developer-managed VMs will likely be created and deleted often.

Thank you,
-Mike

Hi Mike,
Thanks for all the information. I am working with the libvirt team and will have a reply for you shortly.
Best Regards,
Laura

Hi Mike,
The best thing for you to do is to open a case with the customer portal. Please click this link - https://access.redhat.com/support/cases/#/case/new?intcmp=hp|a|a3|case& and fill in the form.
I appreciate your patience and hope this will be resolved to your satisfaction.
Thanks again,
Laura

Hi Mike,
I have not seen a new comment from you about this issue. Have you filed a case? Has it been solved? Please let me know so I can direct you to the person who can help.
Thanks
Laura
