On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange <berra...@redhat.com> wrote:
> On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
>> Thanks. If I may just hijack this thread: is it possible to whitelist
>> groups instead of individual users to use virsh/virtual manager?
>> I know sasl only deals with the authentication stuff, but here you are
>> also authorizing in the whitelist. If this authorization could go
>> further to allow ipa groups, that would be ideal from an admin point
>> of view ;-)
> It is desirable, but we don't have any way to find out information about
> groups. The authorization problem is something we've yet to really get
> a good pluggable solution for, though perhaps policykit would help here.
Well, if I create a policykit policy like this:
[libvirt Management Access]
and I create an ipa group, I can achieve in fact what I want. Members
of the group may use virsh and if you have a kerberos ticket it is
truly sso (I get a ticket from ssh, libvirt and vnc) with the original
configuration (so no sasl, just using ssh).
Freeipa-users mailing list
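
The group-based authorization discussed in this thread, as an added example that is not part of the original messages and is not the poster's policy (whose body is not shown on the page): a simplified Python model of how a polkit local-authority (`.pkla`) entry is matched against a user's groups. The group name `virtadmins`, the sample entry and the `authorize` helper are assumptions made for illustration; `org.libvirt.unix.manage` is libvirt's polkit action for read-write access to the local socket.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample entry; "virtadmins" is a placeholder group name.
SAMPLE_PKLA = """\
[libvirt Management Access]
Identity=unix-group:virtadmins
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
"""

# Session kind -> key consulted. Clients that are not on a local console
# (for example a user arriving over ssh) are decided by ResultAny.
RESULT_KEY = {"any": "ResultAny", "inactive": "ResultInactive",
              "active": "ResultActive"}


def _globs(value):
    """Split a semicolon-separated .pkla value into its glob patterns."""
    return [g.strip() for g in value.split(";") if g.strip()]


def authorize(pkla_text, user, groups, action, session="any"):
    """Return the result of the last entry matching identity and action,
    or None when no entry applies (polkit then falls back to the action's
    built-in defaults). Simplified model, not polkit's own code."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case: Identity, Action, ResultAny
    cp.read_string(pkla_text)

    identities = {f"unix-user:{user}"} | {f"unix-group:{g}" for g in groups}
    key = RESULT_KEY[session]
    result = None
    for name in cp.sections():
        entry = cp[name]
        id_ok = any(fnmatchcase(i, g)
                    for g in _globs(entry.get("Identity", ""))
                    for i in identities)
        act_ok = any(fnmatchcase(action, g)
                     for g in _globs(entry.get("Action", "")))
        if id_ok and act_ok and key in entry:
            result = entry[key]  # later entries override earlier ones
    return result
```

Because the entry names a group rather than users, access is granted or revoked by changing group membership alone, which is the behaviour the message describes.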