On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange <berra...@redhat.com> wrote:
> On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:

>> Thanks. If I may just hijack this thread: is it possible to whitelist
>> groups instead of individual users to use virsh/virtual manager?
>>
>> I know sasl only deals with the authentication stuff, buy here you are
>> also authorizing in the whitelist. If this authorization could go
>> further to allow ipa groups, that would be ideal from an admin point
>> of view ;-)
>
> It is desirable, but we don't have any way to find out information about
> groups. The authorization problem is something we've yet to really get
> a good pluggable solution for, though perhaps policykit would help here.

well, if I create a policykit policy like this:

/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla

[libvirt Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

and I create  an ipa group, I can achieve in fact what I want. Members
of the group may use virsh and if you have a kerberos ticket it is
truly sso (I get a ticket from ssh, libvirt and vnc) with the original
configuration (so no sasl, just using ssh).

-- 
groet,
natxo

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to