On Fri, Nov 30, 2012 at 06:56:28PM +0100, Natxo Asenjo wrote:
> On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange <berra...@redhat.com>
> wrote:
> > On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
> >
> >> Thanks. If I may just hijack this thread: is it possible to whitelist
> >> groups instead of individual users to use virsh/virtual manager?
> >>
> >> I know sasl only deals with the authentication stuff, but here you are
> >> also authorizing in the whitelist. If this authorization could go
> >> further to allow ipa groups, that would be ideal from an admin point
> >> of view ;-)
> >
> > It is desirable, but we don't have any way to find out information about
> > groups. The authorization problem is something we've yet to really get
> > a good pluggable solution for, though perhaps policykit would help here.
>
> well, if I create a policykit policy like this:
>
> /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
>
> [libvirt Management Access]
> Identity=unix-group:libvirt
> Action=org.libvirt.unix.manage
> ResultAny=yes
> ResultInactive=yes
> ResultActive=yes
>
> and I create an ipa group, I can achieve in fact what I want. Members
> of the group may use virsh and if you have a kerberos ticket it is
> truly sso (I get a ticket from ssh, libvirt and vnc) with the original
> configuration (so no sasl, just using ssh).
Yep, as you say, this only works for real UNIX users. We basically want to
make it possible to do the same, but using the SASL / GSSAPI users instead.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
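The reason the .pkla approach above works for IPA groups over ssh but not for SASL/GSSAPI logins is that polkit only ever sees a UNIX user name and its group names. The following is an added example written for this thread (it is not code from polkit, libvirt or FreeIPA): a simplified evaluator for the .pkla format that reads the stanza quoted above and answers whether a given subject would be granted org.libvirt.unix.manage. It assumes the documented .pkla keys (Identity, Action, ResultAny, ResultInactive, ResultActive), that later stanzas override earlier ones, and that "*" globbing is permitted in names; the contractor stanza, the subjects and the Kerberos principal are constructed for illustration.

```python
"""Simplified model of how a polkit .pkla file authorizes a caller.

Added example for this thread; it is not code from polkit or libvirt.
It follows the documented .pkla keys (Identity, Action, ResultAny,
ResultInactive, ResultActive) and shows why group-based authorization
only works for real UNIX identities: polkit matches a subject only by
its UNIX user name and group names, so a SASL/GSSAPI principal with no
local account matches nothing.  Assumptions: later stanzas override
earlier ones, and '*' globbing in names is allowed.
"""
import configparser
import fnmatch
from dataclasses import dataclass, field
from typing import Optional

# The .pkla file quoted in the thread.
PKLA = """\
[libvirt Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
"""

# Constructed second stanza (not from the thread) showing a later, more
# specific entry overriding the group grant for a single user.
PKLA_WITH_OVERRIDE = PKLA + """
[Deny contractor]
Identity=unix-user:contractor
Action=org.libvirt.unix.*
ResultAny=no
"""


@dataclass(frozen=True)
class Subject:
    """What polkit actually sees: a UNIX user name and its group names."""
    user: str
    groups: frozenset = field(default_factory=frozenset)


def identity_matches(identity: str, subject: Subject) -> bool:
    """One Identity entry: unix-user:NAME or unix-group:NAME."""
    kind, _, name = identity.partition(":")
    if kind == "unix-user":
        return fnmatch.fnmatchcase(subject.user, name)
    if kind == "unix-group":
        return any(fnmatch.fnmatchcase(g, name) for g in subject.groups)
    return False  # a Kerberos principal or SASL login is not an identity kind


def _split(value: str) -> list:
    """Split a semicolon-separated .pkla value into its non-empty items."""
    return [item.strip() for item in value.split(";") if item.strip()]


def evaluate(pkla_text: str, subject: Subject, action: str,
             session: str = "active") -> Optional[str]:
    """Result for (subject, action), or None when no stanza matches.

    session is 'active', 'inactive' or 'any'.  A stanza lacking the
    session-specific key falls back to ResultAny.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case so ResultAny is not folded
    parser.read_string(pkla_text)
    key = {"active": "ResultActive", "inactive": "ResultInactive"}.get(
        session, "ResultAny")
    result = None
    for name in parser.sections():
        stanza = parser[name]
        if not any(identity_matches(i, subject)
                   for i in _split(stanza.get("Identity", ""))):
            continue
        if not any(fnmatch.fnmatchcase(action, a)
                   for a in _split(stanza.get("Action", ""))):
            continue
        result = stanza.get(key, stanza.get("ResultAny"))  # later wins
    return result


if __name__ == "__main__":
    admin = Subject("natxo", frozenset({"natxo", "libvirt"}))
    principal = Subject("natxo@EXAMPLE.COM")  # constructed SASL/GSSAPI login
    print(evaluate(PKLA, admin, "org.libvirt.unix.manage"))      # yes
    print(evaluate(PKLA, principal, "org.libvirt.unix.manage"))  # None
```

On a live host the equivalent question is asked of the real daemon with `pkcheck --action-id org.libvirt.unix.manage --process <pid>`; the model above is only for reasoning about which stanza applies, and its result of None for the principal is the gap Daniel describes: without a local UNIX account there is no user or group name for the Identity line to match.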