Excuse me for renewing this discussion, but I am curious if you would add new module, which will be able to process users not based on unix processes, from where do you plan to get usernames? I mean, virt-manager could give them, as there is authentication in GUI, but for example when using oVirt, none of the usernames reach libvirt through the communication between server and nodes.
2018-05-09 14:46 GMT+03:00 Anastasiya Ruzhanskaya < anastasiya.ruzhansk...@frtk.ru>: > Great, thanks for pointing this out. I will certainly look at it. > > 2018-05-09 14:41 GMT+03:00 Daniel P. Berrangé <berra...@redhat.com>: > >> On Wed, May 09, 2018 at 10:00:19AM +0100, Daniel P. Berrangé wrote: >> > On Wed, May 09, 2018 at 11:50:33AM +0300, Anastasiya Ruzhanskaya wrote: >> > > Here https://libvirt.org/acl.html is stated that you designed this >> access >> > > control system as pluggable. Are there any options ( even with >> modifying >> > > libvirt code) to plug in any custom driver? >> > > I just need to take a try and design something that will support >> remote >> > > access control. >> > > I am not sure if sVirt is the right thing I should look at. >> > >> > It is pluggable in the sense that we can write more backends for it >> > without having to refactor the rest of libvirt codebase. It isn't >> > pluggable from POV of an end user wishing to change it - it needs >> > contribution to libvirt code to add more options. >> > >> > I did look at creating an SELinux plugin many years ago, but the >> > number of new SELinux AVs to be defined was huge and I wasn't sure >> > the complexity of policy would be practical to handle in real world. >> > Also, SELinux with TCP adds an extra level of complexity as you now >> > need to figure out IPSec setup to pass SELinux labels across the >> > network from the client. >> > >> > Probably what we would more usefully add is a simple RBAC based >> > module natively in libvirt. >> >> I forgot to say that if you want to look at writing a new impl the code >> is kept in $GIT/src/access/. >> >> The current polkit impl is viraccessdriverpolkit.c. Implementing a new >> driver involves creating a new source file with a virAccessDriver >> struct that contains pointers to the methods that implement the desired >> logic. >> >> >> Regards, >> Daniel >> -- >> |: https://berrange.com -o- https://www.flickr.com/photos/ >> dberrange :| >> |: https://libvirt.org -o- >> https://fstop138.berrange.com :| >> |: https://entangle-photo.org -o- https://www.instagram.com/dber >> range :| >> > >
_______________________________________________ libvirt-users mailing list libvirt-users@redhat.com https://www.redhat.com/mailman/listinfo/libvirt-users
