Re: [libvirt] Question about more finer access control permission on libvirt
On Fri, May 16, 2008 at 10:36:09AM +0900, Atsushi SAKAI wrote:
> Hi, Dan
>
> Thank you for commenting this.
> I am eased to hear this.
> I also agree this issue has many tasks.
>
> p.s.
> I want to know the possibility of fine grained access control in libvirt,
> since our young guy is investigating the access control in Dom0-Xen.

For the libvirt MAC / fine grained ACL stuff I'm talking about, I don't want us to build something that is tied / specific to Xen. The goal in the work should be to build the support such that it can reasonably apply to all the drivers in libvirt, so we get coverage across Xen, KVM, LXC, etc. Perhaps it might integrate with the Xen XSM support, but it's too early to say whether XSM will be useful or not. KVM of course is just a user space process like any other, so it is trivially secured with existing SELinux support.

Regards,
Daniel.
--
|: Red Hat, Engineering, Boston -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] Question about more finer access control permission on libvirt
On Fri, May 09, 2008 at 09:49:19AM +0900, Atsushi SAKAI wrote:
> I have a question of libvirt with Polkit.
> Currently, the libvirt w/ Polkit has 2 access control permissions.
> (Read Only and Read Write)
> Have you planned to expand the access control more finer?
>
> In my use case, Policy should define by domain, operation, operator.
> Of course, operator is already considered on current libvirt w/ Polkit.
> So at this point, it needs to add domain and operation policy.
>
> The use case is for many (about 100 or more) domain operation.
> I just want to know how to minimize granting access control permission
> of each user on libvirt in future.

PolicyKit at this time is only used to authenticate local access from applications running in the host's desktop session. While it allows you to make up many fine grained permissions, it doesn't let you dynamically associate the permissions with individual objects. e.g. there is a PolicyKit check to determine whether a user is allowed to mount removable disks - that applies to all removable disks - you can say disk A, but not disk B.

While we could add lots more privileges than just read-write and read-only, this would only get us part way to where we really need to be. The ideal goal is that we can have fine grained privileges applied to individual virtual machines, storage pools, networks, etc.

The only framework that really comes close to this level of flexibility is SELinux, so one of the long term TODO items is to investigate whether we can integrate with SELinux for fine grained access control. As an example, DBus uses SELinux to control who can access services on the system bus, and what actions they can perform. Another example is SEPostgresql, which uses SELinux to control access to individual tuples and columns in the database. So it is clearly able to provide the flexibility we need and scales to huge performance critical applications such as databases.

This doesn't make it a quick or easy task to use in libvirt though. It'll involve a lot of thought, design and development. In the meantime, it is possible that PolicyKit might actually gain the ability to apply authorization to individual objects, and also gain ability to use SELinux as its underlying policy engine. So we have to watch what happens there too.

There's not really any firm timeline for any of this work, but it's stuff we definitely want to get into libvirt.

Dan.
--
|: Red Hat, Engineering, Boston -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

Re: [libvirt] Question about more finer access control permission on libvirt
Hi, Dan

Thank you for commenting this.
I am eased to hear this.
I also agree this issue has many tasks.

p.s.
I want to know the possibility of fine grained access control in libvirt,
since our young guy is investigating the access control in Dom0-Xen.

Thanks
Atsushi SAKAI

Daniel P. Berrange [EMAIL PROTECTED] wrote:
> On Fri, May 09, 2008 at 09:49:19AM +0900, Atsushi SAKAI wrote:
> > I have a question of libvirt with Polkit.
> > Currently, the libvirt w/ Polkit has 2 access control permissions.
> > (Read Only and Read Write)
> > Have you planned to expand the access control more finer?
> >
> > In my use case, Policy should define by domain, operation, operator.
> > Of course, operator is already considered on current libvirt w/ Polkit.
> > So at this point, it needs to add domain and operation policy.
> >
> > The use case is for many (about 100 or more) domain operation.
> > I just want to know how to minimize granting access control permission
> > of each user on libvirt in future.
>
> PolicyKit at this time is only used to authenticate local access from
> applications running in the host's desktop session. While it allows you
> to make up many fine grained permissions, it doesn't let you dynamically
> associate the permissions with individual objects. e.g. there is a
> PolicyKit check to determine whether a user is allowed to mount removable
> disks - that applies to all removable disks - you can say disk A, but not
> disk B.
>
> While we could add lots more privileges than just read-write and read-only,
> this would only get us part way to where we really need to be. The ideal
> goal is that we can have fine grained privileges applied to individual
> virtual machines, storage pools, networks, etc.
>
> The only framework that really comes close to this level of flexibility
> is SELinux, so one of the long term TODO items is to investigate whether
> we can integrate with SELinux for fine grained access control. As an
> example, DBus uses SELinux to control who can access services on the
> system bus, and what actions they can perform. Another example is
> SEPostgresql, which uses SELinux to control access to individual tuples
> and columns in the database. So it is clearly able to provide the
> flexibility we need and scales to huge performance critical applications
> such as databases.
>
> This doesn't make it a quick or easy task to use in libvirt though. It'll
> involve a lot of thought, design and development. In the meantime, it is
> possible that PolicyKit might actually gain the ability to apply
> authorization to individual objects, and also gain ability to use SELinux
> as its underlying policy engine. So we have to watch what happens there too.
>
> There's not really any firm timeline for any of this work, but it's stuff
> we definitely want to get into libvirt.
>
> Dan.

[libvirt] Question about more finer access control permission on libvirt
Hi, Dan

I have a question of libvirt with Polkit.
Currently, the libvirt w/ Polkit has 2 access control permissions.
(Read Only and Read Write)
Have you planned to expand the access control more finer?

In my use case, Policy should define by domain, operation, operator.
Of course, operator is already considered on current libvirt w/ Polkit.
So at this point, it needs to add domain and operation policy.

The use case is for many (about 100 or more) domain operation.
I just want to know how to minimize granting access control permission
of each user on libvirt in future.

Any comment appreciated.

Thanks
Atsushi SAKAI