This pattern has come up a few times now:

ISP provides a Xen hosting service to customers. ISP wants to provide some basic statistics to their customers. The statistics could be provided to a customer through the libvirt remote protocol, eg:

  customer$ virsh -c xen://dom0/ dominfo mydom

But the problem with this is that (as libvirt is currently architected) _any_ access to dom0, if it authenticates, gives access to information from all domains.
We've previously discussed adding access control using something like SELinux (see for example: https://www.redhat.com/archives/libvir-list/2007-August/msg00030.html) but nothing much has come of it so far.
But can we solve the single common case above directly, without thwarting our ability to solve the bigger picture later?
My suggestion is that we add an option to /etc/libvirt/libvirtd.conf, something like:
  tls_restrict_dn: [ "DN1", "name:customer1", "DN2", "uuid:12345678", "DN3", "*" ]

with the meaning that (presumably a customer) connecting with certificate DN1 could only find out information about the domain "customer1", DN2 similarly, DN3 is a privileged client, and any other DN would be rejected.
(Compare and contrast to tls_allowed_dn_list: http://libvirt.org/remote.html#Remote_libvirtd_configuration)
An implementation of this would modify the call to virConnectOpen to add an additional flag (or call?) allowing the access control to be passed, and this would have to be checked in the relevant virDomain* calls.
This is not dissimilar to how read-only connections are implemented in libvirtd currently.
I would also suggest as a matter of course that we modify all public API calls in src/libvirt.c to add a call to a generic permission checking routine, for example:
int virDomainSuspend(virDomainPtr domain) { virConnectPtr conn; DEBUG("domain=%p", domain); if (!VIR_IS_CONNECTED_DOMAIN(domain)) { virLibDomainError(NULL, VIR_ERR_INVALID_DOMAIN, __FUNCTION__); return (-1); } - if (domain->conn->flags & VIR_CONNECT_RO) { - virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__); - return (-1); - } + if (!check_permission (domain, OP_SUSPEND)) return -1;With the initial implementation of check_permission just doing the VIR_CONNECT_RO check to start with, but able to do other checks in future.
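Review bot: the replacement line `if (!check_permission (domain, OP_SUSPEND)) return -1;` drops the `virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__)` call that the removed VIR_CONNECT_RO branch made, so the caller would get -1 with no error reported unless check_permission raises it itself; either have check_permission report VIR_ERR_OPERATION_DENIED (passing the calling function's name in, since __FUNCTION__ evaluated inside check_permission would name the wrong routine) or keep the error call at the call site. Since the same routine is proposed for every public API call in src/libvirt.c, OP_SUSPEND implies an enum that needs one value per operation, and the patch should introduce it rather than leave it implied.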
Also relevant to this is SASL support, see: https://www.redhat.com/archives/libvir-list/2007-November/msg00005.html since AIUI this changes the possible formats for Distinguished Names, or could even make DNs irrelevant.
Rich.

--
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SL4 1TE, United Kingdom.
Registered in England and Wales under Company Registration No. 03798903
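The DN-to-domain restriction proposed for tls_restrict_dn, and the generic check_permission routine the mail suggests folding the VIR_CONNECT_RO test into, as an added illustrative C example (not libvirt code). The rule table, the dn_may_access and check_permission names, the `enum op` values and the CONN_RO flag are assumptions standing in for libvirt's real structures.

```c
#include <stddef.h>
#include <string.h>

/* One entry of the proposed tls_restrict_dn list: a client certificate DN
 * paired with its restriction ("name:<dom>", "uuid:<uuid>" or "*").
 * Hypothetical data model, not libvirt's. */
struct dn_rule {
    const char *dn;
    const char *restriction;
};

/* Constructed sample table mirroring the example from the mail. */
static const struct dn_rule rules[] = {
    { "CN=customer1,O=ISP", "name:customer1" },
    { "CN=customer2,O=ISP", "uuid:12345678" },
    { "CN=admin,O=ISP",     "*" },
};

/* Return 1 if a client presenting certificate `dn` may see the domain
 * identified by `name`/`uuid`, 0 otherwise. A DN with no rule, or whose
 * rules match neither the name nor the uuid, is rejected (deny by default). */
int dn_may_access(const char *dn, const char *name, const char *uuid)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const char *r = rules[i].restriction;
        if (strcmp(rules[i].dn, dn) != 0)
            continue;
        if (strcmp(r, "*") == 0)
            return 1;                               /* privileged client */
        if (strncmp(r, "name:", 5) == 0 && strcmp(r + 5, name) == 0)
            return 1;
        if (strncmp(r, "uuid:", 5) == 0 && strcmp(r + 5, uuid) == 0)
            return 1;
    }
    return 0;
}

enum op { OP_INFO, OP_SUSPEND };   /* assumed operation identifiers */
#define CONN_RO 1u                 /* stands in for VIR_CONNECT_RO */

/* Hypothetical check_permission: first the existing read-only test
 * (a read-only connection may only query), then the per-DN restriction. */
int check_permission(unsigned conn_flags, const char *dn,
                     const char *name, const char *uuid, enum op op)
{
    if ((conn_flags & CONN_RO) && op != OP_INFO)
        return 0;
    return dn_may_access(dn, name, uuid);
}
```

With this table, `check_permission(0, "CN=customer1,O=ISP", "customer1", "abcd", OP_SUSPEND)` returns 1, while the same certificate asking about "customer2" returns 0, and any DN absent from the table is refused regardless of the operation.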
--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list