On Fri, May 09, 2008 at 09:49:19AM +0900, Atsushi SAKAI wrote:
> I have a question of libvirt with Polkit.
> Currently, the libvirt w/ Polkit has 2 access control permissions.
> (Read Only and Read Write)
>
> Have you planned to make the access control finer?
> In my use case, Policy should be defined by domain, operation, operator.
> Of course, operator is already considered on current libvirt w/ Polkit.
> So at this point, it needs to add domain and operation policy.
>
> The use case is for many (about 100 or more) domain operation.
>
> I just want to know how to minimize granting access control permission
> of each user on libvirt in future.

PolicyKit at this time is only used to authenticate local access from
applications running in the host's desktop session. While it allows you
to make up many fine grained permissions, it doesn't let you dynamically
associate the permissions with individual objects. e.g. there is a
policykit check to determine whether a user is allowed to mount removable
disks - that applies to all removable disks - you can say disk A, but not
disk B.

While we could add lots more privileges than just read-write and read-only
this would only get us part way to where we really need to be. The ideal
goal is that we can have fine grained privileges applied to individual
virtual machines, storage pools, networks, etc.

The only framework that really comes close to this level of flexibility
is SELinux, so one of the long term TODO items is to investigate whether
we can integrate with SELinux for fine grained access control. As an
example DBus uses SELinux to control who can access services on the
system bus, and what actions they can perform. Another example is
SEPostgresql which uses SELinux to control access to individual tuples &
columns in the database. So it is clearly able to provide the flexibility
we need and scales to huge performance critical applications such as
databases.

This doesn't make it a quick or easy task to use in libvirt though.
It'll involve a lot of thought, design & development. In the meantime,
it is possible that PolicyKit might actually gain the ability to apply
authorization to individual objects, and also gain ability to use SELinux
as its underlying policy engine. So we have to watch what happens there
too.

There's not really any firm timeline for any of this work, but it's stuff
we definitely want to get into libvirt.

Dan.
-- 
|: Red Hat, Engineering, Boston -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|