The policy checker uses two files. Role_definition.xml defines which VMs a role is allowed to operate on, and how. User_definition.xml defines which roles are available to a user. Operations are currently represented by numbers; they are defined in src/xr_internal.h in the libvirt part, though that file is hardly readable.
<?xml version="1.0" ?>
<!-- Role_definition.xml: defines, per role, which VMs the role may operate on
     (ManageVM) and which operations it may perform on them (ControlOperation).
     Operation ids are numeric; their meaning is given by src/xr_internal.h on
     the libvirt side, so every id below has to be cross-checked there.
     The document carries no DOCTYPE and uses no entities; consumers should
     parse it with DTD processing and external entity resolution disabled. -->
<RolePolicyDefinition>
  <RolePolicyHeader>
    <!-- Format version of this policy file. -->
    <Version>2.0</Version>
  </RolePolicyHeader>
  <RoleDefinition>
    <!-- UserAdmin: scope is every VM (type="whole"); only operation 16 is
         accepted. -->
    <Role name="UserAdmin">
      <PolicyID id="ee6b8747-8789-445e-a660-2e1ee034930e"/>
      <ManageVM type="whole"/>
      <ControlOperation>
        <!-- Accept lists the permitted operation ids. Only Accept lists appear
             in this file; NOTE(review): whether an id that is not listed is
             denied by default is decided by the checker, not by this document,
             so confirm that against the checker implementation. -->
        <Accept>
          <operation id="16"/>
        </Accept>
      </ControlOperation>
    </Role>
    <!-- PolicyAdmin: same scope and same single accepted operation as
         UserAdmin; in this file the two roles differ only by PolicyID. -->
    <Role name="PolicyAdmin">
      <PolicyID id="607c3ecd-9765-4712-9b5b-18e818189564"/>
      <ManageVM type="whole"/>
      <ControlOperation>
        <Accept>
          <operation id="16"/>
        </Accept>
      </ControlOperation>
    </Role>
    <!-- HostOSManager: scope is restricted to the single VM Domain-0
         (type="individual" with an explicit VM list), with a larger set of
         accepted operation ids. -->
    <Role name="HostOSManager">
      <PolicyID id="719e3158-29e3-427e-b609-929a3064616f"/>
      <ManageVM type="individual">
        <VM name="Domain-0"/>
      </ManageVM>
      <ControlOperation>
        <Accept>
          <operation id="16"/>
          <operation id="17"/>
          <operation id="18"/>
          <operation id="19"/>
          <operation id="20"/>
          <operation id="21"/>
          <operation id="22"/>
          <operation id="23"/>
          <operation id="31"/>
          <operation id="33"/>
          <operation id="36"/>
          <operation id="37"/>
          <operation id="38"/>
          <operation id="39"/>
          <operation id="41"/>
          <operation id="61"/>
          <operation id="62"/>
          <operation id="63"/>
        </Accept>
      </ControlOperation>
    </Role>
  </RoleDefinition>
</RolePolicyDefinition>
<?xml version="1.0" ?>
<!-- User_definition.xml: maps each user to the role it holds. The role names
     used here correspond to Role/@name entries in Role_definition.xml; the
     mapping grants nothing beyond what that role's Accept list allows. -->
<UserConfiguration>
  <!-- Every User in this file carries exactly one UserRole; NOTE(review):
       whether the checker honours several UserRole children per User is not
       visible from this document. -->
  <User name="user-admin">
    <UserRole role="UserAdmin"/>
  </User>
  <User name="policy-admin">
    <UserRole role="PolicyAdmin"/>
  </User>
  <!-- root is bound to HostOSManager, whose scope in Role_definition.xml is
       the single VM Domain-0. -->
  <User name="root">
    <UserRole role="HostOSManager"/>
  </User>
</UserConfiguration>