On Thu, Apr 06, 2017 at 03:09:12PM +0300, Vasiliy Tolstov wrote:
> 2017-04-06 15:06 GMT+03:00 Vasiliy Tolstov <v.tolstov@xxxxxxxxx>:
> >> We already have a fine grained access control system that can be used to
> >> restrict feature access...
> >
>
> Also I don't think that libvirt access control has the ability to deny
> access based on function and payload. For example I need to deny for
> some users the ability to create a domain with memory more than 10G or
> a network with type nat.

Trying to do that kind of config access control at the libvirt API level
is doomed to failure. The ability to pass in an XML document describing
a guest gives you privileges equivalent to root. There are so many ways
you can use the XML document to give a guest access to host resources
that trying to do access restrictions based on XML content is impractical.
You are inevitably going to miss the existence of certain XML features
and thus think you have a locked down system where in fact you've left
plenty of backdoors to exploit it. Every time QEMU or libvirt are upgraded,
new features are introduced, so again what you thought was secure may now
suddenly be insecure. This is why we explicitly don't expose this info to
the access control framework.

You need to have a much higher level representation of the guest
configuration data & related resources in order to do practical access
control on usage of individual guest config features.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
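
A sketch of the "higher level representation" approach described in the reply above, added here as an illustration; it is not part of the original message and is not libvirt code. Users submit a small typed request, policy is checked on those fields, and only the trusted layer writes domain XML. The field names, the vCPU cap and the network names are assumptions; the 10 GiB limit is the figure from the thread.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Policy values: 10 GiB comes from the thread; the rest are hypothetical.
MAX_MEMORY_GIB = 10
MAX_VCPUS = 8
ALLOWED_NETWORKS = {"tenant-isolated", "tenant-routed"}  # admin-defined, none NAT

@dataclass(frozen=True)
class GuestRequest:
    """Everything a user may choose. There is no field for raw XML."""
    name: str
    memory_gib: int
    vcpus: int
    network: str

def violations(req):
    """Return a list of policy violations; an empty list means allowed."""
    found = []
    if not (isinstance(req.name, str) and req.name.isascii()
            and req.name.isalnum() and len(req.name) <= 32):
        found.append("name must be 1-32 ASCII alphanumerics")
    if type(req.memory_gib) is not int or not 1 <= req.memory_gib <= MAX_MEMORY_GIB:
        found.append("memory outside 1-%d GiB" % MAX_MEMORY_GIB)
    if type(req.vcpus) is not int or not 1 <= req.vcpus <= MAX_VCPUS:
        found.append("vcpus outside 1-%d" % MAX_VCPUS)
    if req.network not in ALLOWED_NETWORKS:
        found.append("network not in the approved set")
    return found

def render_domain_xml(req):
    """Build the domain XML from validated fields only (allowlist by construction)."""
    problems = violations(req)
    if problems:
        raise ValueError("; ".join(problems))
    dom = ET.Element("domain", type="kvm")
    ET.SubElement(dom, "name").text = req.name
    ET.SubElement(dom, "memory", unit="GiB").text = str(req.memory_gib)
    ET.SubElement(dom, "vcpu").text = str(req.vcpus)
    os_el = ET.SubElement(dom, "os")
    ET.SubElement(os_el, "type", arch="x86_64").text = "hvm"
    devices = ET.SubElement(dom, "devices")
    iface = ET.SubElement(devices, "interface", type="network")
    ET.SubElement(iface, "source", network=req.network)
    # Any element not emitted above cannot appear, whatever QEMU/libvirt add later.
    return ET.tostring(dom, encoding="unicode")
```

Because the XML is generated rather than filtered, a new libvirt or QEMU feature stays unreachable until someone adds a field and a policy rule for it.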