Re: Implementing VNC per VM access control lists

On Wed, Jan 05, 2011 at 11:01:38AM +0000, Neil Wilson wrote:
> On Tue, 2011-01-04 at 16:22 +0000, Daniel P. Berrange wrote:
> > Well I'd like us to have fine grained access control across users,
> > objects & operations, probably using the role based access control
> > model.  Once you have such fine grained access control, then I
> > don't believe you have a clear-cut boundary between users of libvirtd
> > and users of VNC. E.g., you may well give the VNC admin access to the
> > 'virDomainDestroy' and 'virDomainStart' commands for his own domains,
> > but not other people's domains. So I think we should think about the
> > solution to the authorization problem for both libvirtd & VNC at the
> > same time.
> 
> Have you got an RBAC library in mind that would take the group
> management outside of libvirt (like SASL does for authentication), or
> does it all need building? 

There's no general library that I'm aware of that'd be suitable.
In addition to the general access control solution, we'd like to
expand our SELinux support to cover MAC of the entire API (kinda
like SEPostgreSQL).

Regards,
Daniel

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

