On Mon, Dec 05, 2011 at 06:41:54PM +0100, Reeted wrote:
> Hello libvirt people,
>
> is there a (preferably simple) way in Linux to allow a certain set
> of users to be able to do:
>
> virt-viewer --connect qemu+ssh://username@virthost/system vmname
>
> for connecting to virt-viewer BUT without letting them do all the
> other things that can be done with virsh?
>
> I know that if I add them to the libvirtd and kvm groups, they will
> be able to connect with virt-viewer to any virtual machine AND ALSO
> do any virsh command on any virtual machine. This is too much
> permission.
>
> I can accept the first part (a way to allow a group of users to
> connect with virt-viewer to all the virtual machines of the host)
> since more restriction can be enforced by using VNC passwords... But
> if they are also able to do anything in virsh that's too much.

virt-viewer only requires a read-only connection to libvirt. So you
only need to give them permissions to access the read-only UNIX
domain socket.

I'm currently working on finer grained access controls for libvirt
that will allow even tighter restrictions in the future, but that's
a couple of months away.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
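
Added example, not part of the original message or of libvirt's own code: a Python check of which libvirt UNIX socket an account can open, to confirm that viewer accounts reach only the read-only socket described in the reply. The socket paths are the usual defaults and are assumed here, the uid/gid/mode values are constructed, and the check relies on Linux requiring write permission on a socket file to connect to it.

```python
import os
import stat
from collections import namedtuple

# Usual libvirtd socket locations (assumed; confirm on your own host).
RW_SOCK = "/var/run/libvirt/libvirt-sock"
RO_SOCK = "/var/run/libvirt/libvirt-sock-ro"

SockPerm = namedtuple("SockPerm", "mode uid gid")


def can_connect(perm, uid, gids):
    """True if the account may connect(): Linux requires write permission
    on the socket file, taken from the first matching permission class."""
    if uid == 0:
        return True
    if uid == perm.uid:
        return bool(perm.mode & stat.S_IWUSR)
    if perm.gid in gids:
        return bool(perm.mode & stat.S_IWGRP)
    return bool(perm.mode & stat.S_IWOTH)


def classify(rw, ro, uid, gids):
    """Return the libvirt access level the socket mode bits allow."""
    if can_connect(rw, uid, gids):
        return "full"       # read-write socket: any virsh command
    if can_connect(ro, uid, gids):
        return "read-only"  # what virt-viewer needs, per the reply above
    return "none"


def stat_socket(path):
    """Read mode and ownership of a real socket for use with classify()."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a UNIX socket")
    return SockPerm(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


# Constructed sample: both sockets owned by root, group gid 120 ("libvirtd").
SAMPLE_RW = SockPerm(0o770, 0, 120)
SAMPLE_RO = SockPerm(0o777, 0, 120)

if __name__ == "__main__":
    # uid 1001 is in the libvirtd group, uid 1002 is not (both constructed).
    print(classify(SAMPLE_RW, SAMPLE_RO, 1001, {1001, 120}))  # full
    print(classify(SAMPLE_RW, SAMPLE_RO, 1002, {1002}))       # read-only
```

On a real host, pass stat_socket(RW_SOCK) and stat_socket(RO_SOCK) to classify() with the account's uid and group ids. The check covers only the mode bits on the socket files, not directory permissions, ACLs or any further authentication configured in libvirtd.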