[release-notes] libvirt ACLs

Pete Travis immanetize at fedoraproject.org
Sat Oct 19 19:19:48 UTC 2013


commit 50d4bd48c5d9aa64fdca2002f88197f0d24ad825
Author: Pete Travis <immanetize at fedoraproject.org>
Date:   Sat Oct 19 13:19:42 2013 -0600

    libvirt ACLs

 en-US/Virtualization.xml |   18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)
---
diff --git a/en-US/Virtualization.xml b/en-US/Virtualization.xml
index d72dd21..c781b3a 100644
--- a/en-US/Virtualization.xml
+++ b/en-US/Virtualization.xml
@@ -22,6 +22,24 @@
     </title>
     <para />
 -->
+<section id="virtualization-libvirt-acl">
+  <title>Libvirt Client Access Control</title>
+  <para>
+    The <application>libvirt</application> client allows for the setting of permission rules which can be applied to all managed objects and API operations, thus allowing for all client connections to be limited to a minimal set of rules and privileges. There are three levels of access which can be assigned.
+  </para>
+  <para>
+    <literal>Unauthenticated</literal> access is initially used for all connections. This state allows all API operations that are required to complete authentication. Following a successful authentication, two more levels can be assigned: <literal>Unrestricted</literal>, which gives full access to all API operations, and <literal>Restricted</literal>, which allows read only access.
+  </para>
+  <para>
+    System administrators can set permission rules for authenticated connections. Every API call in libvirt has a set of permissions that are validated against the object that is being used. For example, User A wants to change a parameter in the domain object. When the user tries to save the change, virDomainSetSchedulerParametersFlags method will check whether the client has write permissions on the domain object. Additional checks and permission settings can be processed as well. Filtering can also be done to see which clients have permissions on which objects to allow for smother administration of permissions. 
+    </para>
+    <para>
+      The libvirtd.conf configuration file is responsible for setting the access permissions. It uses the access_drivers parameter to enable this operation. Note that if more than one access driver is requested, all must succeed in order for permission to be granted.
+      </para>
+      <para>
+	More information can be found at <ulink url="https://fedoraproject.org/wiki/Changes/Virt_ACLs" /> and <ulink url="http://libvirt.org/acl.html" />
+      </para>
+</section>
 
 <section id="virtualization-snapshopts">
   <title>Virt-manager snapshots</title>
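Review bot: The first added <para> says the libvirt client sets the permission rules, while the fourth says they are configured in libvirtd.conf, so the section should state plainly which side enforces the checks; as written, a reader could conclude that access control is a client-side setting. In the third paragraph, "smother administration" should read "smoother administration", and "virDomainSetSchedulerParametersFlags method" needs an article ("the ... method"). The identifiers virDomainSetSchedulerParametersFlags, libvirtd.conf and access_drivers are plain text while the rest of the section uses <application> and <literal>; wrapping them in <function>, <filename> and <literal> would keep the markup consistent. The fourth paragraph names access_drivers without showing a value, so an example setting would help an administrator who is trying to enable it. Smaller points: the closing </para> tags drift in indentation from the third paragraph on, the ulink line is indented with a tab, the third paragraph's text line ends in trailing whitespace, "read only" should be hyphenated, and the final sentence has no period.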

