Bug 1115289

Summary: Add example policykit rules for libvirt ACLs
Product: Red Hat Enterprise Linux 7 Reporter: Martin Tessun <mtessun>
Component: libvirtAssignee: Jiri Denemark <jdenemar>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: berrange, dyuan, jdenemar, knoel, mtessun, mzhan, rbalakri, yafu, zhwang
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-1.2.17-8.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 05:46:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Tessun 2014-07-02 06:50:23 UTC 
3. What is the nature and description of the request?  
   Add a possiblilty to virsh to add unix users or unix groups to some predefined or configurable roles.
   The solution of modifying policykit rules should be simplified by this approach.
   See  https://www.berrange.com/posts/2013/08/12/fine-grained-access-control-in-libvirt-using-polkit/ for
   more details on this
   Suggested Roles:
   * User:          May start/stop/migrate VMs and access the console
   * Operator:      May modify existing machines or create new machines.
   * Administrator: Like "root". Has full access to virsh commands.
      
4. Why does the customer need this? (List the business requirements here)  
   As the customer is using only virsh and no RHEV-M there is a business requirement in having these roles implemented.
   Manually adjusting the policy kit rules or building complex sudoers configurations is very time intensive and error prone.
      
5. How would the customer like to achieve this? (List the functional requirements here)  
   Add some directive to the virsh command to add Unix Users / Unix Groups to the appropriate role, e.g.
   # virsh policy add <User/Group> <role>
   # virsh policy remove <User/Group> <role>
   # virsh policy list [<user/Group>]

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
   If a User is added to a role, the user should be able to run the commands that are associated with the role.
   The virsh policy list command should show all roles a user is aligned to or (if no user is given) an alignment of all users/groups to the roles.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
   Not that I am aware of, but https://www.berrange.com/posts/2013/08/12/fine-grained-access-control-in-libvirt-using-polkit/
   shows a policykit approach.
      
8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  
   As usual ASAP, RHEL 6.x would be great.

9. Is the sales team involved in this request and do they have any additional input?  
   No.

10. List any affected packages or components.
    (libvirt), libvirt-client
      
11. Would the customer be able to assist in testing this functionality if implemented?
    Yes.
Comment 11 Jiri Denemark 2015-07-09 05:50:38 UTC 
Adding an example policy to libvirt documentation is not really a new feature.
Comment 12 Jiri Denemark 2015-09-07 10:54:24 UTC 
The example was added upstream by v1.2.19-19-g29b5167:

commit 29b5167417483ef80f6c3fce12811b59a1e2bd55
Author: Jiri Denemark <jdenemar>
Date:   Tue Aug 4 14:05:52 2015 +0200

    examples: Add example polkit ACL rules
    
    Creating ACL rules is not exactly easy and existing examples are pretty
    simple. This patch adds a somewhat complex example which defines several
    roles. Admins can do everything, operators can do basic operations
    on any domain and several groups of users who act as operators but only
    on a limited set of domains.
    
    Signed-off-by: Jiri Denemark <jdenemar>
Comment 15 zhenfeng wang 2015-09-14 09:14:38 UTC 
Verify this bug on libvirt-1.2.17-8.el7, verify steps as following
1.Create 4 users
#useradd user1
#useradd user2
#useradd user3
#useradd useradmin

2.Prepare 4 guests
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 -     rhel7.0                        shut off
 -     rhel7.2                        shut off
 -     vm1                            shut off
 -     vm2                            shut off


3.Enable the acl in the host
#cat /etc/libvirt/libvirtd.conf
access_drivers = [ "polkit" ]
auth_unix_rw = "none"
unix_sock_rw_perms = "0777"

#systemctl restart libvirtd


4.Copy example polkit ACL rules to /etc/polkit-1/rules.d/ directory
/usr/share/doc/libvirt-daemon-1.2.17/libvirt-acl.rules /etc/polkit-1/rules.d/

5.Modify the rules with following setting
<1.let user1 and user1's group only operate domain rhel7*
<2.let user2 and user2's group only operate domain vm*
<3.let user3 and user3's group could operate both domain rhel7* and domain vm*
<4.let useradmin have could operate all domains with all permissons 

#cat /etc/polkit-1/rules.d/libvirt-acl.rules
--
/* Basic operations and monitoring on a limited set of domains. */
var userA = new Role("userA");
userA.domains = /^rhel7/;
userA.users = ["user1"];
userA.groups = ["user1"];

var userB = new Role("userB");
userB.domains = /^vm/;
userB.users = ["user2"];
userB.groups = ["user2"];

--
/* Same as users but on any domain. */
var operator = new Role("operator");
operator.domains = /.*/;
operator.users = ["user3"];
operator.groups = ["user3"];

--
/* Full access. */
var admin = new Role("admin");
admin.users = ["useradmin"];
admin.groups = ["useradmin"];

6.login guest with user1, then connect the hyperv with system mode,
user1 can do all operations which defined in "restrictedActions"
in /etc/polkit-1/rules.d/libvirt-acl.rules by default, but only on
rhel7* guests

 virsh # list --all
 Id    Name                           State
----------------------------------------------------
 10    rhel7.0                        running
 11    rhel7.2                        running

7.login guest with user2, then connect the hyperv with system mode,
user1 can do all operations which defined in "restrictedActions"
in /etc/polkit-1/rules.d/libvirt-acl.rules by default, but only on
vm* guests

virsh # list --all
 Id    Name                           State
----------------------------------------------------
 12    vm1                            running
 13    vm2                            running

8.login guest with user3, then connect the hyperv with system mode,
user3 can do all operations which defined in "restrictedActions"
in /etc/polkit-1/rules.d/libvirt-acl.rules by default on all guests,
but couldn't do the ations outside  "restrictedActions"
virsh # list --all
 Id    Name                           State
----------------------------------------------------
 16    rhel7.0                        running
 17    rhel7.2                        running
 18    vm1                            running
 19    vm2                            running

virsh # net-destroy default
error: Failed to destroy network default
error: access denied

9.login guest with useradmin, then connect the hyperv with system mode,
useradmin can do all operations on all guests,

10.Add user1 to user2's group, then re-test step 7, user1 can do actions 
on domain vm*
virsh # list --all
 Id    Name                           State
----------------------------------------------------
 20    vm1                            running
 21    vm2                            running
 22    rhel7.2                        running
 23    rhel7.0                        running

11.Add user1 to useradmin's group, then re-test step7, user1 can operate
all operations on all domains

According to the upper steps, mark this bug verifed
Comment 17 errata-xmlrpc 2015-11-19 05:46:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html