Bug 1115289 - Add example policykit rules for libvirt ACLs
Summary: Add example policykit rules for libvirt ACLs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
Assignee: Jiri Denemark
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-07-02 06:50 UTC by Martin Tessun
Modified: 2019-09-12 07:55 UTC (History)

Fixed In Version: libvirt-1.2.17-8.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 05:46:12 UTC
Target Upstream Version:




Links: Red Hat Product Errata RHBA-2015:2202 (priority normal, status SHIPPED_LIVE) - libvirt bug fix and enhancement update, last updated 2015-11-19 08:17:58 UTC

Description Martin Tessun 2014-07-02 06:50:23 UTC
3. What is the nature and description of the request?  
   Add a possibility to virsh to add Unix users or Unix groups to some predefined or configurable roles.
   The solution of modifying policykit rules should be simplified by this approach.
   See https://www.berrange.com/posts/2013/08/12/fine-grained-access-control-in-libvirt-using-polkit/ for
   more details on this.
   Suggested Roles:
   * User:          May start/stop/migrate VMs and access the console
   * Operator:      May modify existing machines or create new machines.
   * Administrator: Like "root". Has full access to virsh commands.
      
4. Why does the customer need this? (List the business requirements here)  
   As the customer is using only virsh and no RHEV-M, there is a business requirement to have these roles implemented.
   Manually adjusting the policykit rules or building complex sudoers configurations is very time-intensive and error-prone.
      
5. How would the customer like to achieve this? (List the functional requirements here)  
   Add some directive to the virsh command to add Unix Users / Unix Groups to the appropriate role, e.g.
   # virsh policy add <User/Group> <role>
   # virsh policy remove <User/Group> <role>
   # virsh policy list [<user/Group>]

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
   If a User is added to a role, the user should be able to run the commands that are associated with the role.
   The virsh policy list command should show all roles a user is aligned to or (if no user is given) an alignment of all users/groups to the roles.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
   Not that I am aware of, but https://www.berrange.com/posts/2013/08/12/fine-grained-access-control-in-libvirt-using-polkit/
   shows a policykit approach.
      
8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  
   As usual ASAP, RHEL 6.x would be great.

9. Is the sales team involved in this request and do they have any additional input?  
   No.

10. List any affected packages or components.
    (libvirt), libvirt-client
      
11. Would the customer be able to assist in testing this functionality if implemented?
    Yes.

Comment 11 Jiri Denemark 2015-07-09 05:50:38 UTC
Adding an example policy to libvirt documentation is not really a new feature.

Comment 12 Jiri Denemark 2015-09-07 10:54:24 UTC
The example was added upstream by v1.2.19-19-g29b5167:

commit 29b5167417483ef80f6c3fce12811b59a1e2bd55
Author: Jiri Denemark <jdenemar@redhat.com>
Date:   Tue Aug 4 14:05:52 2015 +0200

    examples: Add example polkit ACL rules
    
    Creating ACL rules is not exactly easy and existing examples are pretty
    simple. This patch adds a somewhat complex example which defines several
    roles. Admins can do everything, operators can do basic operations
    on any domain and several groups of users who act as operators but only
    on a limited set of domains.
    
    Signed-off-by: Jiri Denemark <jdenemar@redhat.com>

Comment 15 zhenfeng wang 2015-09-14 09:14:38 UTC
Verified this bug on libvirt-1.2.17-8.el7; the verification steps are as follows:
1. Create 4 users
# useradd user1
# useradd user2
# useradd user3
# useradd useradmin

2. Prepare 4 guests
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 -     rhel7.0                        shut off
 -     rhel7.2                        shut off
 -     vm1                            shut off
 -     vm2                            shut off


3. Enable the ACL in the host
# cat /etc/libvirt/libvirtd.conf
access_drivers = [ "polkit" ]
auth_unix_rw = "none"
unix_sock_rw_perms = "0777"

# systemctl restart libvirtd


4. Copy the example polkit ACL rules to the /etc/polkit-1/rules.d/ directory
# cp /usr/share/doc/libvirt-daemon-1.2.17/libvirt-acl.rules /etc/polkit-1/rules.d/

5. Modify the rules with the following settings:
  1. let user1 and user1's group only operate domain rhel7*
  2. let user2 and user2's group only operate domain vm*
  3. let user3 and user3's group operate both domain rhel7* and domain vm*
  4. let useradmin operate all domains with all permissions

# cat /etc/polkit-1/rules.d/libvirt-acl.rules
--
/* Basic operations and monitoring on a limited set of domains. */
var userA = new Role("userA");
userA.domains = /^rhel7/;
userA.users = ["user1"];
userA.groups = ["user1"];

var userB = new Role("userB");
userB.domains = /^vm/;
userB.users = ["user2"];
userB.groups = ["user2"];

--
/* Same as users but on any domain. */
var operator = new Role("operator");
operator.domains = /.*/;
operator.users = ["user3"];
operator.groups = ["user3"];

--
/* Full access. */
var admin = new Role("admin");
admin.users = ["useradmin"];
admin.groups = ["useradmin"];

6. Log in as user1, then connect to the hypervisor in system mode;
user1 can do all operations defined in "restrictedActions"
in /etc/polkit-1/rules.d/libvirt-acl.rules by default, but only on
rhel7* guests

 virsh # list --all
 Id    Name                           State
----------------------------------------------------
 10    rhel7.0                        running
 11    rhel7.2                        running

7. Log in as user2, then connect to the hypervisor in system mode;
user1 can do all operations defined in "restrictedActions"
in /etc/polkit-1/rules.d/libvirt-acl.rules by default, but only on
vm* guests

virsh # list --all
 Id    Name                           State
----------------------------------------------------
 12    vm1                            running
 13    vm2                            running

8. Log in as user3, then connect to the hypervisor in system mode;
user3 can do all operations defined in "restrictedActions"
in /etc/polkit-1/rules.d/libvirt-acl.rules by default on all guests,
but couldn't do the actions outside "restrictedActions"
virsh # list --all
 Id    Name                           State
----------------------------------------------------
 16    rhel7.0                        running
 17    rhel7.2                        running
 18    vm1                            running
 19    vm2                            running

virsh # net-destroy default
error: Failed to destroy network default
error: access denied

9. Log in as useradmin, then connect to the hypervisor in system mode;
useradmin can do all operations on all guests.

10. Add user1 to user2's group, then re-test step 7; user1 can do actions
on domain vm*
virsh # list --all
 Id    Name                           State
----------------------------------------------------
 20    vm1                            running
 21    vm2                            running
 22    rhel7.2                        running
 23    rhel7.0                        running

11. Add user1 to useradmin's group, then re-test step 7; user1 can perform
all operations on all domains

According to the above steps, mark this bug verified.
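
As an added illustration (not the shipped libvirt-acl.rules file and not the reporter's code), the following stand-alone JavaScript models how a polkit rule evaluates the four roles set in step 5, with polkit's objects stubbed so the outcomes of steps 6 to 11 can be checked outside polkitd; the Role.isMember helper, the stub itself and the choice of which org.libvirt.api action ids count as "restricted" are assumptions.

```javascript
// Added illustration (not the shipped libvirt-acl.rules): a stand-alone model of
// the rule logic for step 5's roles; polkit's objects are stubbed to run outside polkitd.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};
function Role(name) {
  this.name = name; this.users = []; this.groups = []; this.domains = /.*/;
}
// Assumed helper: a subject holds a role by user name or by any listed group.
Role.prototype.isMember = function (subject) {
  return this.users.includes(subject.user) ||
         this.groups.some((g) => subject.isInGroup(g));
};
// Roles exactly as set in step 5 of the verification comment.
const userA = new Role("userA"); userA.domains = /^rhel7/;
userA.users = ["user1"]; userA.groups = ["user1"];
const userB = new Role("userB"); userB.domains = /^vm/;
userB.users = ["user2"]; userB.groups = ["user2"];
const operator = new Role("operator");
operator.users = ["user3"]; operator.groups = ["user3"];
const admin = new Role("admin");
admin.users = ["useradmin"]; admin.groups = ["useradmin"];
// libvirt action ids follow org.libvirt.api.<object>.<permission>; which ones
// count as the "restricted" basic domain operations is an assumption here.
const restrictedActions = [
  "org.libvirt.api.domain.getattr", "org.libvirt.api.domain.start",
  "org.libvirt.api.domain.stop", "org.libvirt.api.domain.open-graphics",
];
polkit.addRule(function (action, subject) {
  if (!action.id.startsWith("org.libvirt.api.")) return polkit.Result.NOT_HANDLED;
  if (admin.isMember(subject)) return polkit.Result.YES;        // full access
  if (!restrictedActions.includes(action.id)) return polkit.Result.NO;
  const dom = action.lookup("domain_name") || "";
  for (const r of [operator, userA, userB])
    if (r.isMember(subject) && r.domains.test(dom)) return polkit.Result.YES;
  return polkit.Result.NO;                                      // deny by default
});
// Evaluate one request as polkitd would: the first definite answer wins.
function check(user, groups, actionId, domainName) {
  const subject = { user, isInGroup: (g) => groups.includes(g) };
  const action = { id: actionId, lookup: (k) => (k === "domain_name" ? domainName : undefined) };
  for (const rule of polkit.rules) {
    const r = rule(action, subject);
    if (r !== polkit.Result.NOT_HANDLED) return r;
  }
  return polkit.Result.NOT_HANDLED;
}
```

The libvirtd.conf in step 3 disables socket authentication and makes the read-write socket world-writable, so on that test host the polkit rules are the only control between any local user and the hypervisor; in production keep auth_unix_rw and unix_sock_rw_perms restrictive and treat the ACL as an additional layer.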

Comment 17 errata-xmlrpc 2015-11-19 05:46:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html

