Description of problem: It could be problematic if admins can run virsh destroy/undefine on ComputeNodes outside of Nova, since that may cause state to get messed up between ComputeNodes and Nova. So it might be desirable to make libvirt connections read-only for all users except for Nova. This should be optional though. Some users may want their admins to have virsh access to VMs even despite the risks.
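One way the optional "read-only for everyone except Nova" policy described above could be expressed is a polkit rule for libvirt's two connection actions. The block below is an added example, not code from the bug report or from Nova/libvirt; it assumes libvirtd.conf is set to `auth_unix_rw = "polkit"`, that the Nova service runs as a Unix user named `nova` (an assumption), and it wraps the rule in a small constructed stand-in for the `polkit` global so the decision logic can be exercised offline. Making the policy optional is then a matter of whether the `.rules` file is installed at all.

```javascript
// Added example (not from the original report). Shows a polkit rule in the form
// used by /etc/polkit-1/rules.d/*.rules that grants read-write libvirt access only
// to the assumed service account "nova" and read-only access to everyone else.
// A tiny stand-in for the polkit object is constructed here so the rule can be
// evaluated without a running polkit daemon.

// Constructed stand-in for the global that polkit provides to rule files.
const polkit = {
  Result: { YES: "yes", NO: "no" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  // Rules are consulted in order; the first definite (non-undefined) answer wins.
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined) return r;
    }
    return "not-handled"; // real polkit would fall back to the action's defaults
  },
};

// --- rule body as it would appear in the .rules file ---
// org.libvirt.unix.manage  = read-write connection (virsh destroy/undefine/...)
// org.libvirt.unix.monitor = read-only connection (virsh list/dominfo/...)
const NOVA_USER = "nova"; // assumed name of the Nova service account
polkit.addRule(function (action, subject) {
  if (action.id === "org.libvirt.unix.manage") {
    return subject.user === NOVA_USER ? polkit.Result.YES : polkit.Result.NO;
  }
  if (action.id === "org.libvirt.unix.monitor") {
    return polkit.Result.YES; // any local user may open a read-only connection
  }
  // Any other action: return undefined so polkit's defaults apply.
});
// --- end of rule body ---

// Helper used to ask the stand-in what the rule decides for a given user/action.
function decide(user, actionId) {
  return polkit.evaluate({ id: actionId }, { user });
}

// Stand-alone run: print the decisions for a few constructed callers.
for (const [u, a] of [["nova", "org.libvirt.unix.manage"],
                      ["alice", "org.libvirt.unix.manage"],
                      ["alice", "org.libvirt.unix.monitor"]]) {
  console.log(u, a, "=>", decide(u, a));
}
```

This rule only governs callers that libvirtd routes through polkit, i.e. unprivileged local users on the read-write socket; it is assumed here that uid 0 is admitted by libvirtd without a polkit check, so the root-access concern raised in the following comment is not changed by a rule like this one either way.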
I think that this is something we should not do. RHEV made libvirt inaccessible to the root user and it has been a total PITA for anyone logging into a box to troubleshoot the system. If a person has been given root they are all powerful and know they should be careful. We don't need to add child-locks to their account wrt libvirt, which ultimately don't achieve anything besides annoyance for people who need access.
BTW, Nova copes fine if you 'virsh destroy' a running nova guest - it just transitions it to the shutoff state.