SSHPolicyKitSetup

From Libvirt Wiki
Revision as of 10:59, 13 September 2010 by JustinClift (talk | contribs) (Initial page, showing the ssh setup needed for PolicyKit controlled access. (RHEL 6/F12+))

Configuring access on RHEL 6 or Fedora 12 (onwards)

From Fedora 12 and RHEL 6 onwards, management access to the virtualisation layer is controlled by PolicyKit: a client connecting to libvirtd's read-write socket must be authorised for the PolicyKit action org.libvirt.unix.manage (a read-only connection uses org.libvirt.unix.monitor instead).


Advantages of PolicyKit

PolicyKit allows for more flexible, fine grained access control than just granting access to a named unix group.

Organisations with complex requirements can extend PolicyKit to meet their needs, for example to grant certain users access only between 9am and 5pm, Monday to Friday.

Extending PolicyKit in this way is beyond the scope of this page. For that, you'll need to consult the PolicyKit documentation.

This page will cover two common configurations:

  • Management access based upon unix groups
  • Management access for named unix users


Configuration for group access

To give management access to members of a unix group, we only need to create a PolicyKit Local Authority file.

This is a plain text file, generally placed in this directory:

 /etc/polkit-1/localauthority/50-local.d/

The name of the file is up to you, but it must end in .pkla. The two digit prefix is a convention rather than a requirement: the files in the directory are read in lexicographic order, so a number at the front makes that order explicit. For example:

 /etc/polkit-1/localauthority/50-local.d/50-org.example-libvirt-remote-access.pkla

Its contents should be:

 [Remote libvirt SSH access]
 Identity=unix-group:group_name
 Action=org.libvirt.unix.manage
 ResultAny=yes
 ResultInactive=yes
 ResultActive=yes

Replace the group_name value above with the name of the unix group needing management access.

For example:

 $ sudo cat /etc/polkit-1/localauthority/50-local.d/50-org.example-libvirt-remote-access.pkla
 [Remote libvirt SSH access]
 Identity=unix-group:libvirt
 Action=org.libvirt.unix.manage
 ResultAny=yes
 ResultInactive=yes
 ResultActive=yes

This will allow any member of the unix group libvirt to manage the virtualisation layer, including remotely through SSH. Note that ResultAny is the setting that matters for SSH logins: ResultActive and ResultInactive only cover sessions on the local console, so a rule with ResultAny=no grants nothing to a remote user. Also bear in mind that org.libvirt.unix.manage is full control of the hypervisor, which includes attaching arbitrary host block devices and files to guests, so membership of this group should be treated as privileged access to the host itself.


Connection example

We have two users in the libvirt group, named someuser and anotheruser. Using the PolicyKit Local Authority file above, they should now both have access:

 (on a server named host1)
 $ groups someuser anotheruser
 someuser : someuser tty libvirt
 anotheruser : anotheruser libvirt
 (from a computer other than host1)
 $ virsh -c qemu+ssh://someuser@host1/system
 Welcome to virsh, the virtualization interactive terminal.
 
 Type:  'help' for help with commands
        'quit' to quit
 
 virsh # hostname
 host1.libvirt.org
 (from a computer other than host1)
 $ virsh -c qemu+ssh://anotheruser@host1/system
 Welcome to virsh, the virtualization interactive terminal.
 
 Type:  'help' for help with commands
        'quit' to quit
 
 virsh # hostname
 host1.libvirt.org


Multiple groups

Multiple entries can be given on the Identity line. They need to be separated by a semi-colon ";".

For example:

 [Remote libvirt SSH access]
 Identity=unix-group:group_name1;unix-group:group_name2;unix-group:group_name3
 Action=org.libvirt.unix.manage
 ResultAny=yes
 ResultInactive=yes
 ResultActive=yes


Configuration for single user access

To grant management access to a single named user rather than a group, the Identity line uses the unix-user: prefix instead of unix-group:, for example Identity=unix-user:someuser. The rest of the file is the same as for group access, and user and group entries can be mixed on one Identity line, separated by semi-colons.
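As an added example (not part of this page, nor code from libvirt or PolicyKit), the shell script below covers the group, multiple-group and single-user configurations above in one place: pkla_rule writes a Local Authority section for any mix of unix-group: and unix-user: identities, and pkla_grants parses a .pkla file and lists the identities it grants a given action for remote sessions, which is what an SSH user gets. The file contents, group and user names are constructed for the example.

```shell
#!/bin/sh
# Added example for this page, not code from libvirt or PolicyKit.
# pkla_rule   : emit one Local Authority section for a list of identities
#               (unix-group:NAME or unix-user:NAME, joined with ";").
# pkla_grants : parse a .pkla file and list the identities it grants a given
#               action for remote sessions. An SSH login is neither an "active"
#               nor an "inactive" local console session, so only ResultAny
#               decides the outcome; ResultActive=yes on its own grants
#               nothing over SSH.

pkla_rule() {
    name=$1; action=$2; shift 2
    ids=""
    for id in "$@"; do
        ids="${ids:+${ids};}${id}"
    done
    printf '[%s]\nIdentity=%s\nAction=%s\nResultAny=yes\nResultInactive=yes\nResultActive=yes\n\n' \
        "$name" "$ids" "$action"
}

pkla_grants() {
    file=$1; want=$2
    # awk collapses each [section] into one "identity|action|resultany" line.
    awk -F= '
        /^[ \t]*\[/ { if (sec) print ids "|" acts "|" any
                      sec = 1; ids = ""; acts = ""; any = ""; next }
        /^[ \t]*(#|$)/ { next }
        {
            key = $1; gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1); sub(/[ \t]+$/, "", val)
            if (key == "Identity")  ids  = val
            if (key == "Action")    acts = val
            if (key == "ResultAny") any  = val
        }
        END { if (sec) print ids "|" acts "|" any }
    ' "$file" |
    while IFS='|' read -r ids acts any; do
        [ "$any" = "yes" ] || continue
        matched=0
        oldifs=$IFS; IFS=';'
        # Action is a ";"-separated list of globs, so match each with case.
        for a in $acts; do
            case $want in $a) matched=1 ;; esac
        done
        if [ "$matched" -eq 1 ]; then
            for id in $ids; do printf '%s\n' "$id"; done
        fi
        IFS=$oldifs
    done
}

# Constructed sample, standing in for /etc/polkit-1/localauthority/50-local.d/*.pkla
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
{
    pkla_rule 'Remote libvirt SSH access' org.libvirt.unix.manage \
        unix-group:libvirt unix-group:virtadmins unix-user:someuser
    # Console-only rule: ResultActive=yes but ResultAny=no, so an SSH
    # session gets nothing from it and it must not be reported.
    printf '[Console-only libvirt access]\nIdentity=unix-group:wheel\n'
    printf 'Action=org.libvirt.unix.manage\nResultAny=no\nResultInactive=no\nResultActive=yes\n\n'
    pkla_rule 'Read-only monitoring' org.libvirt.unix.monitor unix-group:ops
} > "$sample"

echo "Identities granted org.libvirt.unix.manage over SSH:"
pkla_grants "$sample" org.libvirt.unix.manage
```

To audit a real host, run it against the installed files, for example `for f in /etc/polkit-1/localauthority/*/*.pkla; do pkla_grants "$f" org.libvirt.unix.manage; done`. Independently of what the files say, `pkcheck --action-id org.libvirt.unix.manage --process $$` run from the remote user's SSH session asks PolicyKit itself whether that session is authorised.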