Re: F20 Self Contained Change: Role based access control with libvirt

2013-07-15 Thread Matthew Miller
On Mon, Jul 15, 2013 at 06:03:46PM +0100, Daniel P. Berrange wrote: > Yes, libvirt is just calling pkcheck with suitable arguments. The admin > is the one writing the policy files, which is what we need to document > the process for. Ok cool. -- Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁

Re: F20 Self Contained Change: Role based access control with libvirt

2013-07-15 Thread Daniel P. Berrange
On Mon, Jul 15, 2013 at 12:58:36PM -0400, Matthew Miller wrote: > On Mon, Jul 15, 2013 at 05:37:26PM +0100, Daniel P. Berrange wrote: > > >and those audiences only. In particular, applications, mechanisms > > >and general-purpose operating systems must never include any > > >

Re: F20 Self Contained Change: Role based access control with libvirt

2013-07-15 Thread Matthew Miller
On Mon, Jul 15, 2013 at 05:37:26PM +0100, Daniel P. Berrange wrote: > >and those audiences only. In particular, applications, mechanisms > >and general-purpose operating systems must never include any > >authorization rules. > What/where's the problem you're seeing ? Not ne

Re: F20 Self Contained Change: Role based access control with libvirt

2013-07-15 Thread James Hogarth
> >Authorization rules are intended for two specific audiences > >· System Administrators > Well one could argue with good conscience that starting, stopping and so on of VMs is a system administration function and this viable for policykit based configuration... Policykit as al

Re: F20 Self Contained Change: Role based access control with libvirt

2013-07-15 Thread Daniel P. Berrange
On Mon, Jul 15, 2013 at 12:34:55PM -0400, Matthew Miller wrote: > On Mon, Jul 15, 2013 at 05:09:33PM +0100, Daniel P. Berrange wrote: > > > How do you set these policies? Is there a command/gui/interface? Or a > > > text file? Or ? > > It is done via the standard PolicyKit javascript auth rules fil

Re: F20 Self Contained Change: Role based access control with libvirt

2013-07-15 Thread Matthew Miller
On Mon, Jul 15, 2013 at 05:09:33PM +0100, Daniel P. Berrange wrote: > > How do you set these policies? Is there a command/gui/interface? Or a > > text file? Or ? > It is done via the standard PolicyKit javascript auth rules files How does this fit with the PolicyKit documentation for javascript au

Re: F20 Self Contained Change: Role based access control with libvirt

2013-07-15 Thread Daniel P. Berrange
On Mon, Jul 15, 2013 at 10:06:30AM -0600, Kevin Fenzi wrote: > On Mon, 15 Jul 2013 12:00:35 +0200 > Jaroslav Reznik wrote: > > > = Proposed Self Contained Change: Role based access control with > > libvirt = https://fedoraproject.org/wiki/Changes/Virt_ACLs > > > > Change owner(s): Daniel P. Ber

Re: F20 Self Contained Change: Role based access control with libvirt

2013-07-15 Thread Kevin Fenzi
On Mon, 15 Jul 2013 12:00:35 +0200 Jaroslav Reznik wrote: > = Proposed Self Contained Change: Role based access control with > libvirt = https://fedoraproject.org/wiki/Changes/Virt_ACLs > > Change owner(s): Daniel P. Berrange , Cole > Robinson > > Allow role based access control with libvirt.