External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-22 05:35:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: acl: Convert to 'rst'

Browse Source 
The only special bit about the 'acl' page was the inclusion of the
objects and permissions tables. We can do that by the '.. raw::'
directive.

One reference from 'aclpolkit.rst' needed to be updated to go with the
new header anchor naming.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
Peter Krempa 2022-08-03 14:59:03 +02:00
parent 0f1d6ef6e7
commit c0a06c081c
4 changed files with 79 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
docs/acl.html.in
View File

@ -1,101 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<h1>Client access control</h1>
<p>
Libvirt's client access control framework allows administrators
to setup fine grained permission rules across client users,
managed objects and API operations. This allows client connections
to be locked down to a minimal set of privileges.
</p>
<ul id="toc"></ul>
<h2><a id="intro">Access control introduction</a></h2>
<p>
In a default configuration, the libvirtd daemon has three levels
of access control. All connections start off in an unauthenticated
state, where the only API operations allowed are those required
to complete authentication. After successful authentication, a
connection either has full, unrestricted access to all libvirt
API calls, or is locked down to only "read only" (see 'Anonymous'
in the table below) operations,
according to what socket a client connection originated on.
</p>
<p>
The access control framework allows authenticated connections to
have fine grained permission rules to be defined by the administrator.
Every API call in libvirt has a set of permissions that will
be validated against the object being used. For example, the
<code>virDomainSetSchedulerParametersFlags</code> method will
check whether the client user has the <code>write</code>
permission on the <code>domain</code> object instance passed
in as a parameter. Further permissions will also be checked
if certain flags are set in the API call. In addition to
checks on the object passed in to an API call, some methods
will filter their results. For example the <code>virConnectListAllDomains</code>
method will check the <code>search_domains</code> on the <code>connect</code>
object, but will also filter the returned <code>domain</code>
objects to only those on which the client user has the
<code>getattr</code> permission.
</p>
<h2><a id="drivers">Access control drivers</a></h2>
<p>
The access control framework is designed as a pluggable
system to enable future integration with arbitrary access
control technologies. By default, the <code>none</code>
driver is used, which does no access control checks at
all. At this time, libvirt ships with support for using
<a href="https://www.freedesktop.org/wiki/Software/polkit/">polkit</a> as a real access
control driver. To learn how to use the polkit access
driver consult <a href="aclpolkit.html">the configuration
docs</a>.
</p>
<p>
The access driver is configured in the <code>libvirtd.conf</code>
configuration file, using the <code>access_drivers</code>
parameter. This parameter accepts an array of access control
driver names. If more than one access driver is requested,
then all must succeed in order for access to be granted.
To enable 'polkit' as the driver:
</p>
<pre>
# augtool -s set '/files/etc/libvirt/libvirtd.conf/access_drivers[1]' polkit
</pre>
<p>
And to reset back to the default (no-op) driver
</p>
<pre>
# augtool -s rm /files/etc/libvirt/libvirtd.conf/access_drivers
</pre>
<p>
<strong>Note:</strong> changes to libvirtd.conf require that
the libvirtd daemon be restarted.
</p>
<h2><a id="perms">Objects and permissions</a></h2>
<p>
Libvirt applies access control to all the main object
types in its API. Each object type, in turn, has a set
of permissions defined. To determine what permissions
are checked for specific API call, consult the
<a href="html/index.html">API reference manual</a>
documentation for the API in question.
</p>
<div id="include" filename="aclperms.htmlinc"/>
</body>
</html>

76
docs/acl.rst Normal file
View File

@ -0,0 +1,76 @@
=====================
Client access control
=====================
Libvirt's client access control framework allows administrators to setup fine
grained permission rules across client users, managed objects and API
operations. This allows client connections to be locked down to a minimal set of
privileges.
.. contents::
Access control introduction
---------------------------
In a default configuration, the libvirtd daemon has three levels of access
control. All connections start off in an unauthenticated state, where the only
API operations allowed are those required to complete authentication. After
successful authentication, a connection either has full, unrestricted access to
all libvirt API calls, or is locked down to only "read only" (see 'Anonymous' in
the table below) operations, according to what socket a client connection
originated on.
The access control framework allows authenticated connections to have fine
grained permission rules to be defined by the administrator. Every API call in
libvirt has a set of permissions that will be validated against the object being
used. For example, the ``virDomainSetSchedulerParametersFlags`` method will
check whether the client user has the ``write`` permission on the ``domain``
object instance passed in as a parameter. Further permissions will also be
checked if certain flags are set in the API call. In addition to checks on the
object passed in to an API call, some methods will filter their results. For
example the ``virConnectListAllDomains`` method will check the
``search_domains`` on the ``connect`` object, but will also filter the returned
``domain`` objects to only those on which the client user has the ``getattr``
permission.
Access control drivers
----------------------
The access control framework is designed as a pluggable system to enable future
integration with arbitrary access control technologies. By default, the ``none``
driver is used, which does no access control checks at all. At this time,
libvirt ships with support for using
`polkit <https://www.freedesktop.org/wiki/Software/polkit/>`__ as a real access
control driver. To learn how to use the polkit access driver consult `the
configuration docs <aclpolkit.html>`__.
The access driver is configured in the ``libvirtd.conf`` configuration file,
using the ``access_drivers`` parameter. This parameter accepts an array of
access control driver names. If more than one access driver is requested, then
all must succeed in order for access to be granted. To enable 'polkit' as the
driver:
::
# augtool -s set '/files/etc/libvirt/libvirtd.conf/access_drivers[1]' polkit
And to reset back to the default (no-op) driver
::
# augtool -s rm /files/etc/libvirt/libvirtd.conf/access_drivers
**Note:** changes to libvirtd.conf require that the libvirtd daemon be
restarted.
Objects and permissions
-----------------------
Libvirt applies access control to all the main object types in its API. Each
object type, in turn, has a set of permissions defined. To determine what
permissions are checked for specific API call, consult the `API reference
manual <html/index.html>`__ documentation for the API in question.
.. raw:: html
<div id="include" filename="aclperms.htmlinc"/>

2
docs/aclpolkit.rst
View File

@ -26,7 +26,7 @@ the operations a user may perform on an object.
Permission names Permission names
---------------- ----------------
The libvirt `object names and permission names <acl.html#perms>`__ are The libvirt `object names and permission names <acl.html#objects-and-permissions>`__ are
mapped onto polkit action names using the simple pattern: mapped onto polkit action names using the simple pattern:
:: ::

3
docs/meson.build
View File

@ -248,7 +248,8 @@ endforeach
html_xslt_gen += { html_xslt_gen += {
'name': 'acl', 'name': 'acl',
'source': 'docs' / 'acl.html.in', 'file': docs_rst2html5_gen.process('acl.rst'),
'source': 'docs' / 'acl.rst',
'depends': aclperms_gen, 'depends': aclperms_gen,
} }