From bdb62336234cc454d7c5b1e539ad764984c946e2 Mon Sep 17 00:00:00 2001

Message-Id: <bdb62336234cc454d7c5b1e539ad764984c946e2.1377873638.git.jdenemar@redhat.com>

From: "Daniel P. Berrange" <berrange@redhat.com>

Date: Tue, 13 Aug 2013 11:38:28 +0100

Subject: [PATCH] Add documentation for access control system

For https://bugzilla.redhat.com/show_bug.cgi?id=700443

This adds two new pages to the website, acl.html describing

the general access control framework and permissions models,

and aclpolkit.html describing the use of polkit as an

access control driver.

page.xsl is modified to support a new syntax

which will cause the XSL transform to replace that 

with the contents of 'somefile.htmlinc'. We use this in

the acl.html.in file, to pull the table of permissions

for each libvirt object. This table is autogenerated

from the enums in src/access/viraccessperms.h by the

genaclperms.pl script.

newapi.xsl is modified so that the list of permissions

checks shown against each API will link to the description

of the permissions in acl.html

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

(cherry picked from commit da13f2c70c06c38c4f8feba1a5725652d2f1efc7)

---

 .gitignore             |   1 +

 docs/Makefile.am       |  12 +-

 docs/acl.html.in       | 100 ++++++++++++

 docs/aclpolkit.html.in | 410 +++++++++++++++++++++++++++++++++++++++++++++++++

 docs/auth.html.in      |   6 +-

 docs/genaclperms.pl    | 124 +++++++++++++++

 docs/newapi.xsl        |   4 +-

 docs/page.xsl          |  11 ++

 docs/sitemap.html.in   |  10 ++

 src/Makefile.am        |   2 +-

 10 files changed, 674 insertions(+), 6 deletions(-)

 create mode 100644 docs/acl.html.in

 create mode 100644 docs/aclpolkit.html.in

 create mode 100755 docs/genaclperms.pl

diff --git a/docs/Makefile.am b/docs/Makefile.am

index aabee44..0b0d2d4 100644

--- a/docs/Makefile.am

+++ b/docs/Makefile.am

@@ -128,7 +128,7 @@ fig = \

   migration-unmanaged-direct.fig

 EXTRA_DIST=					\

-  apibuild.py \

+  apibuild.py genaclperms.pl \

   site.xsl newapi.xsl news.xsl page.xsl \

   hacking1.xsl hacking2.xsl wrapstring.xsl \

   $(dot_html) $(dot_html_in) $(gif) $(apihtml) $(apipng) \

@@ -139,6 +139,16 @@ EXTRA_DIST=					\

   sitemap.html.in \

   todo.pl hvsupport.pl todo.cfg-example

+BUILT_SOURCES += aclperms.htmlinc

+

+CLEANFILES = $(srcdir)/aclperms.htmlinc

+

+acl.html:: $(srcdir)/aclperms.htmlinc

+

+$(srcdir)/aclperms.htmlinc: $(top_srcdir)/src/access/viraccessperm.h \

+        $(srcdir)/genaclperms.pl Makefile.am

+	$(PERL) $(srcdir)/genaclperms.pl $< > $@

+

 MAINTAINERCLEANFILES = \

   $(addprefix $(srcdir)/,$(dot_html)) \

   $(addprefix $(srcdir)/,$(apihtml)) \

diff --git a/docs/acl.html.in b/docs/acl.html.in

new file mode 100644

index 0000000..2d228e2

--- /dev/null

+++ b/docs/acl.html.in

@@ -0,0 +1,100 @@

+

+

+<html xmlns="http://www.w3.org/1999/xhtml">

+  <body>

+    
Client access control

+    

+      Libvirt's client access control framework allows administrators

+      to setup fine grained permission rules across client users,

+      managed objects and API operations. This allows client connections

+      to be locked down to a minimal set of privileges.

+    

+

+    

+

+    
Access control introduction

+

+    

+      In a default configuration, the libvirtd daemon has three levels

+      of access control. All connections start off in an unauthenticated

+      state, where the only API operations allowed are those required

+      to complete authentication. After successful authentication, a

+      connection either has full, unrestricted access to all libvirt

+      API calls, or is locked down to only "read only" operations,

+      according to what socket a client connection originated on.

+    

+

+    

+      The access control framework allows authenticated connections to

+      have fine grained permission rules to be defined by the administrator.

+      Every API call in libvirt has a set of permissions that will

+      be validated against the object being used. For example, the

+      virDomainSetSchedulerParametersFlags method will

+      check whether the client user has the write

+      permission on the domain object instance passed

+      in as a parameter. Further permissions will also be checked

+      if certain flags are set in the API call. In addition to

+      checks on the object passed in to an API call, some methods

+      will filter their results. For example the virConnectListAllDomains

+      method will check the search_domains on the connect

+      object, but will also filter the returned domain

+      objects to only those on which the client user has the

+      getattr permission.

+    

+

+    
Access control drivers

+

+    

+      The access control framework is designed as a pluggable

+      system to enable future integration with arbitrary access

+      control technologies. By default, the none

+      driver is used, which does no access control checks at

+      all. At this time, libvirt ships with support for using

+      polkit as a real access

+      control driver. To learn how to use the polkit access

+      driver consult the configuration

+      docs.

+    

+

+    

+      The access driver is configured in the libvirtd.conf

+      configuration file, using the access_drivers

+      parameter. This parameter accepts an array of access control

+      driver names. If more than one access driver is requested,

+      then all must succeed in order for access to be granted.

+      To enable 'polkit' as the driver:

+    

+

+    

+# augtool -s set '/files/etc/libvirt/libvirtd.conf/access_drivers[1]' polkit

+    

+

+    

+      And to reset back to the default (no-op) driver

+    

+

+

+    

+# augtool -s rm /files/etc/libvirt/libvirtd.conf/access_drivers

+    

+

+    

+      Note: changes to libvirtd.conf require that

+      the libvirtd daemon be restarted.

+    

+

+    
Objects and permissions

+

+    

+      Libvirt applies access control to all the main object

+      types in its API. Each object type, in turn, has a set

+      of permissions defined. To determine what permissions

+      are checked for specific API call, consult the

+      API reference manual

+      documentation for the API in question.

+    

+

+    

+

+  </body>

+</html>

diff --git a/docs/aclpolkit.html.in b/docs/aclpolkit.html.in

new file mode 100644

index 0000000..3b0d81a

--- /dev/null

+++ b/docs/aclpolkit.html.in

@@ -0,0 +1,410 @@

+

+

+<html xmlns="http://www.w3.org/1999/xhtml">

+  <body>

+    
Polkit access control

+

+    

+      Libvirt's client access control framework allows

+      administrators to setup fine grained permission rules across client users,

+      managed objects and API operations. This allows client connections

+      to be locked down to a minimal set of privileges. The polkit driver

+      provides a simple implementation of the access control framework.

+    

+

+    

+

+    
Introduction

+

+    

+      A default install of libvirt will typically use

+      polkit

+      to authenticate the initial user connection to libvirtd. This is a

+      very coarse grained check though, either allowing full read-write

+      access to all APIs, or just read-only access. The polkit access

+      control driver in libvirt builds on this capability to allow for

+      fine grained control over the operations a user may perform on an

+      object.

+    

+

+    
Permission names

+

+    

+      The libvirt object names and permission names

+      are mapped onto polkit action names using the simple pattern:

+    

+

+    
org.libvirt.api.$object.$permission

+

+

+    

+      The only caveat is that any underscore characters in the

+      object or permission names are converted to hyphens. So,

+      for example, the search_storage_vols permission

+      on the storage_pool object maps to the polkit

+      action:

+    

+    
org.libvirt.api.storage-pool.search-storage-vols

+

+

+    

+      The default policy for any permission which corresponds to

+      a "read only" operation, is to allow access. All other

+      permissions default to deny access.

+    

+

+    
Object identity attributes

+

+    

+      To allow polkit authorization rules to be written to match

+      against individual object instances, libvirt provides a number

+      of authorization detail attributes when performing a permission

+      check. The set of attributes varies according to the type

+      of object being checked

+    

+

+    
virConnectPtr

+    

+      

+        

+          Attribute

+          Description

+        

+      

+      

+        

+          connect_driver

+          Name of the libvirt connection driver

+        

+      

+    

+

+    
virDomainPtr

+    

+      

+        

+          Attribute

+          Description

+        

+      

+      

+        

+          connect_driver

+          Name of the libvirt connection driver

+        

+        

+          domain_name

+          Name of the domain, unique to the local host

+        

+        

+          domain_uuid

+          UUID of the domain, globally unique

+        

+      

+    

+

+    
virInterfacePtr

+    

+      

+        

+          Attribute

+          Description

+        

+      

+      

+        

+          connect_driver

+          Name of the libvirt connection driver

+        

+        

+          interface_name

+          Name of the network interface, unique to the local host

+        

+        

+          interface_mac

+          MAC address of the network interface, not unique

+        

+      

+    

+

+    
virNetworkPtr

+    

+      

+        

+          Attribute

+          Description

+        

+      

+      

+        

+          connect_driver

+          Name of the libvirt connection driver

+        

+        

+          network_name

+          Name of the network, unique to the local host

+        

+        

+          network_uuid

+          UUID of the network, globally unique

+        

+      

+    

+

+    
virNodeDevicePtr

+    

+      

+        

+          Attribute

+          Description

+        

+      

+      

+        

+          connect_driver

+          Name of the libvirt connection driver

+        

+        

+          node_device_name

+          Name of the node device, unique to the local host

+        

+      

+    

+

+    
virNWFilterPtr

+    

+      

+        

+          Attribute

+          Description

+        

+      

+      

+        

+          connect_driver

+          Name of the libvirt connection driver

+        

+        

+          nwfilter_name

+          Name of the network filter, unique to the local host

+        

+        

+          nwfilter_uuid

+          UUID of the network filter, globally unique

+        

+      

+    

+

+    
virSecretPtr

+    

+      

+        

+          Attribute

+          Description

+        

+      

+      

+        

+          connect_driver

+          Name of the libvirt connection driver

+        

+        

+          secret_uuid

+          UUID of the secret, globally unique

+        

+        

+          secret_usage_volume

+          Name of the associated volume, if any

+        

+        

+          secret_usage_ceph

+          Name of the associated Ceph server, if any

+        

+        

+          secret_usage_target

+          Name of the associated iSCSI target, if any

+        

+      

+    

+

+    
virStoragePoolPtr

+    

+      

+        

+          Attribute

+          Description

+        

+      

+      

+        

+          connect_driver

+          Name of the libvirt connection driver

+        

+        

+          pool_name

+          Name of the storage pool, unique to the local host

+        

+        

+          pool_uuid

+          UUID of the storage pool, globally unique

+        

+      

+    

+

+    
virStorageVolPtr

+    

+      

+        

+          Attribute

+          Description

+        

+      

+      

+        

+          connect_driver

+          Name of the libvirt connection driver

+        

+        

+          pool_name

+          Name of the storage pool, unique to the local host

+        

+        

+          pool_uuid

+          UUID of the storage pool, globally unique

+        

+        

+          vol_name

+          Name of the storage volume, unique to the pool

+        

+        

+          vol_key

+          Key of the storage volume, globally unique

+        

+      

+    

+

+

+    
User identity attributes

+

+    

+      At this point in time, the only attribute provided by

+      libvirt to identify the user invoking the operation

+      is the PID of the client program. This means that the

+      polkit access control driver is only useful if connections

+      to libvirt are restricted to its UNIX domain socket. If

+      connections are being made to a TCP socket, no identifying

+      information is available and access will be denied.

+      Also note that if the client is connecting via an SSH

+      tunnel, it is the local SSH user that will be identified.

+      In future versions, it is expected that more information

+      about the client user will be provided, including the

+      SASL / Kerberos username and/or x509 distinguished

+      name obtained from the authentication provider in use.

+    

+

+

+    
Writing acces control policies

+

+    

+      If using versions of polkit prior to 0.106 then it is only

+      possible to validate (user, permission) pairs via the .pkla

+      files. Fully validation of the (user, permission, object) triple

+      requires the new JavaScript .rules support that

+      was introduced in version 0.106. The latter is what will be

+      described here.

+    

+

+    

+      Libvirt does not ship any rules files by default. It merely

+      provides a definition of the default behaviour for each

+      action (permission). As noted earlier, permissions which

+      correspond to read-only operations in libvirt will be allowed

+      to all users by default; everything else is denied by default.

+      Defining custom rules requires creation of a file in the

+      /etc/polkit-1/rules.d directory with a name

+      chosen by the administrator (100-libvirt-acl.rules

+      would be a reasonable choice). See the polkit(8)

+      manual page for a description of how to write these files

+      in general. The key idea is to create a file containing

+      something like

+    

+

+    

+      polkit.addRule(function(action, subject) {

+        ....logic to check 'action' and 'subject'...

+      });

+    

+

+    

+      In this code snippet above, the action object

+      instance will represent the libvirt permission being checked

+      along with identifying attributes for the object it is being

+      applied to. The subject meanwhile will identify

+      the libvirt client app (with the caveat above about it only

+      dealing with local clients connected via the UNIX socket).

+      On the action object, the permission name is

+      accessible via the id attribute, while the

+      object identifying attributes are exposed via a set of

+      attributes with the naming convention _detail_[attrname].

+      For example, the 'domain_name' attribute would be exposed via

+      a property _detail_domain_name.

+    

+

+    
Example: restricting ability to connect to drivers

+

+    

+      Consider a local user berrange

+      who has been granted permission to connect to libvirt in

+      full read-write mode. The goal is to only allow them to

+      use the QEMU driver and not the Xen or LXC

+      drivers which are also available in libvirtd.

+      To achieve this we need to write a rule which checks

+      whether the _detail_connect_driver attribute

+      is QEMU, and match on an action

+      name of org.libvirt.api.connect.getattr. Using

+      the javascript rules format, this ends up written as

+    

+

+    

+polkit.addRule(function(action, subject) {

+    if (action.id == "org.libvirt.api.connect.getattr" &&

+        subject.user == "berrange") {

+          if (action._detail_connect_driver == 'QEMU') {

+            return polkit.Result.YES;

+          } else {

+            return polkit.Result.NO;

+          }

+    }

+});

+    

+

+    
Example: restricting access to a single domain

+

+    

+      Consider a local user berrange

+      who has been granted permission to connect to libvirt in

+      full read-write mode. The goal is to only allow them to

+      see the domain called demo on the LXC driver.

+      To achieve this we need to write a rule which checks

+      whether the _detail_connect_driver attribute

+      is LXC and the _detail_domain_name

+      attribute is demo, and match on a action

+      name of org.libvirt.api.domain.getattr. Using

+      the javascript rules format, this ends up written as

+    

+

+    

+polkit.addRule(function(action, subject) {

+    if (action.id == "org.libvirt.api.domain.getattr" &&

+        subject.user == "berrange") {

+          if (action._detail_connect_driver == 'LXC' &&

+              action._detail_domain_name == 'busy') {

+            return polkit.Result.YES;

+          } else {

+            return polkit.Result.NO;

+          }

+    }

+});

+    

+  </body>

+</html>

diff --git a/docs/auth.html.in b/docs/auth.html.in

index e5703c7..37f2978 100644

--- a/docs/auth.html.in

+++ b/docs/auth.html.in

@@ -2,12 +2,14 @@

 <html xmlns="http://www.w3.org/1999/xhtml">

   <body>

-    
Authentication & access control

+    
Connection authentication

       When connecting to libvirt, some connections may require client

       authentication before allowing use of the APIs. The set of possible

       authentication mechanisms is administrator controlled, independent

-      of applications using libvirt.

+      of applications using libvirt. Once authenticated, libvirt can apply

+      fine grained access control to the operations

+      performed by a client.

diff --git a/docs/genaclperms.pl b/docs/genaclperms.pl

new file mode 100755

index 0000000..244a68e

--- /dev/null

+++ b/docs/genaclperms.pl

@@ -0,0 +1,124 @@

+#!/usr/bin/perl

+#

+# Copyright (C) 2013 Red Hat, Inc.

+#

+# This library is free software; you can redistribute it and/or

+# modify it under the terms of the GNU Lesser General Public

+# License as published by the Free Software Foundation; either

+# version 2.1 of the License, or (at your option) any later version.

+#

+# This library is distributed in the hope that it will be useful,

+# but WITHOUT ANY WARRANTY; without even the implied warranty of

+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

+# Lesser General Public License for more details.

+#

+# You should have received a copy of the GNU Lesser General Public

+# License along with this library.  If not, see

+# <http://www.gnu.org/licenses/>.

+#

+

+use strict;

+use warnings;

+

+my @objects = (

+    "CONNECT", "DOMAIN", "INTERFACE",

+    "NETWORK","NODE_DEVICE", "NWFILTER",

+     "SECRET", "STORAGE_POOL", "STORAGE_VOL",

+    );

+

+my %class;

+

+foreach my $object (@objects) {

+    my $class = lc $object;

+

+    $class =~ s/(^\w|_\w)/uc $1/eg;

+    $class =~ s/_//g;

+    $class =~ s/Nwfilter/NWFilter/;

+    $class = "vir" . $class . "Ptr";

+

+    $class{$object} = $class;

+}

+

+my $objects = join ("|", @objects);

+

+my %opts;

+my $in_opts = 0;

+

+my %perms;

+

+while (<>) {

+    if ($in_opts) {

+        if (m,\*/,) {

+            $in_opts = 0;

+        } elsif (/\*\s*\@(\w+):\s*(.*?)\s*$/) {

+            $opts{$1} = $2;

+        }

+    } elsif (m,/\*\*,) {

+        $in_opts = 1;

+    } elsif (/VIR_ACCESS_PERM_($objects)_((?:\w|_)+),/) {

+        my $object = $1;

+        my $perm = lc $2;

+        next if $perm eq "last";

+

+        $perm =~ s/_/-/g;

+

+        $perms{$object} = {} unless exists $perms{$object};

+        $perms{$object}->{$perm} = {

+            desc => $opts{desc},

+            message => $opts{message},

+            anonymous => $opts{anonymous}

+        };

+        %opts = ();

+    }

+}

+

+print <

+

+

+<html xmlns="http://www.w3.org/1999/xhtml">

+  <body>

+EOF