[PR #323] [CLOSED] Basic VMs access control #619

Closed
opened 2026-02-27 16:39:54 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/retspen/webvirtmgr/pull/323
Author: @daniviga
Created: 5/28/2014
Status: Closed

Base: master ← Head: master


📝 Commits (10+)

  • 0ffec44 Merged with upstream
  • cc63f6b First stage of auth: only is_staff can access host configuration
  • d2735ee Enable django admin interface
  • f00c56e Merge remote-tracking branch 'base/master'
  • 66cf1ec Merge remote-tracking branch 'base/master'
  • 0420543 Added logged user name in base template
  • 666d6c6 Merge remote-tracking branch 'base/master'
  • a35e40a Merge remote-tracking branch 'base/master'
  • 37005f6 Add preliminary acl support in the instance model
  • 07dde91 Limit permissions on servers (add host)

📊 Changes

16 files changed (+255 additions, -163 deletions)


📝 create/views.py (+4 -0)
➕ instance/admin.py (+9 -0)
📝 instance/models.py (+2 -0)
📝 instance/views.py (+15 -7)
📝 interfaces/views.py (+4 -0)
📝 networks/views.py (+7 -0)
📝 secrets/views.py (+4 -0)
📝 servers/views.py (+8 -0)
📝 storages/views.py (+7 -0)
➕ templates/403.html (+14 -0)
📝 templates/base.html (+4 -2)
📝 templates/instance.html (+2 -0)
📝 templates/servers.html (+164 -151)
📝 templates/sidebar.html (+4 -0)
📝 webvirtmgr/settings.py (+2 -2)
📝 webvirtmgr/urls.py (+5 -1)

📄 Description

This PR is a proof of concept of adding access control on VMs to webvirtmgr.

Use case:

  • There are admin accounts which have full control (network, storage, hypervisor)
  • You need to grant access to a specific non-admin user only for a set of virtual machines. These users can start, stop, modify and access the console of a VM. They cannot delete it, add new instances nor edit the hypervisor settings (i.e. add/remove storage and network pools)

How it is implemented:

  • Enabling the Django admin interface
  • Adding a Many-to-Many relation in the instance model between instance and users
  • Adding an instance admin view

[Screenshot: screen shot 2014-05-28 at 14 41 14]

How it works

  • The "Staff" (and superusers) users have full control on the installation
  • Using the Django admin interface you can add new users. You have to leave the created user without the "Staff" flag
  • In the Django interface, under the "Instances" view you can assign the newly created users to a specific VM

All the features and the VMs for which a normal user doesn't have permission are hidden in the interface. If the user tries to access them directly (for example using the URL) he will get a 403 response.

As admin user

[Screenshots: admin_user_login, admin_user]

As normal user

[Screenshots: normal_user_login, normal_user]

This is just a proof of concept (I'm not a developer, just a sysadmin), but it works for my needs. The user and ACL management is very simple, but it can be expanded further and maybe moved from the Django admin interface to a custom view in the application.

Feel free to discard, merge or move the code to a custom branch.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
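
The access model the description outlines (staff with full control, non-staff users limited to assigned VMs, 403 on direct access) can be sketched as a default-deny check made on the server for every request. This is an added example, not code from the PR or from webvirtmgr; it models the many-to-many relation with a plain set so it runs without Django, and every name in it (User, Instance, authorize, visible_instances, the action strings) is hypothetical.

```python
# Added illustration; all names are hypothetical, not from the webvirtmgr code base.
from dataclasses import dataclass, field

# Actions an assigned non-staff user may perform on a VM, per the PR description.
# Everything else (delete, create, storage/network/host settings) is staff-only
# and falls through to the default deny below.
USER_VM_ACTIONS = frozenset({"start", "stop", "modify", "console"})


@dataclass(frozen=True)
class User:
    name: str
    is_staff: bool = False
    is_superuser: bool = False
    is_active: bool = True


@dataclass
class Instance:
    name: str
    users: set = field(default_factory=set)  # stands in for the many-to-many relation


def is_admin(user):
    return user.is_active and (user.is_staff or user.is_superuser)


def authorize(user, action, instance=None):
    """Return an HTTP-style status: 200 if allowed, 403 otherwise (default deny)."""
    if user is None or not user.is_active:
        return 403
    if is_admin(user):
        return 200
    if action in USER_VM_ACTIONS and instance is not None and user.name in instance.users:
        return 200
    return 403  # staff-only action, unknown action, or VM not assigned to this user


def visible_instances(user, instances):
    """What the interface lists. Hiding alone does not protect direct URLs,
    so every view still has to call authorize()."""
    return [i.name for i in instances if is_admin(user) or user.name in i.users]


# Constructed sample data.
ADMIN = User("admin", is_staff=True)
ALICE = User("alice")
VMS = [Instance("web01", {"alice"}), Instance("db01")]
```

The point to carry into a review of such a change: the list filter and the per-request check are separate controls, and only the second one stops a request for an unassigned VM made by URL.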
