XCP-ng
    MathieuRA

    @MathieuRA

    Vates 🪐 XO Team
    Reputation 79 · Profile views 58 · Posts 158 · Followers 1 · Following 0
    Groups: Team - XO Backend, Team - XO Frontend, Vates 🪐 XO Team, Admin

    Best posts made by MathieuRA

    • ACL V2, we need your feedbacks!

      ACL v2: Fine-grained access control in Xen Orchestra

      With the v2 of the ACL system, Xen Orchestra takes a new step forward in permission management. Where v1 offered basic per-object access control, v2 introduces a full RBAC (Role-Based Access Control) model, with effects, selectors, and an action hierarchy.

      What changes

      The old approach allowed granting access to an object (a VM, an SR…). Simple, but limited: there was no way to say "this user can shut down only VMs with tag: foo".

      Another major limitation of v1: it only covered XAPI objects — VMs, hosts, SRs, networks, so users, groups, backups, schedules, jobs, etc. were out of scope.

      ACL v2: REST API exclusive

      ACL v2 is available through the REST API only. The JSON-RPC API (used by XO5) stays on ACL v1, and conversely: ACL v1 is not available on the REST API.

      Key concepts

      Roles and privileges

      A role is a named set of privileges. Each privilege defines:

      • a resource type (vm, sr, network, backup-job…)
      • an action (read, start, shutdown:clean, delete…)
      • an effect: allow or deny
      • an optional selector to target specific objects (complex-matcher format)

      Actions are hierarchical. Granting shutdown covers both shutdown:clean and shutdown:hard. But granting shutdown:clean does not cover shutdown as a whole. deny always takes precedence over allow.

      Built-in roles

      Currently, 4 template roles are provided out of the box:

      • Read only — full read-only access to the infrastructure
      • VMs read only — read-only access to VMs only
      • VMs power state manager — manage VM power state (start, stop, reboot, pause…)
      • VMs creator — create VMs from templates

      These roles are immutable and automatically updated on startup — they cannot be assigned directly. To use them, copy the template into a new role and assign that copy to your users or groups. This ensures the built-in templates always stay up to date without affecting your custom configurations.

      Selectors: object-level precision

      A selector restricts a privilege to objects matching certain properties. For example: tags:qa
      This allows adding a privilege only on VMs tagged qa.

      What makes this mechanism powerful is its dynamic nature. Selectors are evaluated in real time.
      If a user is subscribed to VM changes and the qa tag is added to an existing VM, and that user has a read privilege, he will see that VM appear as a new object — the user will receive an add event, not an update. Conversely, if the tag is removed, he will receive a remove event: the VM disappears from his scope.

      Events are always from the user's perspective, not XOA's. For XOA, it is a simple tag update. For the ACL user, it is an object entering or leaving their scope.

      This enables very practical use cases: a single tag is enough to grant or revoke access to a resource, without touching roles or privileges at all.

      Assigning Roles to Users and Groups

      A role can be attached to a user or a group. A user's effective roles are the union of their direct roles and those of their groups.

      REST API integration

      All endpoints are exposed through the REST API:

      • GET/POST /acl-roles β€” list and create roles
      • PUT/DELETE /acl-roles/{id}/users/{userId} β€” attach/detach a role to a user
      • PUT/DELETE /acl-roles/{id}/groups/{groupId} β€” attach/detach a role to a group
      • GET/POST /acl-privileges β€” list and create role's privileges
      • POST /acl-roles/{id}/actions/copy β€” copy a role

      Each REST API endpoint declares the required privileges to access it via the swagger UI. If an endpoint declares none, it is admin-only.

      A concrete example

      Alice is a member of the QA team. She needs to be able to start and stop VMs in her test environment, but must not touch anything in production.

      With ACL v2:

      1. Create a QA Operator role with the following privileges:
        • {resource: 'vm', action: 'read', effect: 'allow', selector: 'tags:qa'}
        • {resource: 'vm', action: 'start', effect: 'allow', selector: 'tags:qa'}
        • {resource: 'vm', action: 'stop', effect: 'allow', selector: 'tags:qa'}
      2. Attach this role to Alice (or her group)

      That's it. Alice cannot touch production VMs, and any attempt is blocked with an explicit error.

      Another concrete example

      Bob is allowed to rename VMs, but only while they are running — to prevent renaming VMs that are off and might be part of an automated process.

      With ACL v2:

      1. Create a Running VM Renamer role with the following privileges:
        • {resource: 'vm', action: 'read', effect: 'allow', selector: 'power_state:Running'}
        • {resource: 'vm', action: 'update:name_label', effect: 'allow', selector: 'power_state:Running'}
      2. Attach this role to Bob

      Bob can rename and see any running VM.

      One last example

      Carol can see all VMs in the infrastructure, except those tagged prod.

      With ACL v2:

      1. Create a Non-Prod VM Reader role with two privileges:
        • {resource: 'vm', action: 'read', effect: 'allow'} (no selector: grants read access to all VMs)
        • {resource: 'vm', action: 'read', effect: 'deny', selector: 'tags:prod'} (explicitly denies access to production VMs)
      2. Attach this role to Carol

      Since deny always takes precedence over allow, Carol can browse the full VM list — except production VMs, which are completely invisible to her.

      List of possible actions (by resource)

      {
        update: {
          name_label:true,
          name_description:true,
          ...
        }
      } 
      

      is translated into -> update:name_label, update:name_description, ...

      Please note that ACL v2 is currently only accessible via the REST API. Support in the XO6 user interface will be available later.

      posted in Xen Orchestra
      MathieuRAM
      MathieuRA
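      The evaluation rules described in the post above (hierarchical actions, deny over allow, selectors, union of user and group roles, add/remove events from the user's perspective, and the nested action tree translated into colon-separated names), as an added example that is not Xen Orchestra's own code. The role, user, group and VM records are constructed, the function names are my own, and the selector matcher is a simplified `key:value` / `a:b:value` stand-in for the complex-matcher format, not the real library.

```javascript
// Added example, not Xen Orchestra's own code: a minimal model of the ACL v2 rules
// described in the post. All function names and sample records below are constructed.

// Hierarchical actions: granting "shutdown" covers "shutdown:clean" and "shutdown:hard",
// but granting "shutdown:clean" does not cover "shutdown" as a whole.
function actionCovers(granted, requested) {
  return granted === requested || requested.startsWith(granted + ':')
}

// Simplified stand-in for the complex-matcher selector format (assumption, not the real
// library): "tags:qa" means property `tags` equals or contains "qa"; "creation:user:<id>"
// walks nested properties creation.user. An absent selector matches every object.
function selectorMatches(selector, object) {
  if (selector === undefined) return true
  const parts = selector.split(':')
  const value = parts.pop()
  let current = object
  for (const key of parts) {
    if (current === null || typeof current !== 'object') return false
    current = current[key]
  }
  return Array.isArray(current) ? current.includes(value) : String(current) === value
}

// A user's effective roles are the union of direct roles and the roles of their groups.
function effectiveRoles(user, groups, roles) {
  const ids = new Set(user.roles)
  groups.filter(g => g.members.includes(user.id)).forEach(g => g.roles.forEach(id => ids.add(id)))
  return [...ids].map(id => roles[id])
}

// Evaluated at request time: deny always wins; no matching privilege at all means denied.
function canPerform(user, groups, roles, resource, action, object) {
  let allowed = false
  for (const role of effectiveRoles(user, groups, roles)) {
    for (const p of role.privileges) {
      if (p.resource !== resource || !actionCovers(p.action, action)) continue
      if (!selectorMatches(p.selector, object)) continue
      if (p.effect === 'deny') return false
      allowed = true
    }
  }
  return allowed
}

// The objects a user currently sees for an action (what a `read` listing would return).
function scope(user, groups, roles, resource, action, objects) {
  return objects.filter(o => canPerform(user, groups, roles, resource, action, o)).map(o => o.id)
}

// Events from the user's perspective: an object entering scope is an `add`, leaving it a
// `remove`, even though for XOA the underlying change was only a tag update.
function scopeEvents(before, after) {
  return { add: after.filter(id => !before.includes(id)), remove: before.filter(id => !after.includes(id)) }
}

// Translate the nested action tree into colon-separated action names (leaves only).
function flattenActions(tree, prefix = '') {
  const names = []
  for (const [key, sub] of Object.entries(tree)) {
    const name = prefix === '' ? key : `${prefix}:${key}`
    if (sub === true) names.push(name)
    else names.push(...flattenActions(sub, name))
  }
  return names
}

// Constructed sample data mirroring the Alice and Carol examples from the post.
const roles = {
  'qa-operator': { privileges: [
    { resource: 'vm', action: 'read', effect: 'allow', selector: 'tags:qa' },
    { resource: 'vm', action: 'start', effect: 'allow', selector: 'tags:qa' },
    { resource: 'vm', action: 'stop', effect: 'allow', selector: 'tags:qa' },
  ] },
  'non-prod-reader': { privileges: [
    { resource: 'vm', action: 'read', effect: 'allow' },
    { resource: 'vm', action: 'read', effect: 'deny', selector: 'tags:prod' },
  ] },
}
const groups = [{ id: 'qa-team', members: ['alice'], roles: ['qa-operator'] }]
const alice = { id: 'alice', roles: [] } // gets QA Operator through her group
const carol = { id: 'carol', roles: ['non-prod-reader'] }
const vms = [
  { id: 'vm-qa-1', tags: ['qa'], power_state: 'Running' },
  { id: 'vm-prod-1', tags: ['prod'], power_state: 'Running' },
  { id: 'vm-misc', tags: [], power_state: 'Halted' },
]

function demo() {
  const before = scope(alice, groups, roles, 'vm', 'read', vms)
  // Tagging vm-misc with `qa` later: a plain tag update for XOA, an `add` event for Alice.
  const retagged = vms.map(vm => (vm.id === 'vm-misc' ? { ...vm, tags: ['qa'] } : vm))
  const after = scope(alice, groups, roles, 'vm', 'read', retagged)
  return {
    aliceStartsQa: canPerform(alice, groups, roles, 'vm', 'start', vms[0]),
    aliceStartsProd: canPerform(alice, groups, roles, 'vm', 'start', vms[1]),
    carolSees: scope(carol, groups, roles, 'vm', 'read', vms),
    aliceEvents: scopeEvents(before, after),
  }
}
```

      Running `demo()` shows Alice starting a qa VM but not a prod one, Carol listing every VM except the prod-tagged one, and the retagged VM surfacing for Alice as an `add` rather than an `update`. The privilege loop returns on the first matching deny, which is what makes the Carol example work regardless of the order in which privileges were created.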
    • RE: REQUEST: Add PATCH /vms/{id} for updating VM properties (name_description, name_label)

      Hi, @14wkinnersley
      We merged the PATCH /vms/:id endpoint onto the master branch

      posted in REST API
    • RE: Start backup for one single vm

      I will create a card for this feature request to discuss with the whole XO team. I will keep you updated here

      posted in Backup
    • RE: Can't delete disconnected server in settings

      Hi @Andrew.
      This PR should fix your issue https://github.com/vatesfr/xen-orchestra/pull/8854

      PR #8854 (closed) in vatesfr/xen-orchestra: fix(xo-server): fix incorrect state when remove server

      posted in Management
    • RE: vm-templates query param support

      Hi @irtaza9
      You have a typo in your vm-templates URL.
      fields instead of field

      posted in REST API
    • RE: User specific data

      Hi @irtaza9
      FYI, for about 2 years, VMs expose a creation field:

      "creation": {
          "date": string,
          "template": string,
          "user": string
        },
      

      With this you can filter VMs by creation.user to list only VMs created by a user.
      /rest/v0/vms?filter=creation:user:<user-id>

      posted in REST API
    • RE: REQUEST: Add PATCH /vms/{id} for updating VM properties (name_description, name_label)

      Hi, @14wkinnersley .
      That's something in our backlog but not yet planned.
      ping @gregoire, card XO-2204

      posted in REST API
    • RE: 2CRSI BIOS update not available

      Hi.
      The IPMI plugin is only used to display hardware information if you are using mona_1.44gg.

      To display if a BIOS update is available, we mainly fetch this endpoint: https://pictures.2cr.si/Images_site_web_Odoo/Pages_produit/VATES-BIOS_BMC_last-version.json

      Does your host have access to this endpoint?
      What is the output of xo-cli host.getBiosInfo id=<host-id>

      posted in Xen Orchestra
    • RE: Increasing the disk size of vmguest without shutting down

      Hi,
      Since XO is a client, I don't think it's a good idea to have this kind of feature. In this case, a VM could be restarted from sources other than XO, and would not apply the new VDI size.

      However, I believe we can handle this situation by implementing a modal that appears when editing the VDI size of a running VM. This modal can offer the option to restart the VM immediately and apply the changes. In my opinion, removing the "pending" state will prevent confusion

      posted in Xen Orchestra
    • RE: 🛰️ XO 6: dedicated thread for all your feedback!

      @acebmxer It also works on your XOA.

      Thank you both for your availability for testing. I will see with the XO team when to release a fix.

      We apologize for any inconvenience

      posted in Xen Orchestra

    Latest posts made by MathieuRA

    • RE: REST API create_vm returns task URL that doesn't exist?

      Hi @DevFlint,
      tasks are now correctly visible in the swagger documentation

      posted in REST API
    • RE: How to revert VM to snapshot

      Hi @slavavrn,
      FYI, it's now possible to revert a snapshot via the REST API.
      POST /vms/:id/actions/revert_snapshot
      And the body of the endpoint:

      {
        "snapshotId": <snapshot-id>,
        "snapshotBefore": boolean (optional)
      }

      posted in REST API
    • RE: Tag-Based Automation Plugin: Tag-Based VM Performance & Permission Management via assigned tag(s)

      Hi @johnnezero and thanks for the post!

      Just wanted to talk about PERMISSION SYNC.

      In the REST API the "permission sync" pattern is actually handled natively by the RBAC system using selectors.

      For example, if you want a role that allows a user to manage VM power state only for VMs tagged dev:

      • Start from the built-in role template “VMs power state manager” (just to speed up role creation, but totally optional)
      • Create or customize a role with the required VM power privileges (read, start, stop, reboot, etc.)
      • Scope each privilege using a selector like:
        tags:dev
      • Then assign the role to your user or group

      Once done, the access is fully dynamic:

      • Any VM with the dev tag is included in the scope
      • Removing the tag immediately revokes access
      • Adding the tag grants access instantly
      • No need to maintain per-VM ACL entries

      The key point is that RBAC evaluates privileges at request time based on selectors.
      You can also base selectors on other VM properties, not only tags (for example power state, name patterns ...).

      You can find the doc here
      and a dedicated forum thread here

      PS: For the moment the XO6 UI does not support the RBAC system, but we are working on it 🙂

      posted in Management
    • RE: XCP-ng 8.3 updates announcements and testing

      Hi @rzr,
      When you say, "XO still showed host 2 needing patching", does that mean XO is still showing missing patches?

      If so, can you run the following command: xe host-call-plugin host-uuid=<uuid-host2> plugin=updater.py fn=check_update

      posted in News
    • RE: hosts stats rest api

      Hi @r0123456789,

      GET /rest/v0/hosts/:id/stats is available in the REST API

      posted in REST API
    • RE: REST API token generation via curl

      Hi @dan89,
      It is possible to create an authentication_token using the REST API.

      POST /rest/v0/users/me/authentication_tokens

      posted in REST API
    • RE: Token access level

      Hi @Steve_Sibilia,
      FYI, ACL V2 / RBAC is now available in the REST API.

      You can see the RBAC doc.
      A dedicated thread is available on the forum thread, please feel free to share your feedback.

      Thank you.

      posted in REST API
    • RE: API authentication token permissions

      Hi @halvor,
      FYI, ACL V2 / RBAC is now available in the REST API.

      You can create a privilege that only gives you read privilege on your host.
      You can see the RBAC doc.
      A dedicated thread is available on the forum thread, please feel free to share your feedback.

      Thank you.

      posted in REST API
    • RE: VIF via REST API?

      Hi @jedimarcus,
      FYI, VIF creation is possible via the REST API POST /rest/v0/vifs

      posted in REST API