How to create a environment where each user's vm is isolated

Thanks to libvirt's PolicyKit support, I believe this can be done, based on how much features you require.

The rules can be created by you and accessed by PolicyKit ACLs as a database (file, server, etc.) to get the information about the owners. Also, if the PolicyKit rule has write access to the database, you can assign VMs to their respective owners when they get created, hence creating that database automatically. It might not be foolproof (e.g. when the VM definition fails the database will already have that record), so some more hooks might be necessary, based on how much functionality you are looking for. That's why there are projects building on top of libvirt (or just scripts deployed by admins) that can have more functionality.

If a simpler thing is enough for you, then you can say that users can call APIs only on VMs that start with their username. Just make sure corner cases are covered (e.g. user "bla" cannot access user's "blabla" machines).

As said, based on how much functionality you need, it can be either done easily, or with few lines of a script or you might need a full blown virtualisation system sitting on top of libvirt.

One more thing that nobody mentioned (and it might be what you want/are looking for). If you (as a non-root user) connect to qemu:///session (instead of system, see Connections to QEMU driver) you will connect to your own instance of libvirt daemon and you will only see your own machines (in other words, it will be isolated from other user's session daemons).

Well, just like advertised in the article you link, libvirt does support PolicyKit on per API basis (we call it ACL). So if you set up some polkit rules, you should be able to get what you want. For instance, domain X would be visible just to user Y. Unfortunately, I don't think it's possible to make those rules dynamic (I mean, if an user creates a domain it will be visible just to them).

Unless you want to write your own wrapper/management system, you simply need something more than just libvirt, to manage access and VM to user relationships. oVirt/RHV have that out of the box, even with a special user portal where a logged in user can only see the VMs that belong to him. I'm pretty sure other virtualization management systems also have this capability

This file as polkit rule

function myFunction(username, virtualmachine) {
var arr = virtualmachine.split("*");
if(arr[0]==username){
    return true;
    }
else{
    return false;
   }
}
// Allow passwordless connection to qemu:///system
polkit.addRule(function(action, subject) {
  if (action.id == "org.libvirt.unix.manage")
   {
        return polkit.Result.YES;
        }
    });
// Give full access to 'vm'
polkit.addRule(function(action, subject) {
if (action.id.indexOf("org.libvirt.api.domain.") == 0 ) {
      if (action.lookup("connect_driver") == 'QEMU' &&  myFunction(subject.user, action.lookup("domain_name"))) {
            polkit.log("vm=" + action.lookup("domain_name") + "action =>"+myFunction(subject.user, action.lookup("domain_name")));
            polkit.log("subject=" + subject);
            polkit.log("ok");
        return polkit.Result.YES;
      } else {
        return polkit.Result.NO;
      }
      }
});

here the vm in the format

username*vmname

this vm is only accessible for the corresponding user

PS this is only primitive rule that is you can't create a new pool or modify it ,etc., therefore furthure development of rule is required