On Wed, Nov 17, 2010 at 10:53:56PM -0700, Jim Fehlig wrote:
I'm trying to debug a PolicyKit auth issue in libvirt and looking for
some suggestions.
Server has the following policy for user ski52 in /etc/PolicyKit/PolicyKit.conf:
<match action="org.libvirt.unix.manage">
<match user="ski52">
<return result="auth_self_keep_always"/>
</match>
</match>
I can authenticate via polkit when logged directly into server via ssh as ski52
ski52@vhost52:~> virsh -c qemu:///system list
Attempting to obtain authorization for org.libvirt.unix.manage.
Authentication is required.
Password:
Successfully obtained the authorization for org.libvirt.unix.manage.
Id Name State
----------------------------------
33 vm1 running
But when using qemu+ssh remotely
ski53@vhost53:~> virsh -c qemu+ssh://ski52@vhost52/system list
Attempting to obtain authorization for org.libvirt.unix.manage.
Authentication as an administrative user is required.
Password:
polkit-grant-helper-pam: pam_authenticated failed: Authentication failure
Failed to obtain authorization for org.libvirt.unix.manage.
error: authentication failed
error: failed to connect to the hypervisor
AFAICT by tracing with gdb, the client calls polkit-auth *locally* when
authentication is needed, instead of invoking polkit-auth on the
server. This backtrace from gdb on the client machine shows
'polkit-auth --obtain' being called locally from virConnectAuthGainPolkit()
#0 virConnectAuthGainPolkit (privilege=0x7ffff7b8b3ba "org.libvirt.unix.manage") at libvirt.c:111
#1 0x00007ffff7a912a3 in virConnectAuthCallbackDefault (cred=0x7fffffffdd20, ncred=1, cbdata=0x0) at libvirt.c:149
#2 0x00007ffff7ac367f in remoteAuthPolkit (conn=0x63ec10, priv=0x7ffff7e25010, in_open=1, auth=0x7ffff7dc9bc0) at remote/remote_driver.c:7431
#3 0x00007ffff7ac1d8d in remoteAuthenticate (conn=0x63ec10, priv=0x7ffff7e25010, in_open=1, auth=0x7ffff7dc9bc0, authtype=0x0) at remote/remote_driver.c:6864
#4 0x00007ffff7ab5936 in doRemoteOpen (conn=0x63ec10, priv=0x7ffff7e25010, auth=0x7ffff7dc9bc0, flags=0) at remote/remote_driver.c:854
..
Has anyone else observed such behavior? Any hints on how to forward the
polkit-auth call to the server? Both client and server are libvirt
0.8.5 btw.
You basically can't use policy kit remotely. Its architecture only allows
for local authentication. Since you're seeing 'polkit-auth' being run
by libvirt.so, you must be using the first version of policykit. In the
second version, libvirt doesn't even get to run 'polkit-auth' itself.
The policykit daemon triggers the authentication client via a side-channel,
typically DBus. This just can't work remotely.
We do short-circuit this when logging in as root, so that root is always
allowed, so e.g. qemu+ssh://root@hostname/system should avoid policykit auth
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
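The diagnosis above (the client evaluates PolicyKit locally, so the server's PolicyKit.conf rule for ski52 never comes into play) can be checked by evaluating the same action against both hosts' configuration files. The following Python is an added example, not libvirt or PolicyKit code: it models PolicyKit 0.9's PolicyKit.conf matching in simplified form (nested <match> elements narrow a rule, the first <return> reached wins) and assumes a <config> root element around the snippet from the post, a stock empty PolicyKit.conf on the client, and auth_admin_keep_session as the action's default result from its .policy file.

```python
import xml.etree.ElementTree as ET

# Constructed: the server-side rule from the post, wrapped in the <config>
# root element that PolicyKit 0.9 expects (assumption: omitted in the post).
SERVER_CONF = """<config version="0.1">
  <match action="org.libvirt.unix.manage">
    <match user="ski52">
      <return result="auth_self_keep_always"/>
    </match>
  </match>
</config>"""

# Constructed: the client machine ships a stock PolicyKit.conf with no rules.
CLIENT_CONF = '<config version="0.1"/>'

# Assumption: default result for org.libvirt.unix.manage from its .policy file;
# any auth_admin* result produces the "administrative user" prompt seen remotely.
ACTION_DEFAULT = "auth_admin_keep_session"


def _matches(elem, action, user):
    """A <match> applies only when every attribute it carries matches."""
    for attr, value in (("action", action), ("user", user)):
        want = elem.get(attr)
        if want is not None and want != value:
            return False
    return True


def _walk(elem, action, user):
    """Depth-first walk in document order; first <return> on a matching path wins."""
    for child in elem:
        if child.tag == "return":
            return child.get("result")
        if child.tag == "match" and _matches(child, action, user):
            found = _walk(child, action, user)
            if found is not None:
                return found
    return None


def evaluate(conf_xml, action, user, default=ACTION_DEFAULT):
    """Return the auth result PolicyKit.conf yields for (action, user)."""
    found = _walk(ET.fromstring(conf_xml), action, user)
    return found if found is not None else default


def compare_hosts(action, user):
    """Show what each host would decide for the same action and user."""
    return {"server (vhost52)": evaluate(SERVER_CONF, action, user),
            "client (vhost53)": evaluate(CLIENT_CONF, action, user)}


if __name__ == "__main__":
    for host, result in compare_hosts("org.libvirt.unix.manage", "ski52").items():
        print(f"{host}: {result}")
```

The server's rule only matters if PolicyKit runs on the server; when the client runs polkit-auth locally it sees its own (empty) configuration and falls back to the admin default, which is the prompt difference visible in the two virsh sessions.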