On Mon, Feb 20, 2023 at 06:12:53PM +0100, Peter Krempa wrote:
On Mon, Feb 20, 2023 at 17:09:18 +0000, Daniel P. Berrangé wrote:
On Mon, Feb 20, 2023 at 11:47:09AM +0100, Peter Krempa wrote:
The example gives the user authorized to work with the domain permission to open the graphics socket. Since the graphics socket may be protected with a password it makes sense to grant the user the 'domain.read-secure' permission to fetch the password for the graphics object.
This also goes along with e.g. 'domain.send-input' and 'domain.screenshot' as they'll allow the user to interact with the domain even if they didn't have the password.
The password isn't required, as you can use virDomainOpenGraphics to connect when its a local display, and that's allowed via the domain.open-graphics permission. virt-viewer at least will use
So in such case authentication is not needed? e.g. if you setup a password regardles of that?
Yes, if VIR_DOMAIN_OPEN_GRAPHICS_SKIPAUTH is set as a flag. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|