On Wed, Aug 08, 2007 at 05:22:33AM +0100, Daniel P. Berrange wrote:
> UNIX domain sockets already provide a way for each end to identify the PID
> and UID of the other end. This enables the libvirt daemon to determine the
> identity of the application on the other end. With this information the
> daemon merely needs to check this identity against some access control policy
> rules. Where to get/define these rules though?
>
> Enter PolicyKit.
>
> http://lists.freedesktop.org/archives/hal/2006-March/004770.html
> http://lists.freedesktop.org/archives/hal/2007-June/008815.html
This is entirely new to me, but I suspect this doesn't have any Solaris
integration support (yet? I'm asking around about this).
Nonetheless the basic concept (allow all access, authenticate the peer's
credentials against some kind of database) translates well on Solaris.
> - libvirtd defines two actions it can check called 'libvirt-local-monitor'
>   (read only monitoring of state), and 'libvirt-local-manage' (full
>   read-write management).
Good... but I think we need to consider true delegation as well, that
is, allowing a certain credential to control only one named object. At
least we need to make sure that's possible in the future without
breaking anything here.
> - libvirtd uses SO_PEERCRED to get the PID of the client
Solaris doesn't have this, but it has the more powerful getpeerucred():
http://docs.sun.com/app/docs/doc/819-2243/6n4i09924?a=view
http://docs.sun.com/app/docs/doc/819-2243/6n4i099nf?a=view
Typically, we would then compare either the process's privilege set or
the user id. Privileges will likely have to come later but the user ID
will translate directly into RBAC:
http://www.samag.com/documents/s=7667/sam0213c/0213c.htm
Now, it may be the case that we can fit into the Policy Kit framework
and that work is ongoing, which would make things simple from libvirt's
point of view (only need to replace SO_PEERCRED by getpeerucred for
now). I will endeavour to find out for you...
regards
john
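The peer-identification step the thread discusses (daemon asks the kernel for the PID/UID/GID of the client on a UNIX domain socket, then checks it against the two proposed actions), as an added example that is not libvirt's code and not from either poster. It uses Linux SO_PEERCRED; the getpeerucred() path John mentions for Solaris is noted in a comment but not implemented. The `struct policy` (one uid that may manage, one gid that may monitor) is a constructed stand-in for whatever rule store ends up being used, and `demo_check`/`peer_identity_matches_self` are hypothetical helpers that exercise the check over a socketpair so it runs without a real daemon.

```c
#define _GNU_SOURCE            /* needed for struct ucred on glibc */
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdio.h>

/* The two actions proposed in the thread. */
enum action { ACTION_MONITOR = 0, ACTION_MANAGE = 1 };

/* Peer identity as reported by the kernel for a connected AF_UNIX socket. */
struct peer_identity { pid_t pid; uid_t uid; gid_t gid; };

/* Constructed policy: one uid that may manage, one gid that may monitor.
 * Placeholder for a real rule store (PolicyKit, Solaris RBAC); not libvirt's. */
struct policy { uid_t manage_uid; gid_t monitor_gid; };

/* Ask the kernel who is on the other end of fd (Linux SO_PEERCRED).
 * The kernel fills this in itself, so the client cannot forge it.
 * On Solaris the equivalent is getpeerucred()/ucred_geteuid() (not shown).
 * Returns 0 on success, -1 on error. */
int get_peer_identity(int fd, struct peer_identity *out)
{
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0)
        return -1;
    out->pid = cr.pid;
    out->uid = cr.uid;   /* effective uid of the peer at connect time */
    out->gid = cr.gid;   /* effective gid of the peer at connect time */
    return 0;
}

/* Evaluate the policy: manage implies monitor, deny by default.
 * Returns 1 to allow, 0 to deny. */
int is_allowed(const struct policy *p, const struct peer_identity *id, enum action a)
{
    if (id->uid == p->manage_uid)
        return 1;                       /* manager may do both actions */
    if (a == ACTION_MONITOR && id->gid == p->monitor_gid)
        return 1;
    return 0;
}

/* Hypothetical stand-in for the daemon's accept path: build a connected
 * AF_UNIX pair, identify the peer on the "server" end, evaluate the action.
 * Returns 1 allow, 0 deny, -1 on error. */
int demo_check(uid_t manage_uid, gid_t monitor_gid, enum action a)
{
    int sv[2];
    struct peer_identity id;
    struct policy p = { manage_uid, monitor_gid };
    int result;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    result = (get_peer_identity(sv[0], &id) == 0) ? is_allowed(&p, &id, a) : -1;
    close(sv[0]);
    close(sv[1]);
    return result;
}

/* Sanity check: on a socketpair the peer is this very process.
 * Returns 1 if the kernel-reported identity matches, 0 otherwise. */
int peer_identity_matches_self(void)
{
    int sv[2];
    struct peer_identity id;
    int ok = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    if (get_peer_identity(sv[1], &id) == 0)
        ok = id.pid == getpid() && id.uid == geteuid() && id.gid == getegid();
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    int sv[2];
    struct peer_identity id;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { perror("socketpair"); return 1; }
    if (get_peer_identity(sv[0], &id) < 0)           { perror("SO_PEERCRED"); return 1; }
    printf("peer pid=%ld uid=%ld gid=%ld\n", (long)id.pid, (long)id.uid, (long)id.gid);
    printf("manage as own uid: %d, monitor with a foreign gid: %d\n",
           demo_check(geteuid(), getegid(), ACTION_MANAGE),
           demo_check(geteuid() + 1, getegid() + 1, ACTION_MONITOR));
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

The point to keep in mind for the delegation case raised above: SO_PEERCRED only tells the daemon who connected, so per-object rules (one credential controlling one named object) have to be expressed on the policy side, with the object name as an extra input to `is_allowed`; the identity lookup itself does not change.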