On 01/03/2012 03:35 PM, Jim Fehlig wrote:
I previously mentioned [1] a PolicyKit issue where libvirt would proceed with authentication even though polkit-auth failed:
testusr xen134:~> virsh list --all Attempting to obtain authorization for org.libvirt.unix.manage. polkit-grant-helper: given auth type (8 -> yes) is bogus Failed to obtain authorization for org.libvirt.unix.manage. Id Name State ---------------------------------- 0 Domain-0 running - sles11sp1-pv shut off
AFAICT, libvirt attempts to obtain a privilege it already has, causing polkit-auth to fail with above message. Instead of calling obtain and then checking auth, IMO the workflow should be for the server to check auth first, and if that fails ask the client to obtain it and check again. This workflow also allows for checking only successful exit of polkit-auth in virConnectAuthGainPolkit().
[1] https://www.redhat.com/archives/libvir-list/2011-December/msg00837.html --- src/libvirt.c | 2 +- src/remote/remote_driver.c | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletions(-)
This looks reasonable to me, but I'd like a second opinion from someone more familiar with the PolicyKit code before you push anything (that would probably be DV or danpb). If they agree, then I think it can go in 0.9.9. -- Eric Blake eblake@redhat.com +1-919-301-3266 Libvirt virtualization library http://libvirt.org