On 01/03/2012 03:35 PM, Jim Fehlig wrote:
> I previously mentioned [1] a PolicyKit issue where libvirt would
> proceed with authentication even though polkit-auth failed:
>
> testusr xen134:~> virsh list --all
> Attempting to obtain authorization for org.libvirt.unix.manage.
> polkit-grant-helper: given auth type (8 -> yes) is bogus
> Failed to obtain authorization for org.libvirt.unix.manage.
>  Id Name                 State
> ----------------------------------
>   0 Domain-0             running
>   - sles11sp1-pv         shut off
>
> AFAICT, libvirt attempts to obtain a privilege it already has,
> causing polkit-auth to fail with the above message. Instead of calling
> obtain and then checking auth, IMO the workflow should be for the
> server to check auth first, and if that fails ask the client to
> obtain it and check again. This workflow also allows for checking
> only successful exit of polkit-auth in virConnectAuthGainPolkit().
>
> [1]
> https://www.redhat.com/archives/libvir-list/2011-December/msg00837.html
> ---
>  src/libvirt.c              |    2 +-
>  src/remote/remote_driver.c |   11 +++++++++++
>  2 files changed, 12 insertions(+), 1 deletions(-)

This looks reasonable to me, but I'd like a second opinion from someone
more familiar with the PolicyKit code before you push anything (that
would probably be DV or danpb). If they agree, then I think it can go
in 0.9.9.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org