[libvirt] Proposed libguestfs API for implementing libvirt virConnectOpenAuth

As in the example code below.

static void
do_auth (guestfs_h *g,
         void *opaque,
         uint64_t event,
         int event_handle,
         int flags,
         const char *buf, size_t buf_len,
         const uint64_t *array, size_t array_len)
{
  char **creds;
  size_t i;
  char *prompt;
  char *reply;
  size_t replylen;

  // buf will be the libvirt URI.  It is always \0-terminated so
  // buf_len can be ignored in this case.
  printf ("Authentication required for libvirt connection '%s'\n", buf);

  // Ask libguestfs what credentials libvirt is demanding.
  creds = guestfs_get_libvirt_requested_credentials (g);

  // Now ask the user for answers.
  for (i = 0; creds[i] != NULL; ++i)
    {
      if (strcmp (creds[i], "authname") == 0 ||
          strcmp (creds[i], "passphrase") == 0)
        {
          prompt = guestfs_get_libvirt_requested_credential_prompt (g, i);
          printf ("%s: ", prompt);
          free (prompt);

          // ...
          // Input from user is in 'reply', length 'replylen' (bytes).

          guestfs_set_libvirt_requested_credential (g, i, reply, replylen);
        }

      free (creds[i]);
    }

  free (creds);

  // On return from this function (libguestfs event), the libvirt
  // event returns too.
}

// ...

{
  guestfs_h *g;
  char *creds[] = { "authname", "passphrase", NULL };

  g = guestfs_create ();

  guestfs_set_libvirt_supported_credentials (g, creds);
  guestfs_set_event_callback (g, do_auth, GUESTFS_EVENT_LIBVIRT_AUTH, 0, NULL);

  // An example of a function that would open a libvirt connection:
  guestfs_add_domain (g, "dom",
                      GUESTFS_ADD_DOMAIN_LIBVIRTURI, "qemu:///system",
                      -1);
}

----------------------------------------------------------------------

By the way, some of the virt tools can open multiple connections to libvirt, and it is architecturally hard to change this:

https://www.redhat.com/archives/libguestfs/2012-October/msg00065.html

Does libvirt (or policy kit?) provide any mechanism for caching these credentials within the same process, so that we don't have to provide the same creds back to libvirt for multiple connections?

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any software inside the virtual machine. Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/

I forgot to CC this list on the patch that implements this. It is here:

https://www.redhat.com/archives/libguestfs/2012-October/msg00070.html

Rich.

On 10/13/2012 05:31 AM, Richard W.M. Jones wrote:
Does libvirt (or policy kit?) provide any mechanism for caching these credentials within the same process, so that we don't have to provide the same creds back to libvirt for multiple connections?
Yeah, that's the 'keep' in 'auth_admin_keep' in libvirt's policykit rules:

http://libvirt.org/git/?p=libvirt.git;a=blob;f=daemon/libvirtd.policy.in

But libvirt only enables it for local, active sessions, which doesn't include SSH logins for example. libvirt should s/auth_admin/auth_admin_keep/g

- Cole

On Sun, Oct 14, 2012 at 07:44:44PM -0400, Cole Robinson wrote:
On 10/13/2012 05:31 AM, Richard W.M. Jones wrote:
Does libvirt (or policy kit?) provide any mechanism for caching these credentials within the same process, so that we don't have to provide the same creds back to libvirt for multiple connections?
Yeah, that's the 'keep' in 'auth_admin_keep' in libvirt's policykit rules:
http://libvirt.org/git/?p=libvirt.git;a=blob;f=daemon/libvirtd.policy.in
But libvirt only enables it for local, active sessions, which doesn't include SSH logins for example. libvirt should s/auth_admin/auth_admin_keep/g
So if I understand correctly, how about this patch?

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top

On 10/15/2012 04:01 AM, Richard W.M. Jones wrote:
From 9eea45e80ad80283f1a89f792bcf0c174818f4a2 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" <rjones@redhat.com> Date: Mon, 15 Oct 2012 09:01:13 +0100 Subject: [PATCH] daemon: Make the default PolicyKit policy auth_admin_keep.
--- daemon/libvirtd.policy.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/daemon/libvirtd.policy.in b/daemon/libvirtd.policy.in index 000c17e..df42e5f 100644 --- a/daemon/libvirtd.policy.in +++ b/daemon/libvirtd.policy.in @@ -31,8 +31,8 @@ version 2. See COPYING for details. <defaults> <!-- Any program can use libvirt in read/write mode if they provide the root password --> - <allow_any>auth_admin</allow_any> - <allow_inactive>auth_admin</allow_inactive> + <allow_any>@authaction@</allow_any> + <allow_inactive>@authaction@</allow_inactive> <allow_active>@authaction@</allow_active> </defaults> </action>
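Review bot: In the <defaults> block, <allow_any> and <allow_inactive> are switched to the @authaction@ substitution rather than a literal value, so the subject line's claim that the default becomes auth_admin_keep depends on what the build substitutes for @authaction@, which the hunk does not show. Consider either writing auth_admin_keep literally for these two elements or stating in the commit message what @authaction@ expands to, since the change ties the any/inactive defaults to whatever is configured for <allow_active>. The unchanged comment above the elements still only says "if they provide the root password"; it should mention that the authorization is now retained for non-active sessions as well, and the commit message, which has no body, would benefit from a sentence on why that is acceptable for read/write access.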
ACK - Cole

On Mon, Oct 15, 2012 at 11:23:04AM -0400, Cole Robinson wrote:
On 10/15/2012 04:01 AM, Richard W.M. Jones wrote:
From 9eea45e80ad80283f1a89f792bcf0c174818f4a2 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" <rjones@redhat.com> Date: Mon, 15 Oct 2012 09:01:13 +0100 Subject: [PATCH] daemon: Make the default PolicyKit policy auth_admin_keep.
--- daemon/libvirtd.policy.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/daemon/libvirtd.policy.in b/daemon/libvirtd.policy.in index 000c17e..df42e5f 100644 --- a/daemon/libvirtd.policy.in +++ b/daemon/libvirtd.policy.in @@ -31,8 +31,8 @@ version 2. See COPYING for details. <defaults> <!-- Any program can use libvirt in read/write mode if they provide the root password --> - <allow_any>auth_admin</allow_any> - <allow_inactive>auth_admin</allow_inactive> + <allow_any>@authaction@</allow_any> + <allow_inactive>@authaction@</allow_inactive> <allow_active>@authaction@</allow_active> </defaults> </action>
ACK
While this patch does what Rich intends it to do, I'm a little wary of changing this, since this is a security relevant setting.

Looking at the rules on my F17 box, there is a fair mix of different triples used by apps. Some have (no, no, auth_admin_keep), some have (auth_admin, auth_admin, auth_admin_keep) and others have (auth_admin_keep, auth_admin_keep, auth_admin_keep). The actions that give broader / more serious access seem to have a slight bias against using the _keep variant for any/inactive.

I don't have a good answer here, but I think we should seek guidance on this before changing our defaults.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
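The comparison of triples described in the message above can be repeated on any machine. The following is an added example, not part of the thread or of libvirt: it tallies the (allow_any, allow_inactive, allow_active) defaults in polkit policy XML and flags actions that offer a _keep value to any or inactive sessions. The embedded policy and its org.example.* action ids are constructed, and the function names are this example's own.

```python
"""Tally polkit <defaults> triples and flag *_keep outside active sessions."""
import glob
import xml.etree.ElementTree as ET
from collections import Counter

FIELDS = ("allow_any", "allow_inactive", "allow_active")
KEEP = {"auth_self_keep", "auth_admin_keep"}  # values that cache the authorization

# Constructed sample (made-up action ids) with the three triples from the thread.
SAMPLE_POLICY = """<policyconfig>
 <action id="org.example.strict"><defaults><allow_any>no</allow_any>
  <allow_inactive>no</allow_inactive>
  <allow_active>auth_admin_keep</allow_active></defaults></action>
 <action id="org.example.mixed"><defaults><allow_any>auth_admin</allow_any>
  <allow_inactive>auth_admin</allow_inactive>
  <allow_active>auth_admin_keep</allow_active></defaults></action>
 <action id="org.example.keepall"><defaults><allow_any>auth_admin_keep</allow_any>
  <allow_inactive>auth_admin_keep</allow_inactive>
  <allow_active>auth_admin_keep</allow_active></defaults></action>
</policyconfig>"""

def triples(policy_xml):
    """Map each action id to its (allow_any, allow_inactive, allow_active)."""
    out = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        # "unset" is this script's own marker for an omitted element.
        out[action.get("id")] = tuple(
            (action.findtext("defaults/" + f) or "unset").strip() for f in FIELDS)
    return out

def keeps_outside_active(triple):
    """True when a cached authorization is offered to any/inactive sessions."""
    return triple[0] in KEEP or triple[1] in KEEP

def summarize(policy_xml):
    """Return (Counter of triples, sorted ids flagged by keeps_outside_active)."""
    found = triples(policy_xml)
    flagged = sorted(a for a, t in found.items() if keeps_outside_active(t))
    return Counter(found.values()), flagged

if __name__ == "__main__":
    print(summarize(SAMPLE_POLICY))
    # Standard polkit action directory; adjust if your distribution differs.
    for path in sorted(glob.glob("/usr/share/polkit-1/actions/*.policy")):
        with open(path, "rb") as fh:
            counts, flagged = summarize(fh.read())
        for action_id in flagged:
            print(f"{path}: {action_id} keeps auth for any/inactive sessions")
```
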
participants (3)
- Cole Robinson
- Daniel P. Berrange
- Richard W.M. Jones