
On Fri, Nov 30, 2012 at 11:33:30AM -0500, Dmitri Pal wrote:
> On 11/30/2012 10:20 AM, Daniel P. Berrange wrote:
> > On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
> > > On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange <berrange@redhat.com> wrote:
> > > > On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
> > > > > hi,
> > > > >
> > > > > sasl_allowed_username_list = ["admin@IPA.EXAMPLE.COM" ]
> > > > >
> > > > > if I leave this field commented out (default setting), everybody can
> > > > > manage the kvm host.
> > > >
> > > > Oh it isn't very obvious, but in this log message:
> > > >
> > > > > > 2012-11-30 12:00:53.403+0000: 7786: error :
> > > > > > virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
> > > >
> > > > 'admin' is the identity being matched against. We ought to quote that
> > > > string in the log message to make it more obvious.
> > > >
> > > > So I guess SASL/GSSAPI is not giving us back the REALM, just the
> > > > username. So you need to change your whitelist to leave out the realm.
> > >
> > > Bingo!
> > >
> > > Thanks. If I may just hijack this thread: is it possible to whitelist
> > > groups instead of individual users to use virsh/virtual manager?
> > >
> > > I know sasl only deals with the authentication stuff, but here you are
> > > also authorizing in the whitelist. If this authorization could go
> > > further to allow ipa groups, that would be ideal from an admin point
> > > of view ;-)
> >
> > It is desirable, but we don't have any way to find out information about
> > groups. The authorization problem is something we've yet to really get a
> > good pluggable solution for, though perhaps policykit would help here.
> >
> > Daniel
>
> Policy kit is local escalation to admin privileges. The policy kit
> policies are not centrally managed, they are preinstalled. Are you sure
> it is the right mechanism? Should there be some more centrally managed
> mechanism for access control rules like HBAC or SUDO?

You're referring to the traditional policykit backend based on a local
policy file database. More generally policykit is pluggable, so you could
reference an off-node policy store. In theory the new javascript engine
for policykit could be used to do a check against ldap or IPA, but I've no
idea if that'd work out in reality, without more investigation.

Daniel

-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
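For reference, the three states of the libvirtd.conf setting the thread turns on, written out side by side. This is an added example, not a configuration posted by anyone in the thread; the only identity it uses is the "admin" principal from the original message, and the file path and the example principal names in the default line are assumptions.

```conf
# /etc/libvirt/libvirtd.conf (added example; path assumed)

# 1. Commented out, which is the shipped default: libvirt performs no
#    whitelist check, so any principal that authenticates successfully
#    through SASL/GSSAPI can manage the host.
#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM"]

# 2. The first attempt from the thread. libvirt compares the whitelist
#    against the identity SASL hands back, and in this setup that is the
#    bare username, so "admin" never matches "admin@IPA.EXAMPLE.COM":
#      virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
#sasl_allowed_username_list = ["admin@IPA.EXAMPLE.COM"]

# 3. The working setting: whitelist the identity exactly as it appears in
#    that log line, i.e. without the realm.
sasl_allowed_username_list = ["admin"]
```

Restart libvirtd after editing and trigger a failed connection once: the "SASL client ... not allowed in" line is the quickest way to see the exact string libvirt is matching, which is what resolved the thread. One consequence of matching on the realm-less name is that the whitelist itself cannot tell "admin" in one realm apart from "admin" in any other realm the host's Kerberos configuration accepts; which realms are accepted has to be controlled on the Kerberos side, not in this list.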