8:44 a.m.
Hi all,
I want to use libvirtd and polkit to create simple access restricitions for
incoming TLS connections.
libvirtd.conf:
...
auth_tls = "sasl"
access_drivers = [ "polkit" ]
...
tls_no_verify_certificate = 1
SASL and TLS in combination is already working without any faults. After
activating access_drivers, the setup breaks, cause the access is denied.
without polkit:
[root@inexor-test ~]# virsh --connect
qemu+tls://vm0.host.b3be.de/system
Please enter your authentication name: inexor@vm0
Please enter your password:
Welcome to virsh, the virtualization interactive terminal.
...
with polkit:
[root@inexor-test ~]# virsh --connect
qemu+tls://vm0.host.b3be.de/system
Please enter your authentication name: inexor@vm0
Please enter your password:
error: failed to connect to the hypervisor
error: access denied
I deactivated any self-written polkit-rules and had been able to track down the
problem to communication with libvirtd and polkit (via pkttyagent).
For every incoming connection, libvirtd logs this:
Jan 04 15:12:41 vm0 libvirtd[17075]: Unable to verify TLS peer: No
certificate
was found.
Jan 04 15:12:41 vm0 libvirtd[17075]: Certificate check failed Unable
to verify
TLS peer: No certificate was found.
Jan 04 15:12:45 vm0 libvirtd[17075]: internal error: No UNIX process
ID
available
Jan 04 15:12:45 vm0 libvirtd[17075]: access denied
Jan 04 15:12:45 vm0 libvirtd[17075]: access denied
Jan 04 15:12:45 vm0 libvirtd[17075]: Cannot recv data: Input/output error
Jan 04 15:12:47 vm0 libvirtd[17075]: Unable to verify TLS peer: No certificate
was
found.
Additionally, what I found: After every libvirtd-restart the unit polkit.service
loggs an Registered and directly after an Unregsitered Auth Agent.
Jan 04 15:28:29 vm0 polkitd[2670]: Registered Authentication Agent
for unix-
process:17225:3691193 (system bus name :1.97 [/usr/bin/pkttyagent
--notify-fd 4
--fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale
C)
Jan 04 15:28:30 vm0 polkitd[2670]: Unregistered Authentication Agent
for unix-
process:17225:3691193 (system bus name :1.97, object path
/org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from
bus)
(Correct! In the first second it registers and shortly it unregisteres again)
Could someone please provide me a hint how to make libvirtd and polkit talk to
each other?
Sincerely,
Bene
polkit-version: 0.113
libvirt-version: 1.3.0
Running on Archlinux (init: systemd)
4:52 a.m.
On Mon, Jan 04, 2016 at 03:44:10PM +0100, Benedikt Heine wrote:
Hi all,
I want to use libvirtd and polkit to create simple access restricitions for
incoming TLS connections.
This is sadly not possible. polkit will only authenticate against unix
users. I filed an RFE long ago requesting for polkit to be generalized
so that we could use it against virtual (ie non-UNIX system) identities
but it was rejected.
So effectively the libvirt polkit access control driver is only useful
if you're connecting to libvirt over UNIX sockets :-(
I really ought to get around to writing a custom libvirt access control
driver that works in all cases.....
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4:58 p.m.
Hi Daniel,
On Fr, 2016-01-08 at 10:52 +0000, Daniel P. Berrange wrote:
This is sadly not possible. polkit will only authenticate against
unix
users.
So effectively the libvirt polkit access control driver is only
useful
if you're connecting to libvirt over UNIX sockets :-(
This is really bad news for me.
I really ought to get around to writing a custom libvirt access
control
driver that works in all cases.....
If you could do that, that'd be great.
At least it would be great adding documentation, clarifying, that the current
polkit driver has no support for external/SASL users and is therefore not usable
in combination with TLS.
An error message telling me, that the access driver is not capable of using this
connection type, would be great, too. Currently libvirt just throws out error
'access denied'.
Anyway, thanks for the answer.
Regards,
Benedikt
3240
days inactive
3245
days old
2 comments
2 participants
participants (2)
-
Benedikt Heine -
Daniel P. Berrange