[Libvir] libvirt daemon UNIX socket auth with PolicyKit

John Levon levon at movementarian.org
Wed Aug 8 12:55:15 UTC 2007


On Wed, Aug 08, 2007 at 05:22:33AM +0100, Daniel P. Berrange wrote:

> UNIX domain sockets already provide a way for each end to identify the PID
> and UID of the other end. This enables the libvirt daemon to determine the
> identity of the application on the other end. With this information the
> daemon merely needs to check this identity against some access control policy
> rules. Where to get/define these rules though?
> 
> Enter PolicyKit.
> 
>   http://lists.freedesktop.org/archives/hal/2006-March/004770.html
>   http://lists.freedesktop.org/archives/hal/2007-June/008815.html

This is entirely new to me, but I suspect this doesn't have any Solaris
integration support (yet? I'm asking around about this).

Nonetheless the basic concept (allow all access, authenticate the peer's
credentials against some kind of database) translates well on Solaris.

>   - libvirtd defines two actions it can check called 'libvirt-local-monitor'
>     (read only monitoring of state), and 'libvirt-local-manage' (full
>     read-write management).

Good... but I think we need to consider true delegation as well, that
is, allowing a certain credential to control only one named object. At
least we need to make sure that's possible in the future without
breaking anything here.

>   - libvirtd uses SO_PEERCRED to get the PID of the client

Solaris doesn't have this, but it has the more powerful getpeerucred():

http://docs.sun.com/app/docs/doc/819-2243/6n4i09924?a=view
http://docs.sun.com/app/docs/doc/819-2243/6n4i099nf?a=view

Typically, we would then compare either the process's privilege set or
the user id. Privileges will likely have to come later but the user ID
will translate directly into RBAC:

http://www.samag.com/documents/s=7667/sam0213c/0213c.htm

Now, it may be the case that we can fit into the Policy Kit framework
and that work is ongoing, which would make things simple from libvirt's
point of view (only need to replace SO_PEERCRED by getpeerucred for
now). I will endeavour to find out for you...

regards
john