[libvirt] polkit auth issue

Daniel P. Berrange berrange at redhat.com
Thu Nov 18 09:38:40 UTC 2010 

On Wed, Nov 17, 2010 at 10:53:56PM -0700, Jim Fehlig wrote:
> I'm trying to debug a PolicyKit auth issue in libvirt and looking for
> some suggestions.
> 
> Server has the following policy for user ski52 in
> /etc/PolicyKit/PolicyKit.conf :
> 
> <match action="org.libvirt.unix.manage">
> <match user="ski52">
> <return result="auth_self_keep_always"/>
> </match>
> </match>
> 
> I can authenticate via polkit  when logged directly into server via ssh
> as ski52
> 
> ski52 at vhost52:~> virsh -c qemu:///system list
> Attempting to obtain authorization for org.libvirt.unix.manage.
> Authentication is required.
> Password:
> Successfully obtained the authorization for org.libvirt.unix.manage.
>  Id Name                 State
> ----------------------------------
>  33 vm1                   running
> 
> But when using qemu+ssh remotely
> 
> ski53 at vhost53:~> virsh -c qemu+ssh://ski52@vhost52/system list
> Attempting to obtain authorization for org.libvirt.unix.manage.
> Authentication as an administrative user is required.
> Password:
> polkit-grant-helper-pam: pam_authenticated failed: Authentication failure
> Failed to obtain authorization for org.libvirt.unix.manage.
> error: authentication failed
> error: failed to connect to the hypervisor
> 
> AFAICT by tracing with gdb, the client calls polkit-auth *locally* when
> authentication is needed, instead of invoking polkit-auth on the
> server.  This backtrace from gdb on the client machine shows
> 'polkit-auth --obtain' being called locally from virConnectAuthGainPolkit()
> 
> #0  virConnectAuthGainPolkit (privilege=0x7ffff7b8b3ba
> "org.libvirt.unix.manage") at libvirt.c:111
> #1  0x00007ffff7a912a3 in virConnectAuthCallbackDefault
> (cred=0x7fffffffdd20, ncred=1, cbdata=0x0)
>     at libvirt.c:149
> #2  0x00007ffff7ac367f in remoteAuthPolkit (conn=0x63ec10,
> priv=0x7ffff7e25010, in_open=1,
>     auth=0x7ffff7dc9bc0) at remote/remote_driver.c:7431
> #3  0x00007ffff7ac1d8d in remoteAuthenticate (conn=0x63ec10,
> priv=0x7ffff7e25010, in_open=1,
>     auth=0x7ffff7dc9bc0, authtype=0x0) at remote/remote_driver.c:6864
> #4  0x00007ffff7ab5936 in doRemoteOpen (conn=0x63ec10,
> priv=0x7ffff7e25010, auth=0x7ffff7dc9bc0, flags=0)
>     at remote/remote_driver.c:854
> ..
> 
> Has anyone else observed such behavior?  Any hints on how to forward the
> polkit-auth call to the server?  Both client and server are libvirt
> 0.8.5 btw.

You basically can't use policy kit remotely. Its architecture only allows
for local authentication. Since you're seeing 'polkit-auth' being run
by libvirt.so, you must be using the first version of policykit. In the
second version, libvirt doesn't even get to run 'polkit-auth' itself.
The policykit daemon triggers the authentication client via a side-channel,
typically DBus. This just can't work remotely.

We do short-circuit this when logging in as root, so that root is always
allowed, so eg  qemu+ssh://root@hostname/system should avoid policykit
auth

Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

More information about the libvir-list mailing list