[libvirt] [PATCH 03/19] Setup default access control manager in libvirtd

Daniel P. Berrange berrange at redhat.com
Wed Jun 19 17:00:44 UTC 2013 

From: "Daniel P. Berrange" <berrange at redhat.com>

Add a new 'access_drivers' config parameter to the libvirtd.conf
configuration file. This allows admins to setup the default
access control drivers to use for API authorization. The same
driver is to be used by all internal drivers & APIs

Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
---
 daemon/Makefile.am          |  1 +
 daemon/libvirtd-config.c    |  4 ++++
 daemon/libvirtd-config.h    |  2 ++
 daemon/libvirtd.aug         |  1 +
 daemon/libvirtd.c           | 28 +++++++++++++++++++++++++++-
 daemon/libvirtd.conf        |  9 +++++++++
 daemon/test_libvirtd.aug.in |  4 ++++
 7 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index fca0eac..e8a8371 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -24,6 +24,7 @@ INCLUDES = \
 	-I$(top_srcdir)/src/conf \
 	-I$(top_srcdir)/src/rpc \
 	-I$(top_srcdir)/src/remote \
+	-I$(top_srcdir)/src/access \
 	$(GETTEXT_CPPFLAGS)
 
 CLEANFILES =
diff --git a/daemon/libvirtd-config.c b/daemon/libvirtd-config.c
index d9357b7..6f60256 100644
--- a/daemon/libvirtd-config.c
+++ b/daemon/libvirtd-config.c
@@ -379,6 +379,10 @@ daemonConfigLoadOptions(struct daemonConfig *data,
     if (remoteConfigGetAuth(conf, "auth_tls", &data->auth_tls, filename) < 0)
         goto error;
 
+    if (remoteConfigGetStringList(conf, "access_drivers",
+                                  &data->access_drivers, filename) < 0)
+        goto error;
+
     GET_CONF_STR(conf, filename, unix_sock_group);
     GET_CONF_STR(conf, filename, unix_sock_ro_perms);
     GET_CONF_STR(conf, filename, unix_sock_rw_perms);
diff --git a/daemon/libvirtd-config.h b/daemon/libvirtd-config.h
index 07118de..973e0ea 100644
--- a/daemon/libvirtd-config.h
+++ b/daemon/libvirtd-config.h
@@ -45,6 +45,8 @@ struct daemonConfig {
     int auth_tcp;
     int auth_tls;
 
+    char **access_drivers;
+
     int mdns_adv;
     char *mdns_name;
 
diff --git a/daemon/libvirtd.aug b/daemon/libvirtd.aug
index f32b3a1..7c56a41 100644
--- a/daemon/libvirtd.aug
+++ b/daemon/libvirtd.aug
@@ -51,6 +51,7 @@ module Libvirtd =
                            | bool_entry "tls_no_sanity_certificate"
                            | str_array_entry "tls_allowed_dn_list"
                            | str_array_entry "sasl_allowed_username_list"
+                           | str_array_entry "access_drivers"
 
    let processing_entry = int_entry "min_workers"
                         | int_entry "max_workers"
diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index ae6a15c..26c1c1f 100644
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -52,8 +52,9 @@
 #include "remote.h"
 #include "virhook.h"
 #include "viraudit.h"
-#include "locking/lock_manager.h"
 #include "virstring.h"
+#include "locking/lock_manager.h"
+#include "viraccessmanager.h"
 
 #ifdef WITH_DRIVER_MODULES
 # include "driver.h"
@@ -728,6 +729,26 @@ error:
 }
 
 
+static int
+daemonSetupAccessManager(struct daemonConfig *config)
+{
+    virAccessManagerPtr mgr;
+    const char *none[] = { "none", NULL };
+    const char **driver = (const char **)config->access_drivers;
+
+    if (!driver ||
+        !driver[0])
+        driver = none;
+
+    if (!(mgr = virAccessManagerNewStack(driver)))
+        return -1;
+
+    virAccessManagerSetDefault(mgr);
+    virObjectUnref(mgr);
+    return 0;
+}
+
+
 /* Display version information. */
 static void
 daemonVersion(const char *argv0)
@@ -1260,6 +1281,11 @@ int main(int argc, char **argv) {
         exit(EXIT_FAILURE);
     }
 
+    if (daemonSetupAccessManager(config) < 0) {
+        VIR_ERROR(_("Can't initialize access manager"));
+        exit(EXIT_FAILURE);
+    }
+
     if (!pid_file &&
         daemonPidFilePath(privileged,
                           &pid_file) < 0) {
diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
index 47da520..75196a0 100644
--- a/daemon/libvirtd.conf
+++ b/daemon/libvirtd.conf
@@ -155,6 +155,15 @@
 #auth_tls = "none"
 
 
+# Change the API access control scheme
+#
+# By default an authenticated user is allowed access
+# to all APIs. Access drivers can place restrictions
+# on this. By default the 'nop' driver is enabled,
+# meaning no access control checks are done once a
+# client has authenticated with libvirtd
+#
+#access_drivers = [ "polkit", "selinux" ]
 
 #################################################################
 #
diff --git a/daemon/test_libvirtd.aug.in b/daemon/test_libvirtd.aug.in
index 455b74a..9215337 100644
--- a/daemon/test_libvirtd.aug.in
+++ b/daemon/test_libvirtd.aug.in
@@ -17,6 +17,10 @@ module Test_libvirtd =
         { "auth_unix_rw" = "none" }
         { "auth_tcp" = "sasl" }
         { "auth_tls" = "none" }
+        { "access_drivers"
+             { "1" = "polkit" }
+             { "2" = "selinux" }
+        }
         { "key_file" = "/etc/pki/libvirt/private/serverkey.pem" }
         { "cert_file" = "/etc/pki/libvirt/servercert.pem" }
         { "ca_file" = "/etc/pki/CA/cacert.pem" }
-- 
1.8.1.4

More information about the libvir-list mailing list