[libvirt-users] polkit ACL for remotely changing a spice console password

Eric Blake eblake at redhat.com
Fri Jan 16 21:16:19 UTC 2015


On 01/16/2015 01:45 PM, David Mansfield wrote:
> I'm working on some infrastructure which allows a remote password reset
> (with expiry) of a spice console running on a remote libvirtd/qemu-kvm.
> 
> I currently have GSSAPI over tcp working and can set the password - but
> I can also do everything else - the default policy is still in place,
> and once authenticated, anything goes.
> 
> I'm setting the password using a command like this:
> 
> virsh --connect qemu+tcp://remote.example.org/system qemu-monitor-command --hmp mydomain 'set_password spice mynewpassword123 disconnect'

qemu-monitor-command is explicitly unsupported, because it is a gaping
backdoor, and therefore cannot be tied to any ACL.  You instead need to
use a supported API to change the password; virDomainUpdateDeviceFlags()
is supposed to be able to do that.

> 
> I've looked at the documentation for ACLs but I can't see anything that
> covers qemu-monitor-command, and specifically "set_password".
> 
> The other way to set passwords is to update the domain settings using an
> XML fragment, but I'm not clear on the exact semantics on how to do that
> (do you have to extract the xml fragment first?) AND I can't find how
> that's covered in ACL documentation either.

virDomainUpdateDeviceFlags is covered by an ACL, and yes, you present it
a fragment of XML that corresponds to the updated device that is present
underneath <devices> when you dump a domain's XML.  Changing a password
is not something I've tried personally, though, so I don't have a ready
recipe for what it would look like.

> 
> Some idea? Any pointers would be much appreciated.

Maybe someone else can chime in and extend my answer.

> 
> Ideally, I'd like to say "user x can update password for domain y" and
> that's the only thing that can be modified for that user.

It sounds like you are interested in creating a new fine-grained ACL,
which in turn would require a new API (or at least a new flag to the
existing API) to limit device changes to just the password, and where
password changes could be restricted differently from other device
changes.  Daniel Berrange should have more ideas on whether that makes
sense, since he implemented the original ACL permissions.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
