[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvir] PATCH: 1/10: SASL authentication support



On Fri, Nov 30, 2007 at 10:32:40PM +0000, Daniel P. Berrange wrote:
> On Thu, Nov 29, 2007 at 05:16:34PM +0000, Daniel P. Berrange wrote:
> > This patch hooks up the basic authentication RPC calls, and the specific
> > SASL implementation. The SASL impl can be enabled/disable via the configurre
> > script with --without-sasl / --with-sasl - it'll auto-enable it if it finds
> > the headers & libs OK.
> > 
> > The sample /etc/sasl2/libvirt.conf file enables the DIGEST-MD5 mechanism
> > by default, since it is by far the easiest to setup for admins. No need for
> > a Kerberos server, or certificates - it just uses username/password which
> > can be set with 'saslpasswd2 -a libvirt [username]' and a list of all active
> > users viewed with 'sasldblistusers2 -a libvirt'
> > 
> > There are also example settings for enabling Kerberos (GSSAPI) but this is
> > disabled by default. It requires a file /etc/libvirt/krb5.tab containing a
> > service principle. On some distros you need to set KRB5_KTNAME to point to
> > this file when starting the daemon, so our init script does that. Other
> > distros, the 'keytab' config param in /etc/sasl2/libvirt.conf is actually
> > honoured.
> > 
> > With this patch you can successfully authentication client <-> server for
> > any authentication mechansim which doesn't need to prompt the user for
> > credentials. In effect this means it only works for GSSAPI/Kerberos, but
> > the later patches in this series will enable callbacks making the default
> > DIGEST-MD5 auth work.
> > 
> > The way auth is controlled, is that if the 'auth' parameter is set on the
> > struct qemud_client object, *NO* rpc call will be processed except for the
> > REMOTE_PROC_AUTH_LIST, SASL_AUTH_INIT, SASL_AUTH_START & SASL_AUTH_STEP
> > calls. If SASL is not compiled in, the latter 3 will send errors back to
> > the caller.
> > 
> > Only once authentication is complete, are the other calls allowed. It
> > currently hardcodes use of SASL on the TCP socket. The TLS & UNIX sockets
> > are unchanged. A subsequent patch will make it configurable.
> 
> Updated to add constants for getnameinfo() params as Jim suggested. Also
> remove the dep on cyrus-sasl-gssapi, and add one on cyrus-sasl-md5

  Okay looks good to me, +1

Daniel

-- 
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library  http://libvirt.org/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine  http://rpmfind.net/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]