
Re: [libvirt] [PATCH] PolicyKit: Check auth before asking client to obtain it

Daniel P. Berrange wrote:
> On Thu, Jan 05, 2012 at 01:12:37PM -0700, Eric Blake wrote:
>> On 01/03/2012 03:35 PM, Jim Fehlig wrote:
>>> I previously mentioned [1] a PolicyKit issue where libvirt would
>>> proceed with authentication even though polkit-auth failed:
>>>
>>> testusr xen134:~> virsh list --all
>>> Attempting to obtain authorization for org.libvirt.unix.manage.
>>> polkit-grant-helper: given auth type (8 -> yes) is bogus
>>> Failed to obtain authorization for org.libvirt.unix.manage.
>>>  Id Name                 State
>>> ----------------------------------
>>>   0 Domain-0             running
>>>   - sles11sp1-pv         shut off
>>>
>>> AFAICT, libvirt attempts to obtain a privilege it already has,
>>> causing polkit-auth to fail with above message.  Instead of calling
>>> obtain and then checking auth, IMO the workflow should be for the
>>> server to check auth first, and if that fails ask the client to
>>> obtain it and check again.  This workflow also allows for checking
>>> only successful exit of polkit-auth in virConnectAuthGainPolkit().
>>>
>>> [1] https://www.redhat.com/archives/libvir-list/2011-December/msg00837.html
>>> ---
>>>  src/libvirt.c              |    2 +-
>>>  src/remote/remote_driver.c |   11 +++++++++++
>>>  2 files changed, 12 insertions(+), 1 deletions(-)
>> This looks reasonable to me, but I'd like a second opinion from someone
>> more familiar with the PolicyKit code before you push anything (that
>> would probably be DV or danpb).  If they agree, then I think it can go
>> in 0.9.9.

Thanks.  Should I push this for 0.9.9?

> Out of interest, what Suse distro releases are still relying on
> the old policy kit code, as opposed to the new style ?

SLES11 contains the old PolicyKit package, so I'll need the libvirt
integration to work for quite some time :-/.  All supported openSUSE
distros use the new polkit packages.

