[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] PolicyKit: Check auth before asking client to obtain it



Daniel P. Berrange wrote:
> On Thu, Jan 05, 2012 at 01:12:37PM -0700, Eric Blake wrote:
>   
>> On 01/03/2012 03:35 PM, Jim Fehlig wrote:
>>     
>>> I previously mentioned [1] a PolicyKit issue where libvirt would
>>> proceed with authentication even though polkit-auth failed:
>>>
>>> testusr xen134:~> virsh list --all
>>> Attempting to obtain authorization for org.libvirt.unix.manage.
>>> polkit-grant-helper: given auth type (8 -> yes) is bogus
>>> Failed to obtain authorization for org.libvirt.unix.manage.
>>>  Id Name                 State
>>> ----------------------------------
>>>   0 Domain-0             running
>>>   - sles11sp1-pv         shut off
>>>
>>> AFAICT, libvirt attempts to obtain a privilege it already has,
>>> causing polkit-auth to fail with above message.  Instead of calling
>>> obtain and then checking auth, IMO the workflow should be for the
>>> server to check auth first, and if that fails ask the client to
>>> obtain it and check again.  This workflow also allows for checking
>>> only successful exit of polkit-auth in virConnectAuthGainPolkit().
>>>
>>> [1] https://www.redhat.com/archives/libvir-list/2011-December/msg00837.html
>>> ---
>>>  src/libvirt.c              |    2 +-
>>>  src/remote/remote_driver.c |   11 +++++++++++
>>>  2 files changed, 12 insertions(+), 1 deletions(-)
>>>       
>> This looks reasonable to me, but I'd like a second opinion from someone
>> more familiar with the PolicyKit code before you push anything (that
>> would probably be DV or danpb).  If they agree, then I think it can go
>> in 0.9.9.
>>     
>
> ACK
>   

I've pushed this now that 0.9.9 has been released.

Thanks,
Jim


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]