[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 12/14] Add APIs for handling lookup of auth credentials from config file



On Thu, Mar 22, 2012 at 07:02:31AM -0600, Eric Blake wrote:
> On 03/20/2012 11:33 AM, Daniel P. Berrange wrote:
> > From: "Daniel P. Berrange" <berrange redhat com>
> > 
> > This defines the format for the auth credential config file and
> > provides APIs to access the data. The config file contains
> > one or more named 'credential' sets
> > 
> >   [credentials-$NAME]
> >   credname1=value1
> >   credname2=value2
> > 
> > eg
> > 
> >   [credentials-test]
> >   authname=fred
> >   password=123456
> 
> I'm not always a fan of plain-text passwords; do you have plans to
> further enhance this to hook into our virSecret design, where the config
> file can list the name of a secret to reference, which in turn will
> trigger appropriate calls to the virSecret API to grab credentials on
> first use, securely caching them for later uses that need the same
> credentials but without the drawbacks of plain-text config files?  But
> that's future enhancement, and doesn't stop this patch from going in
> once you address Osier's review comments.

These credentials are required in order to establish a connection to
libvirt, so we don't have any virSecret APIs available yet. In addition
this is client side, while the virSecret APIs are server side.

Obviously this is not an ideal scenario from a security POV, but it is
an optional feature. If people are using SASL Password auth and want to
automate libvirt logins, there's not much choice in the matter. If they
want something more secure they can setup SSH keys, or policy kit or
Kerberos tickets.

I envisage this as relevant for test/dev scenarios rather than production.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]