The attached patch changes the virt-* cli tools to use the libvirt
openAuth function for opening connections. This allows using PolicyKit
and SASL auth with the tools.
polkit-auth is forced to run in cli mode, so no graphical dialog will be
launched. I've thought about having the --prompt flag play a role here,
but since the use cases this fulfills did not previously work, there
shouldn't be any chance of breaking existing uses.
Thanks,
Cole
# HG changeset patch
# User Cole Robinson <crobinso@xxxxxxxxxx>
# Date 1241723712 14400
# Node ID 0c58ccf22773e2906853f3ac95fb3cc9ceaa158d
# Parent 2ac98205eb469857ea4110125502eab23dd8e24f
Allow PolicyKit and SASL authentication.
Use openAuth when opening the initial connection: allows PolicyKit and
SASA username/password auth.
diff -r 2ac98205eb46 -r 0c58ccf22773 virtinst/cli.py
--- a/virtinst/cli.py Thu May 07 13:47:49 2009 -0400
+++ b/virtinst/cli.py Thu May 07 15:15:12 2009 -0400
@@ -117,6 +117,7 @@
print _("Exiting at user request.")
sys.exit(0)
+# Connection opening helper functions
def getConnection(connect):
if not User.current().has_priv(User.PRIV_CREATE_DOMAIN, connect):
fail(_("Must be root to create Xen guests"))
@@ -124,7 +125,105 @@
fail(_("Could not find usable default libvirt connection."))
logging.debug("Using libvirt URI '%s'" % connect)
- return libvirt.open(connect)
+ return open_connection(connect)
+
+def open_connection(uri):
+ open_flags = 0
+ valid_auth_options = [libvirt.VIR_CRED_AUTHNAME,
+ libvirt.VIR_CRED_PASSPHRASE,
+ libvirt.VIR_CRED_EXTERNAL]
+ authcb = do_creds
+ authcb_data = None
+
+ return libvirt.openAuth(uri, [valid_auth_options, authcb, authcb_data],
+ open_flags)
+
+def do_creds(creds, cbdata):
+ try:
+ return _do_creds(creds, cbdata)
+ except:
+ _util.log_exception("Error in creds callback.")
+ raise
+
+def _do_creds(creds, cbdata_ignore):
+
+ if (len(creds) == 1 and
+ creds[0][0] == libvirt.VIR_CRED_EXTERNAL and
+ creds[0][2] == "PolicyKit"):
+ return _do_creds_polkit(creds[0][1])
+
+ for cred in creds:
+ if cred[0] == libvirt.VIR_CRED_EXTERNAL:
+ return -1
+
+ return _do_creds_authname(creds)
+
+# PolicyKit auth
+def _do_creds_polkit(action):
+ if os.getuid() == 0:
+ logging.debug("Skipping policykit check as root")
+ return 0 # Success
+ logging.debug("Doing policykit for %s" % action)
+
+ import subprocess
+ import commands
+
+ bin_path = "/usr/bin/polkit-auth"
+
+ if not os.path.exists(bin_path):
+ logging.debug("%s not present, skipping polkit auth." % bin_path)
+ return 0
+
+ cmdstr = "%s %s" % (bin_path, "--explicit")
+ output = commands.getstatusoutput(cmdstr)
+ if output[1].count(action):
+ logging.debug("User already authorized for %s." % action)
+ # Hide spurious output from polkit-auth
+ popen_stdout = subprocess.PIPE
+ popen_stderr = subprocess.PIPE
+ else:
+ popen_stdout = None
+ popen_stderr = None
+
+ # Force polkit prompting to be text mode. Not strictly required, but
+ # launching a dialog is overkill.
+ env = os.environ.copy()
+ env["POLKIT_AUTH_FORCE_TEXT"] = "set"
+
+ cmd = [bin_path, "--obtain", action]
+ proc = subprocess.Popen(cmd, env=env, stdout=popen_stdout,
+ stderr=popen_stderr)
+ out, err = proc.communicate()
+
+ if out and popen_stdout:
+ logging.debug("polkit-auth stdout: %s" % out)
+ if err and popen_stderr:
+ logging.debug("polkit-auth stderr: %s" % err)
+
+ return 0
+
+# SASL username/pass auth
+def _do_creds_authname(creds):
+ retindex = 4
+
+ for cred in creds:
+ credtype, prompt, ignore, ignore, ignore = cred
+ prompt += ": "
+
+ res = cred[retindex]
+ if credtype == libvirt.VIR_CRED_AUTHNAME:
+ res = raw_input(prompt)
+ elif credtype == libvirt.VIR_CRED_PASSPHRASE:
+ import getpass
+ res = getpass.getpass(prompt)
+ else:
+ logging.debug("Unknown auth type in creds callback: %d" %
+ credtype)
+ return -1
+
+ cred[retindex] = res
+
+ return 0
#
# Prompting
_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
