Daniel P. Berrange wrote: > On Thu, Jan 05, 2012 at 01:12:37PM -0700, Eric Blake wrote: > >> On 01/03/2012 03:35 PM, Jim Fehlig wrote: >> >>> I previously mentioned [1] a PolicyKit issue where libvirt would >>> proceed with authentication even though polkit-auth failed: >>> >>> testusr xen134:~> virsh list --all >>> Attempting to obtain authorization for org.libvirt.unix.manage. >>> polkit-grant-helper: given auth type (8 -> yes) is bogus >>> Failed to obtain authorization for org.libvirt.unix.manage. >>> Id Name State >>> ---------------------------------- >>> 0 Domain-0 running >>> - sles11sp1-pv shut off >>> >>> AFAICT, libvirt attempts to obtain a privilege it already has, >>> causing polkit-auth to fail with above message. Instead of calling >>> obtain and then checking auth, IMO the workflow should be for the >>> server to check auth first, and if that fails ask the client to >>> obtain it and check again. This workflow also allows for checking >>> only successful exit of polkit-auth in virConnectAuthGainPolkit(). >>> >>> [1] https://www.redhat.com/archives/libvir-list/2011-December/msg00837.html >>> --- >>> src/libvirt.c | 2 +- >>> src/remote/remote_driver.c | 11 +++++++++++ >>> 2 files changed, 12 insertions(+), 1 deletions(-) >>> >> This looks reasonable to me, but I'd like a second opinion from someone >> more familiar with the PolicyKit code before you push anything (that >> would probably be DV or danpb). If they agree, then I think it can go >> in 0.9.9. >> > > ACK > I've pushed this now that 0.9.9 has been released. Thanks, Jim -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list