On Fri, Nov 30, 2012 at 11:33:30AM -0500, Dmitri Pal wrote:
> On 11/30/2012 10:20 AM, Daniel P. Berrange wrote:
> > On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
> >> On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange <berrange@xxxxxxxxxx> wrote:
> >>> On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
> >>>> hi,
> >>>>
> >>>> sasl_allowed_username_list = ["admin@xxxxxxxxxxxxxxx" ]
> >>>>
> >>>> if I leave this field commented out (default setting), everybody can
> >>>> manage the kvm host.
> >>> Oh it isn't very obvious, but in this log message:
> >>>
> >>>>>>> 2012-11-30 12:00:53.403+0000: 7786: error :
> >>>>>>> virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
> >>> 'admin' is the identity being matched against.
> >>>
> >>> We ought to quote that string in the log message to make it more
> >>> obvious.
> >>>
> >>> So I guess SASL/GSSAPI is not giving us back the REALM, just
> >>> the username
> >>>
> >>> So you need to change your whitelist to leave out the realm.
> >> Bingo!
> >>
> >> Thanks. If I may just hijack this thread: is it possible to whitelist
> >> groups instead of individual users to use virsh/virtual manager?
> >>
> >> I know sasl only deals with the authentication stuff, but here you are
> >> also authorizing in the whitelist. If this authorization could go
> >> further to allow ipa groups, that would be ideal from an admin point
> >> of view ;-)
> > It is desirable, but we don't have any way to find out information about
> > groups. The authorization problem is something we've yet to really get
> > a good pluggable solution for, though perhaps policykit would help here.
> >
> > Daniel
> Policy kit is local escalation to admin privileges. The policy kit
> policies are not centrally managed, they are preinstalled.
> Are you sure it is the right mechanism?
> Should there be some more centrally managed mechanism for access control
> rules like HBAC or SUDO?
You're referring to the traditional policykit backend based on a local
policy file database. More generally policykit is pluggable, so you
could reference an off-node policy store. In theory the new javascript
engine for policykit could be used to do a check against ldap or IPA,
but I've no idea if that'd work out in reality, without more
investigation.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
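Worked example, added here and not part of the thread or of libvirt's or polkit's own code: a polkit JavaScript rule of the kind Daniel's last message mentions, deciding libvirt access by group membership rather than by a per-user whitelist. It assumes polkit 0.106 or later (the release that introduced the JavaScript rules engine), a libvirtd.conf with auth_unix_rw = "polkit" so that connections on the local UNIX socket are authorized through polkit, and a host that resolves groups through NSS (for example SSSD on an IPA-enrolled machine), so that the group names libvirt-admins and libvirt-viewers, which are assumptions of this example, can be IPA groups; the rule file itself stays local on the node, as Dmitri points out, but the membership it consults is then central. The scope caveat matters for this thread: polkit only governs the local UNIX-socket path. The SASL/GSSAPI TCP connections discussed above, where libvirt sees only the bare username, never reach polkit, and that gap is what Daniel leaves open. The fakeSubject helper and the dry-run section at the end exist only so the decision function can be exercised under Node outside polkitd.

```javascript
// Added example, not part of the thread or of libvirt/polkit: a polkit
// JavaScript rule (polkit >= 0.106) that decides libvirt access by group.
// Install as /etc/polkit-1/rules.d/50-libvirt.rules on a host whose
// libvirtd.conf has  auth_unix_rw = "polkit".  It applies to the local
// UNIX socket only; SASL/GSSAPI TCP clients never reach polkit.

// Group names are assumptions for this example. On an IPA-enrolled host
// running SSSD they can be IPA groups: polkit's isInGroup() resolves
// membership through NSS, so no LDAP code is needed in the rule itself.
var MANAGE_GROUP = "libvirt-admins";   // read/write: org.libvirt.unix.manage
var MONITOR_GROUP = "libvirt-viewers"; // read-only:  org.libvirt.unix.monitor

var MANAGE_ACTION = "org.libvirt.unix.manage";
var MONITOR_ACTION = "org.libvirt.unix.monitor";

// Inside polkitd, `polkit` is a predefined global. When this file is run
// under Node for a dry run, substitute a shim with the same Result values
// (polkit uses the strings "yes"/"no" and null for NOT_HANDLED).
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
    log: function (msg) { console.log("[dry-run] " + msg); },
    addRule: function (fn) { /* no polkitd present; nothing to register */ }
};

// The decision itself, kept as a named function so it can be tested
// outside polkitd with a fake subject.
function libvirtAccess(action, subject) {
    if (action.id === MANAGE_ACTION) {
        if (subject.isInGroup(MANAGE_GROUP)) {
            pk.log("libvirt manage granted to " + subject.user);
            return pk.Result.YES;
        }
        // Non-members are refused outright instead of being offered the
        // packaged default (an admin password prompt). Return NOT_HANDLED
        // here instead if that default should remain available.
        pk.log("libvirt manage denied to " + subject.user);
        return pk.Result.NO;
    }
    if (action.id === MONITOR_ACTION) {
        if (subject.isInGroup(MANAGE_GROUP) || subject.isInGroup(MONITOR_GROUP)) {
            return pk.Result.YES;
        }
        return pk.Result.NO;
    }
    // Not a libvirt action: leave it to other rules and the defaults.
    return pk.Result.NOT_HANDLED;
}

pk.addRule(libvirtAccess);

// ---- dry-run helpers (only meaningful outside polkitd) -------------------

// Constructed stand-in for polkit's Subject, exposing only the two members
// the rule reads. `groups` is the constructed group list of the fake user.
function fakeSubject(user, groups) {
    return {
        user: user,
        isInGroup: function (g) { return groups.indexOf(g) !== -1; }
    };
}

if (typeof polkit === "undefined") {
    var cases = [
        [MANAGE_ACTION,  fakeSubject("natxo", ["users", MANAGE_GROUP])],
        [MANAGE_ACTION,  fakeSubject("guest", ["users"])],
        [MONITOR_ACTION, fakeSubject("ops",   [MONITOR_GROUP])],
        ["org.freedesktop.login1.reboot", fakeSubject("natxo", [MANAGE_GROUP])]
    ];
    cases.forEach(function (c) {
        console.log(c[0] + " for " + c[1].user + " -> " +
                    libvirtAccess({ id: c[0] }, c[1]));
    });
}
```

polkitd watches its rules directories and picks the file up without a restart. Check the decision from a shell as the user in question with `pkcheck --action-id org.libvirt.unix.manage --process $$`, then with `virsh -c qemu:///system list`; a user outside both groups should be refused, not prompted, because the rule answers NO rather than NOT_HANDLED for the manage action. The whitelist fix from earlier in the thread (listing the bare username, without the realm, in sasl_allowed_username_list) is still needed for remote TCP clients, since nothing here changes what libvirt does on the SASL path.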