From ed3bac713c3cfc055ef551cbfe92a061084382c3 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Wed, 17 Apr 2013 12:01:24 +0100 Subject: [PATCH] Setup default access control manager in libvirtd Add a new 'access_drivers' config parameter to the libvirtd.conf configuration file. This allows admins to setup the default access control drivers to use for API authorization. The same driver is to be used by all internal drivers & APIs Signed-off-by: Daniel P. Berrange --- daemon/Makefile.am | 1 + daemon/libvirtd-config.c | 4 ++++ daemon/libvirtd-config.h | 2 ++ daemon/libvirtd.aug | 1 + daemon/libvirtd.c | 33 ++++++++++++++++++++++++++++++++- daemon/libvirtd.conf | 9 +++++++++ daemon/test_libvirtd.aug.in | 2 ++ src/libvirt_private.syms | 3 +++ 8 files changed, 54 insertions(+), 1 deletion(-) diff --git a/daemon/Makefile.am b/daemon/Makefile.am index fca0eacf7e..e8a8371585 100644 --- a/daemon/Makefile.am +++ b/daemon/Makefile.am @@ -24,6 +24,7 @@ INCLUDES = \ -I$(top_srcdir)/src/conf \ -I$(top_srcdir)/src/rpc \ -I$(top_srcdir)/src/remote \ + -I$(top_srcdir)/src/access \ $(GETTEXT_CPPFLAGS) CLEANFILES = diff --git a/daemon/libvirtd-config.c b/daemon/libvirtd-config.c index d9357b7470..6f60256e47 100644 --- a/daemon/libvirtd-config.c +++ b/daemon/libvirtd-config.c @@ -379,6 +379,10 @@ daemonConfigLoadOptions(struct daemonConfig *data, if (remoteConfigGetAuth(conf, "auth_tls", &data->auth_tls, filename) < 0) goto error; + if (remoteConfigGetStringList(conf, "access_drivers", + &data->access_drivers, filename) < 0) + goto error; + GET_CONF_STR(conf, filename, unix_sock_group); GET_CONF_STR(conf, filename, unix_sock_ro_perms); GET_CONF_STR(conf, filename, unix_sock_rw_perms); diff --git a/daemon/libvirtd-config.h b/daemon/libvirtd-config.h index 07118de408..973e0eab74 100644 --- a/daemon/libvirtd-config.h +++ b/daemon/libvirtd-config.h @@ -45,6 +45,8 @@ struct daemonConfig { int auth_tcp; int auth_tls; + char **access_drivers; + int mdns_adv; char *mdns_name; diff --git a/daemon/libvirtd.aug b/daemon/libvirtd.aug index f32b3a1397..7c56a41112 100644 --- a/daemon/libvirtd.aug +++ b/daemon/libvirtd.aug @@ -51,6 +51,7 @@ module Libvirtd = | bool_entry "tls_no_sanity_certificate" | str_array_entry "tls_allowed_dn_list" | str_array_entry "sasl_allowed_username_list" + | str_array_entry "access_drivers" let processing_entry = int_entry "min_workers" | int_entry "max_workers" diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c index ae6a15c7bd..3db4f1cdf8 100644 --- a/daemon/libvirtd.c +++ b/daemon/libvirtd.c @@ -52,8 +52,9 @@ #include "remote.h" #include "virhook.h" #include "viraudit.h" -#include "locking/lock_manager.h" #include "virstring.h" +#include "locking/lock_manager.h" +#include "viraccessmanager.h" #ifdef WITH_DRIVER_MODULES # include "driver.h" @@ -728,6 +729,26 @@ error: } +static int +daemonSetupAccessManager(struct daemonConfig *config) +{ + virAccessManagerPtr mgr; + const char *none[] = { "none", NULL }; + const char **driver = (const char **)config->access_drivers; + + if (!driver || + !driver[0]) + driver = none; + + if (!(mgr = virAccessManagerNewStack(driver))) + return -1; + + virAccessManagerSetDefault(mgr); + virObjectUnref(mgr); + return 0; +} + + /* Display version information. */ static void daemonVersion(const char *argv0) @@ -872,6 +893,9 @@ handleSystemMessageFunc(DBusConnection *connection ATTRIBUTE_UNUSED, static void daemonRunStateInit(void *opaque) { virNetServerPtr srv = opaque; + virIdentityPtr sysident = virIdentityGetSystem(); + + virIdentitySetCurrent(sysident); /* Since driver initialization can take time inhibit daemon shutdown until we're done so clients get a chance to connect */ @@ -914,6 +938,8 @@ static void daemonRunStateInit(void *opaque) cleanup: daemonInhibitCallback(false, srv); virObjectUnref(srv); + virObjectUnref(sysident); + virIdentitySetCurrent(NULL); } static int daemonStateInit(virNetServerPtr srv) @@ -1260,6 +1286,11 @@ int main(int argc, char **argv) { exit(EXIT_FAILURE); } + if (daemonSetupAccessManager(config) < 0) { + VIR_ERROR(_("Can't initialize access manager")); + exit(EXIT_FAILURE); + } + if (!pid_file && daemonPidFilePath(privileged, &pid_file) < 0) { diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf index 47da5208eb..9d7879c982 100644 --- a/daemon/libvirtd.conf +++ b/daemon/libvirtd.conf @@ -155,6 +155,15 @@ #auth_tls = "none" +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with libvirtd +# +#access_drivers = [ ] ################################################################# # diff --git a/daemon/test_libvirtd.aug.in b/daemon/test_libvirtd.aug.in index 455b74a196..b9df7117bd 100644 --- a/daemon/test_libvirtd.aug.in +++ b/daemon/test_libvirtd.aug.in @@ -17,6 +17,8 @@ module Test_libvirtd = { "auth_unix_rw" = "none" } { "auth_tcp" = "sasl" } { "auth_tls" = "none" } + { "access_drivers" + } { "key_file" = "/etc/pki/libvirt/private/serverkey.pem" } { "cert_file" = "/etc/pki/libvirt/servercert.pem" } { "ca_file" = "/etc/pki/CA/cacert.pem" } diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 9217ab90a4..9401d93c66 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -1388,9 +1388,12 @@ virHookPresent; # util/viridentity.h virIdentityGetAttr; +virIdentityGetCurrent; +virIdentityGetSystem; virIdentityIsEqual; virIdentityNew; virIdentitySetAttr; +virIdentitySetCurrent; # util/virinitctl.h