Libguestfs - Oct 2012 - Proposed libguestfs API for implementing libvirt virConnectOpenAuth

As in the example code below.

static void
do_auth (guestfs_h *g,
         void *opaque,
         uint64_t event,
         int event_handle,
         int flags,
         const char *buf, size_t buf_len,
         const uint64_t *array, size_t array_len)
{
  char **creds;
  size_t i;
  char *prompt;
  char *reply;
  size_t replylen;

  // buf will be the libvirt URI.  It is always \0-terminated so
  // buf_len can be ignored in this case.
  printf ("Authentication required for libvirt connection
'%s'\n", buf);

  // Ask libguestfs what credentials libvirt is demanding.
  creds = guestfs_get_libvirt_requested_credentials (g);

  // Now ask the user for answers.
  for (i = 0; creds[i] != NULL; ++i) {
    if (strcmp (creds[i], "authname") == 0 ||
        strcmp (creds[i], "passphrase") == 0) {
      prompt = guestfs_get_libvirt_requested_credential_prompt (g, i);
      printf ("%s: ", prompt);
      free (prompt);

      // ...

      // Input from user is in 'reply', length 'replylen'
(bytes).
      guestfs_set_libvirt_requested_credential (g, i, reply, replylen);
    }

    free (creds[i]);
  }

  free (creds);

  // On return from this function (libguestfs event), the libvirt
  // event returns too.
}

// ...
{
  guestfs_h *g;
  char *creds[] = { "authname", "passphrase", NULL };

  g = guestfs_create ();
  guestfs_set_libvirt_supported_credentials (g, creds);
  guestfs_set_event_callback (g, do_auth,
      GUESTFS_EVENT_LIBVIRT_AUTH, 0, NULL);

  // An example of a function that would open a libvirt connection:
  guestfs_add_domain (g, "dom",
      GUESTFS_ADD_DOMAIN_LIBVIRTURI, "qemu:///system",
      -1);
}

----------------------------------------------------------------------

By the way, some of the virt tools can open multiple connections to
libvirt, and it is architecturally hard to change this:
https://www.redhat.com/archives/libguestfs/2012-October/msg00065.html

Does libvirt (or policy kit?) provide any mechanism for caching these
credentials within the same process, so that we don't have to provide
the same creds back to libvirt for multiple connections?

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/

On 10/13/2012 05:31 AM, Richard W.M. Jones wrote:
> 
> Does libvirt (or policy kit?) provide any mechanism for caching these
> credentials within the same process, so that we don't have to provide
> the same creds back to libvirt for multiple connections?
> 
Yeah, that's the 'keep' in 'auth_admin_keep' in
libvirt's policykit rules:

http://libvirt.org/git/?p=libvirt.git;a=blob;f=daemon/libvirtd.policy.in

But libvirt only enables it for local, active sessions, which doesn't
include
SSH logins for example. libvirt should s/auth_admin/auth_admin_keep/g

- Cole

On Sun, Oct 14, 2012 at 07:44:44PM -0400, Cole Robinson
wrote:
> On 10/13/2012 05:31 AM, Richard W.M. Jones wrote:
> 
> > 
> > Does libvirt (or policy kit?) provide any mechanism for caching these
> > credentials within the same process, so that we don't have to
provide
> > the same creds back to libvirt for multiple connections?
> > 
> 
> Yeah, that's the 'keep' in 'auth_admin_keep' in
libvirt's policykit rules:
> 
> http://libvirt.org/git/?p=libvirt.git;a=blob;f=daemon/libvirtd.policy.in
> 
> But libvirt only enables it for local, active sessions, which doesn't
include
> SSH logins for example. libvirt should s/auth_admin/auth_admin_keep/g
So if I understand correctly, how about this patch?

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top
-------------- next part --------------