Anastasiya Ruzhanskaya
2018-May-12 08:36 UTC
Re: [libvirt-users] Libvirt access control drivers
I actually didn't quite catch why oVirt can't just pass user information and you could check against it? This may require creating some configuration files for libvirt about end users. What is an advantage of authenticating oVirt, and then impersonation for the end user?

2018-05-11 16:37 GMT+03:00 Daniel P. Berrangé <berrange@redhat.com>:
> On Fri, May 11, 2018 at 04:26:36PM +0300, Anastasiya Ruzhanskaya wrote:
> > Excuse me for renewing this discussion, but I am curious if you would add
> > new module, which will be able to process users not based on unix
> > processes, from where do you plan to get usernames? I mean, virt-manager
> > could give them, as there is authentication in GUI, but for example when
> > using oVirt, none of the usernames reach libvirt through the communication
> > between server and nodes.
>
> The identity attributes would have to use information that libvirt acquires
> from its authentication modules. When using TLS, if client certificates are
> requested by libvirtd, then we can check the x509 cert distinguished name
> field. When using SASL, if the SASL mechanism returns a username, we can
> check that.
>
> NB, we would *not* be trying to check the end user that oVirt knows about,
> rather we are authenticating oVirt itself.
>
> To check end users defined by the higher level mgmt app would require an
> extra set of functionality in the public API, to allow oVirt to do user
> impersonation with libvirt. eg libvirt would first authenticate ovirt,
> ovirt would then say it wants to impersonate "fred" and from there all
> APIs get checked against "fred".
>
> This gets pretty difficult though, because oVirt and most similar mgmt
> apps generally only have a single connection to libvirt but are doing
> work for 100's of different users on it. So in reality it is not very
> practical for libvirt to try to validate ovirt's users.
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Daniel P. Berrangé
2018-May-14 09:25 UTC
Re: [libvirt-users] Libvirt access control drivers
On Sat, May 12, 2018 at 11:36:08AM +0300, Anastasiya Ruzhanskaya wrote:
> I actually didn't quite catch, why oVirt can't just pass user information
> and you could check against it? This may require to create some
> configuration files for libvirt about end users.
> What is an advantage of authenticating oVirt, and then impersonation for end
> user?

Libvirt authentication happens when a connection is opened - oVirt doesn't open a connection for each user. So you have to have a way to authenticate the initial connection, and then authorize individual APIs made on it.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Anastasiya Ruzhanskaya
2018-May-27 17:03 UTC
Re: [libvirt-users] Libvirt access control drivers
Hello! I still want to clarify one question. Instead of authenticating oVirt and then impersonating each user, oVirt can just pass user information inside messages and libvirt at the end can read this user information inside RPC messages (perhaps the user login could be written in one of the string fields of the RPC message, simply login = <...> inside the message). Why will this (assume that it is possible to implement this for everyone) not work?

2018-05-14 12:25 GMT+03:00 Daniel P. Berrangé <berrange@redhat.com>:
> On Sat, May 12, 2018 at 11:36:08AM +0300, Anastasiya Ruzhanskaya wrote:
> > I actually didn't quite catch, why oVirt can't just pass user information
> > and you could check against it? This may require to create some
> > configuration files for libvirt about end users.
> > What is an advantage of authenticating oVirt, and then impersonation for
> > end user?
>
> Libvirt authentication happens when a connection is opened - oVirt doesn't
> open a connection for each user. So you have to have a way to authenticate
> the initial connection, and then authorize individual APIs made on it.
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
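The model Daniel describes in the thread (authenticate once when the connection is opened, then authorize each API call on that connection against the bound identity, with any end-user name asserted by the management app honoured only as impersonation by an identity permitted to do so) can be sketched in a few lines. The code below is an added illustration written for this archive page; it is not libvirt's implementation and not part of the thread. The certificate distinguished names, identity names, permission sets and the "login" field in the message dict are all constructed for the example, and the "ovirt-engine", "fred" and "alice" identities are hypothetical.

```python
"""Toy model of connection-time authentication plus per-call authorization.

Constructed illustration of the design discussed on libvirt-users; it is not
libvirt code. Identity is fixed once at connection open (here: from a client
certificate DN, as Daniel mentions for TLS), and each RPC message is then
authorized against that identity. A "login" field carried inside the message
is treated as a request to impersonate, which only a trusted management
identity may do.
"""
from dataclasses import dataclass


class AccessDenied(Exception):
    pass


# Constructed: client certificate DNs accepted at connection open, mapped to
# the identity bound to the connection for its whole lifetime.
TRUSTED_DNS = {
    "CN=ovirt-engine,O=Example Org": "ovirt-engine",
    "CN=alice,O=Example Org": "alice",
}

# Constructed: API actions each identity may invoke (the ACL half of the model).
PERMISSIONS = {
    "ovirt-engine": {"domain:getattr", "domain:start", "domain:stop"},
    "fred": {"domain:getattr", "domain:start"},
    "alice": {"domain:getattr"},
}

# Constructed: identities allowed to assert an end-user name on individual calls.
MAY_IMPERSONATE = {"ovirt-engine"}


@dataclass(frozen=True)
class Connection:
    identity: str  # set once by the auth layer; frozen so later calls cannot change it


def open_connection(client_cert_dn: str) -> Connection:
    """Authenticate the peer exactly once, at connection open."""
    identity = TRUSTED_DNS.get(client_cert_dn)
    if identity is None:
        raise AccessDenied(f"unknown client certificate: {client_cert_dn}")
    return Connection(identity)


def authorize(conn: Connection, rpc_msg: dict) -> str:
    """Authorize one RPC message on an already-authenticated connection.

    rpc_msg is a constructed stand-in for a libvirt RPC call, e.g.
    {"api": "domain:start", "login": "fred"}. Returns the effective identity
    the call is authorized as, or raises AccessDenied.
    """
    effective = conn.identity
    asserted = rpc_msg.get("login")
    if asserted is not None and asserted != conn.identity:
        # A login carried inside the message is never trusted on its own:
        # it is honoured only if the *connected* identity may impersonate.
        if conn.identity not in MAY_IMPERSONATE:
            raise AccessDenied(f"{conn.identity} may not act as {asserted}")
        effective = asserted
    if rpc_msg["api"] not in PERMISSIONS.get(effective, set()):
        raise AccessDenied(f"{effective} may not call {rpc_msg['api']}")
    return effective


def simulate() -> dict:
    """Run the scenarios raised in the thread and report each outcome."""
    results = {}
    engine = open_connection("CN=ovirt-engine,O=Example Org")
    alice = open_connection("CN=alice,O=Example Org")
    scenarios = {
        # management app, one connection, acting for end user "fred"
        "engine_as_fred_start": (engine, {"api": "domain:start", "login": "fred"}),
        # impersonation does not widen fred's own permissions
        "engine_as_fred_stop": (engine, {"api": "domain:stop", "login": "fred"}),
        # a plain client putting someone else's login in the message
        "alice_claims_fred": (alice, {"api": "domain:start", "login": "fred"}),
        # the same client acting as itself
        "alice_own_getattr": (alice, {"api": "domain:getattr"}),
    }
    for name, (conn, msg) in scenarios.items():
        try:
            results[name] = "allowed as " + authorize(conn, msg)
        except AccessDenied as exc:
            results[name] = "denied: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:24s} {outcome}")
```

The point the simulation makes is the one from Daniel's May 11 and May 14 mails: libvirt can only evaluate a "login" string in a message relative to the identity it already established for that connection, so the authenticated peer must be trusted to impersonate before such a field means anything, and per-user checks then happen per API call on the single shared connection.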