On Fri, Nov 30, 2012 at 11:33:30AM -0500, Dmitri Pal wrote:
> On 11/30/2012 10:20 AM, Daniel P. Berrange wrote:
> > On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
> >> On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange <berra...@redhat.com> 
> >> wrote:
> >>> On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
> >>>> hi,
> >>>>
> >>>> sasl_allowed_username_list = ["ad...@ipa.example.com" ]
> >>>>
> >>>> if I leave this field commented out (default setting), everybody can
> >>>> manage the kvm host.
> >>> Oh it isn't very obvious, but in this log message:
> >>>
> >>>>>>> 2012-11-30 12:00:53.403+0000: 7786: error :
> >>>>>>> virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
> >>> 'admin' is the identity being matched against.
> >>>
> >>> We ought to quote that string in the log message to make it more
> >>> obvious.
> >>>
> >>> So I guess SASL/GSSAPI is not giving us back the REALM, just
> >>> the username
> >>>
> >>> So you need to change your whitelist to leave out the realm.
> >> Bingo!
> >>
> >> Thanks. If I may just hijack this thread: is it possible to whitelist
> >> groups instead of individual users to use virsh/virtual manager?
> >>
> >> I know sasl only deals with the authentication stuff, but here you are
> >> also authorizing in the whitelist. If this authorization could go
> >> further to allow ipa groups, that would be ideal from an admin point
> >> of view ;-)
> > It is desirable, but we don't have any way to find out information about
> > groups. The authorization problem is something we've yet to really get
> > a good pluggable solution for, though perhaps policykit would help here.
> >
> > Daniel
> PolicyKit is local escalation to admin privileges. The PolicyKit
> policies are not centrally managed, they are preinstalled.
> Are you sure it is the right mechanism?
> Should there be some more centrally managed mechanism for access control
> rules like HBAC or SUDO?

You're referring to the traditional policykit backend based on
a local policy file database. More generally policykit is
pluggable, so you could reference an off-node policy store.
In theory the new javascript engine for policykit could be
used to do a check against ldap or IPA, but I've no idea if
that'd work out in reality, without more investigation.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
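The whitelist behaviour discussed above, as an added example that is not part of the thread or of libvirt's own code: it parses a constructed libvirtd.conf line, strips the realm from the Kerberos principal the way the poster observed SASL/GSSAPI doing, and applies the whitelist check. Two assumptions are made: that libvirt treats a commented-out sasl_allowed_username_list as "everyone who authenticates is allowed" (as the poster reported), and that each entry is matched against the SASL identity with fnmatch(3)-style wildcards; the principal, hostnames and entries are made up.

```python
import fnmatch
import re

# Constructed libvirtd.conf fragments (not from the poster's host).
# The first is the setting that failed in the thread, the second the
# corrected one without the realm, the third the default (commented out).
CONF_WITH_REALM = 'sasl_allowed_username_list = ["admin@ipa.example.com" ]\n'
CONF_WITHOUT_REALM = 'sasl_allowed_username_list = ["admin", "ops-*"]\n'
CONF_COMMENTED_OUT = '#sasl_allowed_username_list = ["admin"]\n'

_LINE = re.compile(r'^\s*sasl_allowed_username_list\s*=\s*\[(.*)\]\s*$')


def parse_whitelist(conf_text):
    """Return the list of whitelist patterns, or None when the setting is
    absent or commented out (the libvirt default)."""
    for line in conf_text.splitlines():
        m = _LINE.match(line)
        if m:
            return [e.strip().strip('"') for e in m.group(1).split(',')
                    if e.strip()]
    return None


def sasl_identity(principal):
    """Model what the thread observed: SASL/GSSAPI hands libvirt the bare
    username, not the full Kerberos principal (realm-stripping is assumed
    to be the observed behaviour, not a guaranteed property of SASL)."""
    return principal.split('@', 1)[0]


def identity_allowed(identity, whitelist):
    """Model of virNetSASLContextCheckIdentity: with no whitelist every
    authenticated client is authorised; otherwise the identity must match
    one entry. Assumption: entries are fnmatch-style patterns."""
    if whitelist is None:
        return True
    return any(fnmatch.fnmatchcase(identity, pat) for pat in whitelist)


def check(principal, conf_text):
    """Full path: config -> whitelist, principal -> identity, then match.
    Returns True when the client would be allowed to manage the host."""
    whitelist = parse_whitelist(conf_text)
    identity = sasl_identity(principal)
    allowed = identity_allowed(identity, whitelist)
    if not allowed:
        # Quote the identity, as Daniel suggests the real log line should.
        print("virNetSASLContextCheckIdentity: SASL client '%s' not allowed "
              "in whitelist %r" % (identity, whitelist))
    return allowed


if __name__ == "__main__":
    # The poster's failing case, then the fix, then the open-to-all default.
    print(check("admin@IPA.EXAMPLE.COM", CONF_WITH_REALM))      # False
    print(check("admin@IPA.EXAMPLE.COM", CONF_WITHOUT_REALM))   # True
    print(check("anyone@IPA.EXAMPLE.COM", CONF_COMMENTED_OUT))  # True
```

The third case is the one worth checking on a real host: with the setting commented out, the model (and, per the poster's report, libvirtd) authorises every principal the KDC will authenticate, so the whitelist is the only authorisation step SASL gives you until group-aware policy (the polkit/IPA idea raised above) exists.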