On Fri, Nov 30, 2012 at 11:33:30AM -0500, Dmitri Pal wrote:
> On 11/30/2012 10:20 AM, Daniel P. Berrange wrote:
> > On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
> >> On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange <berra...@redhat.com>
> >> wrote:
> >>> On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
> >>>> hi,
> >>>>
> >>>> sasl_allowed_username_list = ["ad...@ipa.example.com" ]
> >>>>
> >>>> if I leave this field commented out (default setting), everybody can
> >>>> manage the kvm host.
> >>> Oh it isn't very obvious, but in this log message:
> >>>
> >>>>>>> 2012-11-30 12:00:53.403+0000: 7786: error :
> >>>>>>> virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
> >>> 'admin' is the identity being matched against.
> >>>
> >>> We ought to quote that string in the log message to make it more
> >>> obvious.
> >>>
> >>> So I guess SASL/GSSAPI is not giving us back the REALM, just
> >>> the username
> >>>
> >>> So you need to change your whitelist to leave out the realm.
> >> Bingo!
> >>
> >> Thanks. If I may just hijack this thread: is it possible to whitelist
> >> groups instead of individual users to use virsh/virtual manager?
> >>
> >> I know sasl only deals with the authentication stuff, but here you are
> >> also authorizing in the whitelist. If this authorization could go
> >> further to allow ipa groups, that would be ideal from an admin point
> >> of view ;-)
> > It is desirable, but we don't have any way to find out information about
> > groups. The authorization problem is something we've yet to really get
> > a good pluggable solution for, though perhaps policykit would help here.
> >
> > Daniel
> PolicyKit is local escalation to admin privileges. The PolicyKit
> policies are not centrally managed, they are preinstalled.
> Are you sure it is the right mechanism?
> Should there be some more centrally managed mechanism for access control
> rules like HBAC or SUDO?
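As an added illustration of the whitelist behaviour the thread works through (this is an example written for this page, not part of the original exchange and not libvirt's own documentation), here is a libvirtd.conf fragment showing the three states discussed: the option left commented out, a realm-qualified entry that never matches, and the bare username that matches the identity libvirt reports in its log line. The realm "IPA.EXAMPLE.COM" and the user "admin" are placeholders standing in for the obfuscated values in the thread.

```ini
# /etc/libvirt/libvirtd.conf (excerpt; added example, not from the thread)

# Use SASL on the TCP listener so that GSSAPI/Kerberos authentication applies.
auth_tcp = "sasl"

# 1. Default (option commented out): every client that authenticates
#    successfully is allowed to manage the host.
#sasl_allowed_username_list = []

# 2. Realm-qualified entry: libvirt compares the whitelist against the
#    identity it logs ("SASL client admin not allowed ..."), which here
#    carries no realm, so this entry never matches and all clients are rejected.
#sasl_allowed_username_list = ["admin@IPA.EXAMPLE.COM"]

# 3. Bare username, matching what SASL/GSSAPI handed back in the thread.
sasl_allowed_username_list = ["admin"]
```

Before editing the list, take the identity string from the virNetSASLContextCheckIdentity error line in the libvirtd log on the host and whitelist exactly that form; whether the realm is present in that string is a property of the SASL layer on the server, not of the whitelist syntax, so the log is the authoritative check. Note also that, as the thread states, this list is a per-user whitelist and offers no group-based authorization.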