git.ipfire.org Git - thirdparty/libvirt.git/commit

author	John Ferlan <jferlan@redhat.com>
	Thu, 11 May 2017 13:17:09 +0000 (09:17 -0400)
committer	John Ferlan <jferlan@redhat.com>
	Thu, 25 May 2017 16:19:20 +0000 (12:19 -0400)
commit	2453501fc82d3b247affb6c9054dc65bf2f669b3
tree	f48f127e72a7bce204f1bdc997dea0417914fd10	tree \| snapshot
parent	0d3aff58e7ed190c97b40ee92f58cb0180cef6fe	commit \| diff

virsh: Track when create pkttyagent

https://bugzilla.redhat.com/show_bug.cgi?id=1374126

Due to how the processing for authentication using polkit works, the
virshConnect code must first "attempt" an virConnectOpenAuth and then
check for a "special" return error code VIR_ERR_AUTH_UNAVAILABLE in
order to attempt to "retry" the authentication after performing a creation
of a pkttyagent to handle the challenge/response for the client.

However, if pkttyagent creation is not possible for the authentication
being attempted (such as perhaps a "qemu+ssh://someuser@localhost/system"),
then the same failure pattern would be returned and another attempt to
create a pkttyagent would be done. This would continue "forever" until
someone forced quit (e.g. ctrl-c) from virsh as the 'authfail' was not
incremented when creating the pkttyagent.

So add a 'agentCreated' boolean to track if we've attempted to create the
agent at least once and force a failure if that creation returned the same
error pattern.

This resolves a possible never ending loop and will generate an error:

error: failed to connect to the hypervisor
error: authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'

NB: If the authentication was for a sufficiently privileged client, such as
qemu+ssh://root@localhost/system, then the remoteDispatchAuthList "allows"
the authentication to use libvirt since @callerUid would be 0.