Setup default access control manager in libvirtd

Add a new 'access_drivers' config parameter to the libvirtd.conf
configuration file. This allows admins to setup the default
access control drivers to use for API authorization. The same
driver is to be used by all internal drivers & APIs

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index fca0eacf7e37b22648b007b383ec59f7413cb028..e8a8371585965ebca2da529ea217cf606c1369c8 100644 (file)
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -24,6 +24,7 @@ INCLUDES = \
        -I$(top_srcdir)/src/conf \
        -I$(top_srcdir)/src/rpc \
        -I$(top_srcdir)/src/remote \
+       -I$(top_srcdir)/src/access \
        $(GETTEXT_CPPFLAGS)
 
 CLEANFILES =

diff --git a/daemon/libvirtd-config.c b/daemon/libvirtd-config.c
index d9357b7470b490e727942af2c60e90c1c6acd357..6f60256e473f68495e2d435619106e6e0889d3ee 100644 (file)
--- a/daemon/libvirtd-config.c
+++ b/daemon/libvirtd-config.c
@@ -379,6 +379,10 @@ daemonConfigLoadOptions(struct daemonConfig *data,
     if (remoteConfigGetAuth(conf, "auth_tls", &data->auth_tls, filename) < 0)
         goto error;
 
+    if (remoteConfigGetStringList(conf, "access_drivers",
+                                  &data->access_drivers, filename) < 0)
+        goto error;
+
     GET_CONF_STR(conf, filename, unix_sock_group);
     GET_CONF_STR(conf, filename, unix_sock_ro_perms);
     GET_CONF_STR(conf, filename, unix_sock_rw_perms);

diff --git a/daemon/libvirtd-config.h b/daemon/libvirtd-config.h
index 07118de4083596d9fab7256d175a5acbe393902c..973e0eab7445d8c9cac4fa41de450b16b817cad1 100644 (file)
--- a/daemon/libvirtd-config.h
+++ b/daemon/libvirtd-config.h
@@ -45,6 +45,8 @@ struct daemonConfig {
     int auth_tcp;
     int auth_tls;
 
+    char **access_drivers;
+
     int mdns_adv;
     char *mdns_name;
 

diff --git a/daemon/libvirtd.aug b/daemon/libvirtd.aug
index f32b3a1397ed289f40a1cd2cd026afb9ca9a9748..7c56a4111279a942c6151b09de85f466b623e8ae 100644 (file)
--- a/daemon/libvirtd.aug
+++ b/daemon/libvirtd.aug
@@ -51,6 +51,7 @@ module Libvirtd =
                            | bool_entry "tls_no_sanity_certificate"
                            | str_array_entry "tls_allowed_dn_list"
                            | str_array_entry "sasl_allowed_username_list"
+                           | str_array_entry "access_drivers"
 
    let processing_entry = int_entry "min_workers"
                         | int_entry "max_workers"

diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index ae6a15c7bd0c79b1e22145ac8988581c878a23e1..3db4f1cdf8d86003a1ee7cd5458e4609d42ab895 100644 (file)
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -52,8 +52,9 @@
 #include "remote.h"
 #include "virhook.h"
 #include "viraudit.h"
-#include "locking/lock_manager.h"
 #include "virstring.h"
+#include "locking/lock_manager.h"
+#include "viraccessmanager.h"
 
 #ifdef WITH_DRIVER_MODULES
 # include "driver.h"
@@ -728,6 +729,26 @@ error:
 }
 
 
+static int
+daemonSetupAccessManager(struct daemonConfig *config)
+{
+    virAccessManagerPtr mgr;
+    const char *none[] = { "none", NULL };
+    const char **driver = (const char **)config->access_drivers;
+
+    if (!driver ||
+        !driver[0])
+        driver = none;
+
+    if (!(mgr = virAccessManagerNewStack(driver)))
+        return -1;
+
+    virAccessManagerSetDefault(mgr);
+    virObjectUnref(mgr);
+    return 0;
+}
+
+
 /* Display version information. */
 static void
 daemonVersion(const char *argv0)
@@ -872,6 +893,9 @@ handleSystemMessageFunc(DBusConnection *connection ATTRIBUTE_UNUSED,
 static void daemonRunStateInit(void *opaque)
 {
     virNetServerPtr srv = opaque;
+    virIdentityPtr sysident = virIdentityGetSystem();
+
+    virIdentitySetCurrent(sysident);
 
     /* Since driver initialization can take time inhibit daemon shutdown until
        we're done so clients get a chance to connect */
@@ -914,6 +938,8 @@ static void daemonRunStateInit(void *opaque)
 cleanup:
     daemonInhibitCallback(false, srv);
     virObjectUnref(srv);
+    virObjectUnref(sysident);
+    virIdentitySetCurrent(NULL);
 }
 
 static int daemonStateInit(virNetServerPtr srv)
@@ -1260,6 +1286,11 @@ int main(int argc, char **argv) {
         exit(EXIT_FAILURE);
     }
 
+    if (daemonSetupAccessManager(config) < 0) {
+        VIR_ERROR(_("Can't initialize access manager"));
+        exit(EXIT_FAILURE);
+    }
+
     if (!pid_file &&
         daemonPidFilePath(privileged,
                           &pid_file) < 0) {

diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
index 47da5208eb19798e1d1b5942d153200277ba1b1f..9d7879c9825b39851b3ef5ad7e2c7bc84b7d1124 100644 (file)
--- a/daemon/libvirtd.conf
+++ b/daemon/libvirtd.conf
@@ -155,6 +155,15 @@
 #auth_tls = "none"
 
 
+# Change the API access control scheme
+#
+# By default an authenticated user is allowed access
+# to all APIs. Access drivers can place restrictions
+# on this. By default the 'nop' driver is enabled,
+# meaning no access control checks are done once a
+# client has authenticated with libvirtd
+#
+#access_drivers = [ ]
 
 #################################################################
 #

diff --git a/daemon/test_libvirtd.aug.in b/daemon/test_libvirtd.aug.in
index 455b74a196a7d71fe9a198549dc73d892cc6ca83..b9df7117bdf5fd2bcf803b64a9b4eed87bac4a94 100644 (file)
--- a/daemon/test_libvirtd.aug.in
+++ b/daemon/test_libvirtd.aug.in
@@ -17,6 +17,8 @@ module Test_libvirtd =
         { "auth_unix_rw" = "none" }
         { "auth_tcp" = "sasl" }
         { "auth_tls" = "none" }
+        { "access_drivers"
+        }
         { "key_file" = "/etc/pki/libvirt/private/serverkey.pem" }
         { "cert_file" = "/etc/pki/libvirt/servercert.pem" }
         { "ca_file" = "/etc/pki/CA/cacert.pem" }

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 9217ab90a4edf82725fd013ab29d02e2010b998a..9401d93c66b5509f7c988e3d83f31b489312bb86 100644 (file)
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1388,9 +1388,12 @@ virHookPresent;
 
 # util/viridentity.h
 virIdentityGetAttr;
+virIdentityGetCurrent;
+virIdentityGetSystem;
 virIdentityIsEqual;
 virIdentityNew;
 virIdentitySetAttr;
+virIdentitySetCurrent;
 
 
 # util/virinitctl.h