Setup default access control manager in libvirtd

Add a new 'access_drivers' config parameter to the libvirtd.conf configuration file. This allows admins to setup the default access control drivers to use for API authorization. The same driver is to be used by all internal drivers & APIs Signed-off-by: N Daniel P. Berrange <berrange@redhat.com>

Setup default access control manager in libvirtd
Add a new 'access_drivers' config parameter to the libvirtd.conf configuration file. This allows admins to setup the default access control drivers to use for API authorization. The same driver is to be used by all internal drivers & APIs Signed-off-by: N Daniel P. Berrange <berrange@redhat.com>
ed3bac71 · Daniel P. Berrange · ba7b867b · ed3bac71 · ed3bac71 · ed3bac71
8 changed file
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -24,6 +24,7 @@ INCLUDES = \
 	-I$(top_srcdir)/src/conf \
 	-I$(top_srcdir)/src/rpc \
 	-I$(top_srcdir)/src/remote \
+	-I$(top_srcdir)/src/access \
 	$(GETTEXT_CPPFLAGS)

 CLEANFILES =

--- a/daemon/libvirtd-config.c
+++ b/daemon/libvirtd-config.c
@@ -379,6 +379,10 @@ daemonConfigLoadOptions(struct daemonConfig *data,
    if (remoteConfigGetAuth(conf, "auth_tls", &data->auth_tls, filename) < 0)
        goto error;

+    if (remoteConfigGetStringList(conf, "access_drivers",
+                                  &data->access_drivers, filename) < 0)
+        goto error;
+
    GET_CONF_STR(conf, filename, unix_sock_group);
    GET_CONF_STR(conf, filename, unix_sock_ro_perms);
    GET_CONF_STR(conf, filename, unix_sock_rw_perms);

--- a/daemon/libvirtd-config.h
+++ b/daemon/libvirtd-config.h
@@ -45,6 +45,8 @@ struct daemonConfig {
    int auth_tcp;
    int auth_tls;

+    char **access_drivers;
+
    int mdns_adv;
    char *mdns_name;


--- a/daemon/libvirtd.aug
+++ b/daemon/libvirtd.aug
@@ -51,6 +51,7 @@ module Libvirtd =
                           | bool_entry "tls_no_sanity_certificate"
                           | str_array_entry "tls_allowed_dn_list"
                           | str_array_entry "sasl_allowed_username_list"
+                           | str_array_entry "access_drivers"

   let processing_entry = int_entry "min_workers"
                        | int_entry "max_workers"

--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -52,8 +52,9 @@
 #include "remote.h"
 #include "virhook.h"
 #include "viraudit.h"
-#include "locking/lock_manager.h"
 #include "virstring.h"
+#include "locking/lock_manager.h"
+#include "viraccessmanager.h"

 #ifdef WITH_DRIVER_MODULES
 # include "driver.h"
@@ -728,6 +729,26 @@ error:
 }


+static int
+daemonSetupAccessManager(struct daemonConfig *config)
+{
+    virAccessManagerPtr mgr;
+    const char *none[] = { "none", NULL };
+    const char **driver = (const char **)config->access_drivers;
+
+    if (!driver ||
+        !driver[0])
+        driver = none;
+
+    if (!(mgr = virAccessManagerNewStack(driver)))
+        return -1;
+
+    virAccessManagerSetDefault(mgr);
+    virObjectUnref(mgr);
+    return 0;
+}
+
+
 /* Display version information. */
 static void
 daemonVersion(const char *argv0)
@@ -872,6 +893,9 @@ handleSystemMessageFunc(DBusConnection *connection ATTRIBUTE_UNUSED,
 static void daemonRunStateInit(void *opaque)
 {
    virNetServerPtr srv = opaque;
+    virIdentityPtr sysident = virIdentityGetSystem();
+
+    virIdentitySetCurrent(sysident);

    /* Since driver initialization can take time inhibit daemon shutdown until
       we're done so clients get a chance to connect */
@@ -914,6 +938,8 @@ static void daemonRunStateInit(void *opaque)
 cleanup:
    daemonInhibitCallback(false, srv);
    virObjectUnref(srv);
+    virObjectUnref(sysident);
+    virIdentitySetCurrent(NULL);
 }

 static int daemonStateInit(virNetServerPtr srv)
@@ -1260,6 +1286,11 @@ int main(int argc, char **argv) {
        exit(EXIT_FAILURE);
    }

+    if (daemonSetupAccessManager(config) < 0) {
+        VIR_ERROR(_("Can't initialize access manager"));
+        exit(EXIT_FAILURE);
+    }
+
    if (!pid_file &&
        daemonPidFilePath(privileged,
                          &pid_file) < 0) {

--- a/daemon/libvirtd.conf
+++ b/daemon/libvirtd.conf
@@ -155,6 +155,15 @@
 #auth_tls = "none"


+# Change the API access control scheme
+#
+# By default an authenticated user is allowed access
+# to all APIs. Access drivers can place restrictions
+# on this. By default the 'nop' driver is enabled,
+# meaning no access control checks are done once a
+# client has authenticated with libvirtd
+#
+#access_drivers = [ ]

 #################################################################
 #

--- a/daemon/test_libvirtd.aug.in
+++ b/daemon/test_libvirtd.aug.in
@@ -17,6 +17,8 @@ module Test_libvirtd =
        { "auth_unix_rw" = "none" }
        { "auth_tcp" = "sasl" }
        { "auth_tls" = "none" }
+        { "access_drivers"
+        }
        { "key_file" = "/etc/pki/libvirt/private/serverkey.pem" }
        { "cert_file" = "/etc/pki/libvirt/servercert.pem" }
        { "ca_file" = "/etc/pki/CA/cacert.pem" }

--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1388,9 +1388,12 @@ virHookPresent;

 # util/viridentity.h
 virIdentityGetAttr;
+virIdentityGetCurrent;
+virIdentityGetSystem;
 virIdentityIsEqual;
 virIdentityNew;
 virIdentitySetAttr;
+virIdentitySetCurrent;


 # util/virinitctl.h