Re: [libvirt] [PATCH 12/14] Add APIs for handling lookup of auth credentials from config file
On Thu, Mar 22, 2012 at 07:02:31AM -0600, Eric Blake wrote:
> On 03/20/2012 11:33 AM, Daniel P. Berrange wrote:
> > From: Daniel P. Berrange berra...@redhat.com
> >
> > This defines the format for the auth credential config file and
> > provides APIs to access the data.
> >
> > The config file contains one or more named 'credential' sets
> >
> > [credentials-$NAME]
> > credname1=value1
> > credname2=value2
> >
> > eg
> >
> > [credentials-test]
> > authname=fred
> > password=123456
>
> I'm not always a fan of plain-text passwords; do you have plans to
> further enhance this to hook into our virSecret design, where the
> config file can list the name of a secret to reference, which in turn
> will trigger appropriate calls to the virSecret API to grab credentials
> on first use, securely caching them for later uses that need the same
> credentials but without the drawbacks of plain-text config files?
>
> But that's future enhancement, and doesn't stop this patch from going
> in once you address Osier's review comments.

These credentials are required in order to establish a connection to
libvirt, so we don't have any virSecret APIs available yet. In addition,
this is client side, while the virSecret APIs are server side.

Obviously this is not an ideal scenario from a security POV, but it is
an optional feature. If people are using SASL Password auth and want to
automate libvirt logins, there's not much choice in the matter. If they
want something more secure they can set up SSH keys, or PolicyKit or
Kerberos tickets. I envisage this as relevant for test/dev scenarios
rather than production.

Daniel

-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 12/14] Add APIs for handling lookup of auth credentials from config file
On 2012-03-21 01:33, Daniel P. Berrange wrote:
From: Daniel P. Berrange berra...@redhat.com

This defines the format for the auth credential config file and
provides APIs to access the data.

The config file contains one or more named 'credential' sets

[credentials-$NAME]
credname1=value1
credname2=value2

eg

[credentials-test]
authname=fred
password=123456

[credentials-prod]
authname=bar
password=letmein

There are then one or more 'auth' sets which match services/hosts
and map to credential sets.

[auth-$SERVICE-$HOSTNAME]
credentials=$CREDENTIALS

eg

[auth-libvirt-test1.example.com]
credentials=test

[auth-libvirt-test2.example.com]
credentials=test

[auth-libvirt-demo3.example.com]
credentials=test

[auth-libvirt-prod1.example.com]
credentials=prod

* docs/auth.html.in: Document use of client auth config files
* src/Makefile.am, src/libvirt_private.syms, src/util/virauthconfig.c,
  src/util/virauthconfig.h: Add APIs for processing auth.conf file
---
 docs/auth.html.in         | 118 ++-
 po/POTFILES.in            |   1 +
 src/Makefile.am           |   1 +
 src/libvirt_private.syms  |   7 ++
 src/util/virauthconfig.c  | 175 +
 src/util/virauthconfig.h  |  45
 tests/Makefile.am         |   9 ++-
 tests/virauthconfigtest.c | 140
 8 files changed, 494 insertions(+), 2 deletions(-)
 create mode 100644 src/util/virauthconfig.c
 create mode 100644 src/util/virauthconfig.h
 create mode 100644 tests/virauthconfigtest.c

diff --git a/docs/auth.html.in b/docs/auth.html.in index 2163959..ecff0fc 100644 --- a/docs/auth.html.in +++ b/docs/auth.html.in @@ -1,7 +1,7 @@ ?xml version=1.0? html body -h1Access control/h1 +h1Authenticationamp; access control/h1 p When connecting to libvirt, some connections may require client authentication before allowing use of the APIs. The set of possible 
@@ -11,6 +11,122 @@ ul id=toc/ul +h2a name=Auth_client_configClient configuration/a/h2 + +p + When connecting to a remote hypervisor which requires authentication, +most libvirt applications will prompt the user for the credentials. It is +also possible to provide a client configuration file containing all the +authentication credentials, avoiding any interaction. Libvirt will look +for the authentication file using the following sequence: +/p +ol +liThe file path specified by the $LIBVIRT_AUTH_FILE environment +variable./li +liThe file path specified by the authfile=/some/file URI +query parameter/li +liThe file $HOME/.libvirt/auth.conf/li +liThe file /etc/libvirt/auth.conf/li +/ol + +p + The auth configuration file uses the traditionalcode.ini/code + style syntax. There are two types of groups that can be present in + the config. First there are one or morestrongcredential/strong + sets, which provide the actual authentication credentials. The keys + within the group may be: +/p + +ul +licodeusername/code: the user login name to act as. This +is relevant for ESX, Xen, HyperV and SSH, but probably not +the one you want to libvirtd with SASL./li +licodeauthname/code: the name to authorize as. This is +what is commonly required for libvirtd with SASL./li +licodepassword/code: the secret password/li +licoderealm/code: the domain realm for SASL, mostly +unused/li +/ul + +p + Each set of credentials has a name, which is part of the group + entry name. Overall the syntax is +/p + +pre +[credentials-$NAME] +credname1=value1 +credname2=value2/pre + +p + For example, to define two sets of credentials used for production + and test machines, using libvirtd, and a further ESX server for dev: +/p +pre +[credentials-test] +authname=fred +password=123456 + +[credentials-prod] +authname=bar +password=letmein + +[credentials-dev] +username=joe +password=hello/pre + +p + The second set of groups provide mappings of credentials to + specific machine services. 
The config file group names compromise + the service type and host: +/p + +pre +[auth-$SERVICE-$HOSTNAME] +credentials=$CREDENTIALS/pre + +p + For example, following the previous example, here is how to + list some machines +/p + +pre +[auth-libvirt-test1.example.com] +credentials=test + +[auth-libvirt-test2.example.com] +credentials=test + +[auth-libvirt-demo3.example.com] +credentials=test + +[auth-libvirt-prod1.example.com] +credentials=prod + +[auth-esx-dev1.example.com] +credentials=dev/pre + +p + The following service types are known to libvirt +/p + +ol +licodelibvirt/code - used for connections to a libvirtd +server, which is configured with SASL auth/li +licodessh/code - used for connections to a Phyp server +over SSH/li +licodeesx/code - used for connections to an ESX or +VirtualCenter
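Review bot: The lookup sequence in the docs/auth.html.in hunk ($LIBVIRT_AUTH_FILE, then the authfile= URI parameter, then $HOME/.libvirt/auth.conf, then /etc/libvirt/auth.conf) does not say whether the first file found wins or whether later files are still consulted when the first one has no matching [auth-$SERVICE-$HOSTNAME] group; please state the rule explicitly, because a missing per-user mapping silently falling through to /etc/libvirt/auth.conf changes which credentials get sent to a host. It is also worth a sentence explaining why the environment variable takes precedence over an authfile= that the caller put in the URI itself, since a reader would probably expect the more specific URI setting to win.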
Re: [libvirt] [PATCH 12/14] Add APIs for handling lookup of auth credentials from config file
On 03/20/2012 11:33 AM, Daniel P. Berrange wrote:
> From: Daniel P. Berrange berra...@redhat.com
>
> This defines the format for the auth credential config file and
> provides APIs to access the data.
>
> The config file contains one or more named 'credential' sets
>
> [credentials-$NAME]
> credname1=value1
> credname2=value2
>
> eg
>
> [credentials-test]
> authname=fred
> password=123456

I'm not always a fan of plain-text passwords; do you have plans to
further enhance this to hook into our virSecret design, where the
config file can list the name of a secret to reference, which in turn
will trigger appropriate calls to the virSecret API to grab credentials
on first use, securely caching them for later uses that need the same
credentials but without the drawbacks of plain-text config files?

But that's future enhancement, and doesn't stop this patch from going
in once you address Osier's review comments.

-- 
Eric Blake ebl...@redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[libvirt] [PATCH 12/14] Add APIs for handling lookup of auth credentials from config file
From: Daniel P. Berrange berra...@redhat.com

This defines the format for the auth credential config file and
provides APIs to access the data.

The config file contains one or more named 'credential' sets

[credentials-$NAME]
credname1=value1
credname2=value2

eg

[credentials-test]
authname=fred
password=123456

[credentials-prod]
authname=bar
password=letmein

There are then one or more 'auth' sets which match services/hosts
and map to credential sets.

[auth-$SERVICE-$HOSTNAME]
credentials=$CREDENTIALS

eg

[auth-libvirt-test1.example.com]
credentials=test

[auth-libvirt-test2.example.com]
credentials=test

[auth-libvirt-demo3.example.com]
credentials=test

[auth-libvirt-prod1.example.com]
credentials=prod

* docs/auth.html.in: Document use of client auth config files
* src/Makefile.am, src/libvirt_private.syms, src/util/virauthconfig.c,
  src/util/virauthconfig.h: Add APIs for processing auth.conf file
---
 docs/auth.html.in         | 118 ++-
 po/POTFILES.in            |   1 +
 src/Makefile.am           |   1 +
 src/libvirt_private.syms  |   7 ++
 src/util/virauthconfig.c  | 175 +
 src/util/virauthconfig.h  |  45
 tests/Makefile.am         |   9 ++-
 tests/virauthconfigtest.c | 140
 8 files changed, 494 insertions(+), 2 deletions(-)
 create mode 100644 src/util/virauthconfig.c
 create mode 100644 src/util/virauthconfig.h
 create mode 100644 tests/virauthconfigtest.c

diff --git a/docs/auth.html.in b/docs/auth.html.in index 2163959..ecff0fc 100644 --- a/docs/auth.html.in +++ b/docs/auth.html.in @@ -1,7 +1,7 @@ ?xml version=1.0? html body -h1 Access control/h1 +h1 Authentication amp; access control/h1 p When connecting to libvirt, some connections may require client authentication before allowing use of the APIs. The set of possible 
@@ -11,6 +11,122 @@ ul id=toc/ul +h2a name=Auth_client_configClient configuration/a/h2 + +p + When connecting to a remote hypervisor which requires authentication, +most libvirt applications will prompt the user for the credentials. It is +also possible to provide a client configuration file containing all the +authentication credentials, avoiding any interaction. Libvirt will look +for the authentication file using the following sequence: +/p +ol + liThe file path specified by the $LIBVIRT_AUTH_FILE environment +variable./li + liThe file path specified by the authfile=/some/file URI +query parameter/li + liThe file $HOME/.libvirt/auth.conf/li + liThe file /etc/libvirt/auth.conf/li +/ol + +p + The auth configuration file uses the traditional code.ini/code + style syntax. There are two types of groups that can be present in + the config. First there are one or more strongcredential/strong + sets, which provide the actual authentication credentials. The keys + within the group may be: +/p + +ul + licodeusername/code: the user login name to act as. This +is relevant for ESX, Xen, HyperV and SSH, but probably not +the one you want to libvirtd with SASL./li + licodeauthname/code: the name to authorize as. This is +what is commonly required for libvirtd with SASL./li + licodepassword/code: the secret password/li + licoderealm/code: the domain realm for SASL, mostly +unused/li +/ul + +p + Each set of credentials has a name, which is part of the group + entry name. Overall the syntax is +/p + +pre +[credentials-$NAME] +credname1=value1 +credname2=value2/pre + +p + For example, to define two sets of credentials used for production + and test machines, using libvirtd, and a further ESX server for dev: +/p +pre +[credentials-test] +authname=fred +password=123456 + +[credentials-prod] +authname=bar +password=letmein + +[credentials-dev] +username=joe +password=hello/pre + +p + The second set of groups provide mappings of credentials to + specific machine services. 
The config file group names compromise + the service type and host: +/p + +pre +[auth-$SERVICE-$HOSTNAME] +credentials=$CREDENTIALS/pre + +p + For example, following the previous example, here is how to + list some machines +/p + +pre +[auth-libvirt-test1.example.com] +credentials=test + +[auth-libvirt-test2.example.com] +credentials=test + +[auth-libvirt-demo3.example.com] +credentials=test + +[auth-libvirt-prod1.example.com] +credentials=prod + +[auth-esx-dev1.example.com] +credentials=dev/pre + +p + The following service types are known to libvirt +/p + +ol + licodelibvirt/code - used for connections to a libvirtd +server, which is configured with SASL auth/li + licodessh/code - used for connections to a Phyp server +over SSH/li +
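Review bot: In the docs/auth.html.in hunk, "The config file group names compromise the service type and host" should read "comprise", and "probably not the one you want to libvirtd with SASL" is missing its verb ("want to use with libvirtd"). The same hunk documents that password= holds the secret in plain text and that the file may live at $HOME/.libvirt/auth.conf, so it should also state the expected file permissions (owner-only, e.g. 0600) and, ideally, that libvirt refuses or warns on a file readable by other local accounts; otherwise users will copy the example verbatim and leave their SASL password world-readable.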
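As an added illustration of the format described in the commit message (this is not libvirt's own virauthconfig code), the Python below resolves a (service, hostname) pair through an auth.conf: the [auth-$SERVICE-$HOSTNAME] group names a credential set, and the matching [credentials-$NAME] group supplies the key/value pairs. It also walks the documented file search order and adds a check the patch does not include, refusing a file readable by other users because password= is stored in plain text; the sample config, the first-file-wins rule and the prompt fallback are assumptions.

```python
import configparser
import os
import stat
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the 'test' credential set and one host mapping from the patch description
SAMPLE = """\
[credentials-test]
authname=fred
password=123456

[auth-libvirt-test1.example.com]
credentials=test
"""

def candidate_paths(uri, env, home):
    """Documented search order: $LIBVIRT_AUTH_FILE, ?authfile= in the URI, ~/.libvirt, /etc/libvirt."""
    paths = [env["LIBVIRT_AUTH_FILE"]] if env.get("LIBVIRT_AUTH_FILE") else []
    paths += parse_qs(urlsplit(uri).query).get("authfile", [])
    paths.append(os.path.join(home, ".libvirt", "auth.conf"))
    paths.append("/etc/libvirt/auth.conf")
    return paths

def check_private(path):
    """Added caveat, not in the patch: password= is plain text, so reject group/world access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is group/world accessible (mode %04o)" % (path, mode))

def resolve(text, service, hostname):
    """[auth-$SERVICE-$HOSTNAME] credentials=$NAME -> the key/values of [credentials-$NAME]."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    auth = "auth-%s-%s" % (service, hostname)
    if not cfg.has_section(auth):
        return None  # no mapping for this host; assumed fallback is interactive prompting
    cred = "credentials-" + cfg.get(auth, "credentials")
    if not cfg.has_section(cred):
        raise KeyError("%s refers to missing credential set %s" % (auth, cred))
    return dict(cfg.items(cred))

def load(uri, service, hostname, env, home):
    """First existing candidate wins (assumption: the patch does not say whether files merge)."""
    for path in candidate_paths(uri, env, home):
        if os.path.exists(path):
            check_private(path)
            with open(path) as f:
                return resolve(f.read(), service, hostname)
    return None
```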