On Thu, 2014-07-17 at 10:38 +0200, Jan Safranek wrote:
Hello,
I've been working on reusing polkit authorization for OpenLMI providers, which use a DBus service (e.g. NetworkManager, PackageKit, realmd, systemd, ...).
Jan, can customers modify or create access policies or is this hardcoded into the Providers?
I've documented the architecture on our wiki [1] and I submitted a review in our review-board. I won't push the patches until we get to an agreement that it's the way to go and also the implementation is secure - please review carefully. There are *no* changes needed in our provider code and/or in the DBus services we work with.
1: https://fedorahosted.org/openlmi/wiki/PolkitAuthorization
2: https://reviewboard-openlmi.rhcloud.com/users/jsafrane/
In short, the concept is similar to Cockpit's reauthorization [3], we just don't play tricks with user passwords - we don't have one on CIM provider level. Instead, we register a polkit agent, which bluntly authenticates every request from polkit in its PAM session.
3: https://github.com/cockpit-project/cockpit/blob/master/doc/reauthorize.md
[Kudos to Cockpit guys, I used their code to implement polkit agent and helper.]
Just a side note: right now, users with remote CIM access must be members of 'pegasus' group, otherwise they cannot start a provider. Is it good or bad? Should _any_ user be able to use CIM by default and let polkit decide? It's trivial to fix, just set different file/directory permissions in tog-pegasus.rpm. And there is /etc/Pegasus/access.conf, which can control access properly if sysadmin wishes, so the question is just about the default setting.
Jan
openlmi-devel mailing list
openlmi-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/openlmi-devel