Dont show system session for user #1917
Conversation
jelly
force-pushed
the
dont-show-system-session-for-user
branch
from
b3dcf68 to
54f83f0
Compare
test/check-machines-create
Outdated
| b.click("#create-new-vm") | ||
| b.wait_visible("#create-vm-dialog") | ||
| b.wait_not_present("#connection") |
There was a problem hiding this comment.
Do we have any other test which covers VM creation in unprivileged mode? If so, this would better fit there. If not, that's a major gap indeed, and this test should actually create the VM and check that it starts and boots fine (including the "wait for login prompt").
There was a problem hiding this comment.
I believe this is confusingly what TestMachinesLifecycle does:
def _testBasic(self, user=None, superuser=True, expect_empty_list=False, run_pixel_tests=False):
b = self.browser
m = self.machine
# We want no initial watchdog
args = self.createVm("subVmTest1", os="linux2016")
self.login_and_go("/machines", user=user, superuser=superuser)
So we can drop this test
|
|
||
| const detailsTab = ( | ||
| <> | ||
| {superuser.allowed && |
There was a problem hiding this comment.
Hmm, I think people can create polkit rules to allow non-priv users access to the "system" connection. In fact cockpit-machines always connects to both "system" and "session" on initialization and tolerates AccessDenied errors for non-priv users.
So I think we should make a new global flag that says "can't access system connection", and use that instead of superuser.allowed in this PR. The place to set that flag is app.jsx:94, I guess.
There was a problem hiding this comment.
Polkit is a disaster if you ask me, we have no way to detect it. But plumbing the state through should work. But looking at our code this is all a bit confusing I guess we look at systemSocketInactive?
There was a problem hiding this comment.
This turns into a yakshave...
} else if ((superuser.allowed && systemSocketInactive) || loadingResources) {
So seems my solution is "correct" :) But ofcourse we can rework this.
There was a problem hiding this comment.
Or not, not sure why this even exists.
There was a problem hiding this comment.
Right, and with the move virt-xml, being able to connect to the system session vuia D-Bus does not mean that you can successfully run virt-xml.
Let's keep the superuser.allowed check.
There was a problem hiding this comment.
Or does virt-xml call the D-Bus API?
There was a problem hiding this comment.
No, but polkit works inside th actual libvirt daemon as well, and I expect virt-install, virt-xml etc to be subject to the same polkit rules as D-Bus clients.
I'll research this properly.
There was a problem hiding this comment.
It's complicated. There are two places to define policy, one for native policy for libvirtd that affects direct clients like virsh and virt-xml, and another one for the D-Bus API, which affects clients using that, like half of cockpit-machines.
This is annoying but it can be made to work, and we should not break people arbitrarily that do that.
jelly
force-pushed
the
dont-show-system-session-for-user
branch
from
54f83f0 to
3a96bad
Compare
jelly
force-pushed
the
dont-show-system-session-for-user
branch
from
3a96bad to
09ec08f
Compare
|
Sorry, I have to look at this again. Luckily I learned a thing or two about c-machines in the mean time. |
There was a problem hiding this comment.
Thanks, I think this is the right thing to do.
Being able to connecting to the qemu:///system connection does indeed mean that virt-install and virt-xml are also able to work. For example, a limited user in the libvirt group can create and manage VMs on the system connection, using our mix of D-Bus, virt-install, and virt-xml.
Libvirt can use polkit internally (not via D-Bus) for fine grained access control. I have not tested it, but I expect that the D-Bus interface as well as virt-install and virt-xml are subject to it equally.
|
|
||
| const detailsTab = ( | ||
| <> | ||
| {this.props.systemSocketAvailable && |
There was a problem hiding this comment.
Instead of completely hiding the connection selector, it should turn read-only and just say "User session" without any radio buttons.
There was a problem hiding this comment.
Sure :) But I did something else woops just disabled both.
There was a problem hiding this comment.
Hmm. I have pushed a version without radio buttons.
jelly
force-pushed
the
dont-show-system-session-for-user
branch
4 times, most recently
from
df841ed to
009b375
Compare
Hah, being young and naive... |
|
The tests don't want to go green... I'll have a look. |
A limited access user cannot create a system session virtual machine so this would just throw an error after creation.
|
Rebased. Now looking at the tests... |
mvollmer
force-pushed
the
dont-show-system-session-for-user
branch
from
342d31e to
76ac05d
Compare
| id="connectionName-session" | ||
| label={rephraseUI("connections", LIBVIRT_SESSION_CONNECTION)} /> | ||
| { isDisabled | ||
| ? rephraseUI("connections", connectionName) |
There was a problem hiding this comment.
This added line is not executed by any test. Details
| ? rephraseUI("connections", connectionName) | ||
| : <> | ||
| <Radio isChecked={connectionName === LIBVIRT_SYSTEM_CONNECTION} | ||
| onChange={() => onValueChanged('connectionName', LIBVIRT_SYSTEM_CONNECTION)} |
There was a problem hiding this comment.
This added line is not executed by any test. Details
| vmName: '', | ||
| suggestedVmName: '', | ||
| connectionName: LIBVIRT_SYSTEM_CONNECTION, | ||
| connectionName: this.props.systemSocketAvailable ? LIBVIRT_SYSTEM_CONNECTION : LIBVIRT_SESSION_CONNECTION, |
There was a problem hiding this comment.
This added line is not executed by any test. Details
4 participants
This throws an error when trying to create a system session vm as limited user.