Here is some information from a colleague of mine. I don't have any other information than this, so hopefully it helps. Jason PolicyKit auth works on 0.4.6 (openSUSE11.1 and SLE11). Here are some notes I took while testing this functionality. With libvirt PolicyKit support, access control options are more advanced. The unix_sock_auth parameter will default to polkit, and the file permissions will default to 0777 even on the RW socket. Upon connecting to the socket, the client application will be required to identify itself with PolicyKit. The default policy for the RW daemon socket will require any application running in the current desktop session to authenticate using the user's password. This is akin to sudo auth, but does not require that the client application ultimately run as root. Default policy will still allow any application to connect to the RO socket. The default policy can be overridden by the administrator using the PolicyKit master configuration file in /etc/PolicyKit/PolicyKit.conf. The PolicyKit.conf(5) manual page provides details on the syntax available. The two libvirt daemon actions available are named org.libvirt.unix.monitor for the RO socket, and org.libvirt.unix.manage for the RW socket. As an example, to allow a user fredfull access to the RW socket, while requiring joe to authenticate with the admin password, would require adding the following snippet to PolicyKit.conf. <match action="org.libvirt.unix.manage"> <match user="fred"> <return result="yes"/> </match> </match> <match action="org.libvirt.unix.manage"> <match user="joe"> <return result="auth_admin"/> </match> </match> Notes: As a test, I added <match action="org.libvirt.unix.manage"> <match user="jfehlig"> <return result="yes"/> </match> </match> to /etc/PolicyKit/PolicyKit.conf (within the <config> element) and was able to access libvirt RW as user jfehlig.

...

...

On 1/26/2009 at 03:35 PM, in message <dbd51810901261435h7b2cd5aaqa367ae909070bd60@mail.gmail.com>, PGNet <pgnet.trash+osvm@gmail.com> wrote: I'm connecting to a remote Opensuse 11.1 box remotely, using nxclient.

Using VNC (now disable), I was able to login as root and run @KDE4, virt-manager without problem.

xn does not permit root login, so i'm logged in as a normal user. unfortunately, @ virt-manager launch, I get a dialog:

Unable to open a connection to the Xen hypervisor/daemon.

Verify that: - A Xen host kernel was booted - The Xen service has been started

Detail:

Unable to open connection to hypervisor URI 'xen:///': <class 'libvirt.libvirtError'> unable to connect to '/var/run/libvirt/libvirt-sock': Connection ref Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/connection.py", line 325, in _open_thread self.vmm = libvirt.openReadOnly(self.uri) File "/usr/lib64/python2.6/site-packages/libvirt.py", line 149, in openReadOnly if ret is None:raise libvirtError('virConnectOpenReadOnly() failed') libvirtError: unable to connect to '/var/run/libvirt/libvirt-sock': Connection refused

digging, I find @

http://fedoraproject.org/wiki/Features/VirtPolicyKit

"The virt-manager application currently runs as root when managing a local hypervisor. It uses console-helper to authentication from a desktop session. Running GTK applications as root is evil. By integrating with PolicyKit it will be possible to run virt-manager as a regular user"

Obviously, for Fedora9. Does this apply for Opensuse 11.1, as well?

I'm reading thru the referenced,

http://libvirt.org/auth.html

Is this the right approach under OS 11.1?

Thanks.

-- To unsubscribe, e-mail: opensuse-virtual+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-virtual+help@opensuse.org