The 'auth' parameter for the libvirt 'openAuth' method
should be a list of 3 values: a list of credential types,
a function callback and an opaque data value. For unknown
reasons the libvirt driver is passing the string 'root'
instead of the function callback.

This causes any attempt to invoke the callback to fail
with a Python exception, which gets swallowed since it
is called asynchronously from libvirt. The upshot of
this is that it is not possible to connect Nova to a
libvirt instance that requires authentication.

Although Nova has no way to provide custom credentials
to libvirt, it is possible to rely on libvirt's client
auth file to provide credentials. All that is required
is for the auth callback to return '0' if no credentials
were asked for.

Fixing the Nova params for openAuth() thus enables use of
SASL or Kerberos auth+encryption with Nova, e.g. for SASL:

# augtool -s set /files/etc/libvirt/libvirtd.conf/auth_unix_rw sasl
Saved 1 file(s)
# saslpasswd -a libvirt nova
Password: XYZ
Again (for verification): XYZ
# su - nova -s /bin/sh
$ mkdir -p $HOME/.config/libvirt
$ cat > $HOME/.config/libvirt/auth.conf <<EOF
[credentials-nova]
authname=nova
password=XYZ
[auth-libvirt-localhost]
credentials=nova
EOF

Finally just restart libvirtd and nova compute services.

Change-Id: I011b406e54728a01eb90a7851ae2b1f536674197
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
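
The three-value 'auth' list described in the commit message above, as an added example that is not part of the commit or of Nova's code. The names auth_callback, check_auth and connect, and the particular choice of credential types, are assumptions made for illustration.

```python
"""Shape of the 'auth' argument to libvirt.openAuth(): [cred_types, callback, opaque]."""
try:
    import libvirt  # libvirt-python; only connect() needs it
    CRED_TYPES = [libvirt.VIR_CRED_AUTHNAME, libvirt.VIR_CRED_ECHOPROMPT,
                  libvirt.VIR_CRED_REALM, libvirt.VIR_CRED_PASSPHRASE,
                  libvirt.VIR_CRED_NOECHOPROMPT, libvirt.VIR_CRED_EXTERNAL]
except ImportError:
    libvirt = None
    CRED_TYPES = [2, 6, 8, 5, 7, 9]  # the same constants by numeric value


def auth_callback(creds, opaque):
    """Return 0 when libvirt asked for nothing, -1 otherwise.

    An empty request means the client auth file already supplied everything.
    This caller has no credentials of its own to offer (assumption).
    """
    return 0 if len(creds) == 0 else -1


def check_auth(auth):
    """Return a list of problems found in an openAuth() 'auth' value."""
    if not isinstance(auth, list) or len(auth) != 3:
        return ["auth must be a list of exactly 3 values"]
    problems = []
    cred_types, callback, _opaque = auth
    if not isinstance(cred_types, list) or not all(
            isinstance(c, int) for c in cred_types):
        problems.append("auth[0] must be a list of credential type constants")
    if not callable(callback):
        problems.append("auth[1] must be callable, got %r" % (callback,))
    return problems


BROKEN_AUTH = [CRED_TYPES, 'root', None]       # string where the callback belongs
FIXED_AUTH = [CRED_TYPES, auth_callback, None]


def connect(uri, auth=FIXED_AUTH):
    """Open an authenticated connection, rejecting a malformed auth list first."""
    problems = check_auth(auth)
    if problems:
        raise TypeError("; ".join(problems))
    if libvirt is None:
        raise RuntimeError("libvirt-python is not installed")
    return libvirt.openAuth(uri, auth, 0)
```

Checking the list before calling openAuth() surfaces the mistake as an immediate TypeError instead of an exception swallowed inside the asynchronous callback.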