On 06/24/2016 06:28 AM, Peter Krempa wrote: > On Thu, Jun 23, 2016 at 13:28:59 -0400, John Ferlan wrote: >> Add a new secret type known as "passphrase" - it will handle adding the >> secret objects that need a passphrase without a specific username. >> >> The format is: >> >> <secret ...> >> <uuid>...</uuid> >> ... >> <usage type='passphrase'> >> <id>mumblyfratz</id> >> </usage> >> </secret> >> >> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx> >> --- >> docs/aclpolkit.html.in | 4 +++ >> docs/formatsecret.html.in | 57 ++++++++++++++++++++++++++++-- >> docs/schemas/secret.rng | 10 ++++++ >> include/libvirt/libvirt-secret.h | 3 +- >> src/access/viraccessdriverpolkit.c | 13 +++++++ >> src/conf/secret_conf.c | 26 +++++++++++++- >> src/conf/secret_conf.h | 1 + >> src/conf/virsecretobj.c | 5 +++ >> tests/secretxml2xmlin/usage-passphrase.xml | 7 ++++ >> tests/secretxml2xmltest.c | 1 + >> 10 files changed, 123 insertions(+), 4 deletions(-) >> create mode 100644 tests/secretxml2xmlin/usage-passphrase.xml >> >> diff --git a/docs/formatsecret.html.in b/docs/formatsecret.html.in >> index 599cb38..79c4082 100644 >> --- a/docs/formatsecret.html.in >> +++ b/docs/formatsecret.html.in > > [..] 
> >> @@ -241,5 +242,57 @@ >> <secret usage='libvirtiscsi'/> >> </auth> >> </pre> >> + >> + <h3><a name="passphraseUsageType">Usage type "passphrase"</a></h3> >> + >> + <p> >> + This secret is a general purpose secret to be used by various libvirt >> + objects to provide a single passphrase as required by the object in >> + order to perform its authentication. >> + <span class="since">Since 2.0.0</span>. The following is an example >> + of a secret.xml file: >> + </p> >> + >> + <pre> >> + # cat secret.xml >> + <secret ephemeral='no' private='yes'> >> + <description>sample passphrase secret</description> >> + <usage type='passphrase'> >> + <id>id_example</id> > > 'id' implies a number. Any reason for not using 'name'? Name is fine with me. Id is just shorter to type. > >> + </usage> >> + </secret> >> + >> + # virsh secret-define secret.xml >> + Secret 718c71bd-67b5-4a2b-87ec-a24e8ca200dc created >> + >> + # virsh secret-list >> + UUID Usage >> + ----------------------------------------------------------- >> + 718c71bd-67b5-4a2b-87ec-a24e8ca200dc passphrase id_example > > Header is misaligned. > Ironically the others are off too... This was some cut-n-paste, followed by deletion of a line in order to grab the output of the actual command that I ran... I'll fix it (and others too) - I assume those are trivial... >> + # >> + >> + </pre> >> + >> + <p> >> + A secret may also be defined via the >> + <a href="html/libvirt-libvirt-secret.html#virSecretDefineXML"> >> + <code>virSecretDefineXML</code></a> API. >> + >> + Once the secret is defined, a secret value will need to be set. This >> + value would be the same used to create and use the volume. >> + The following is a simple example of using >> + <code>virsh secret-set-value</code> to set the secret value. The >> + <a href="html/libvirt-libvirt-secret.html#virSecretSetValue"> >> + <code>virSecretSetValue</code></a> API may also be used to set >> + a more secure secret without using printable/readable characters. 
>> + </p> >> + >> + <pre> >> + # MYSECRET=`printf %s "letmein" | base64` >> + # virsh secret-set-value 718c71bd-67b5-4a2b-87ec-a24e8ca200dc $MYSECRET >> + Secret value set >> + >> + </pre> >> + >> </body> >> </html> > > [...] > >> diff --git a/src/conf/secret_conf.c b/src/conf/secret_conf.c >> index de9e6cf..77477b6 100644 >> --- a/src/conf/secret_conf.c >> +++ b/src/conf/secret_conf.c > > >> @@ -92,6 +100,7 @@ virSecretDefFree(virSecretDefPtr def) >> VIR_FREE(def); >> } >> >> + > > Spurious whitespace change. > >> static int >> virSecretDefParseUsage(xmlXPathContextPtr ctxt, >> virSecretDefPtr def) >> @@ -145,6 +154,14 @@ virSecretDefParseUsage(xmlXPathContextPtr ctxt, >> } >> break; >> >> + case VIR_SECRET_USAGE_TYPE_PASSPHRASE: >> + if (!(def->usage.id = virXPathString("string(./usage/id)", ctxt))) { >> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", >> + _("passphrase usage specified, but id is missing")); >> + return -1; > > This disallows missing ID. > >> + } >> + break; >> + >> default: >> virReportError(VIR_ERR_INTERNAL_ERROR, >> _("unexpected secret usage type %d"), >> @@ -305,6 +322,13 @@ virSecretDefFormatUsage(virBufferPtr buf, >> } >> break; >> >> + case VIR_SECRET_USAGE_TYPE_PASSPHRASE: >> + if (def->usage.id != NULL) { > > This allows missing id. > True - but it follows other elements of the case. I could trivially change those as well. John >> + virBufferEscapeString(buf, "<id>%s</id>\n", >> + def->usage.id); >> + } >> + break; >> + >> default: >> virReportError(VIR_ERR_INTERNAL_ERROR, >> _("unexpected secret usage type %d"), -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
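Review bot: In the docs/formatsecret.html.in hunk, the sentence "This value would be the same used to create and use the volume" still talks about a volume, which does not fit a general-purpose passphrase secret; say what the value actually is (the passphrase the consuming object presents when it authenticates). The example also sets the value by passing `$MYSECRET` on the `virsh secret-set-value` command line, which leaves the base64-encoded passphrase in shell history and exposes it to anyone who can list processes while the command runs; since the paragraph already points at virSecretSetValue for non-printable values, state plainly that the API is also the way to avoid putting the value on a command line.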
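Review bot: The new VIR_SECRET_USAGE_TYPE_PASSPHRASE case in virSecretDefParseUsage makes `<id>` mandatory, while the matching branch in virSecretDefFormatUsage tolerates a NULL `usage.id`, so the two halves of the parse/format round trip disagree; decide on one rule and apply it to both. If the element is required, the docs/schemas/secret.rng change in this series should require it too, so that schema validation and `virSecretDefParseUsage("string(./usage/id)")` reject the same documents instead of one accepting what the other refuses.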
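Review bot: In the virSecretDefFormatUsage hunk, `if (def->usage.id != NULL)` can never be false for a definition that went through the parser above, which returns -1 when the id is missing, so either drop the guard or keep the two sides in step (the reply already offers to tighten the other usage types the same way). Worth a short comment in the code: the id is caller-supplied text written straight back into XML, so emitting it through virBufferEscapeString rather than a plain printf-style append is the right choice and should be kept if the element is renamed to `<name>` as suggested earlier in the thread.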