[PATCH 4/7] fspools: acl support for filesystem pools

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>

Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy@xxxxxxxxxxxxx>
---
 src/access/viraccessdriver.h       |  12 ++++
 src/access/viraccessdrivernop.c    |  19 ++++++
 src/access/viraccessdriverpolkit.c |  47 ++++++++++++++
 src/access/viraccessdriverstack.c  |  49 +++++++++++++++
 src/access/viraccessmanager.c      |  31 ++++++++++
 src/access/viraccessmanager.h      |  11 ++++
 src/access/viraccessperm.c         |  15 ++++-
 src/access/viraccessperm.h         | 124 +++++++++++++++++++++++++++++++++++++
 src/libvirt_private.syms           |   6 ++
 9 files changed, 313 insertions(+), 1 deletion(-)

diff --git a/src/access/viraccessdriver.h b/src/access/viraccessdriver.h
index e3050b6..e0d505e 100644
--- a/src/access/viraccessdriver.h
+++ b/src/access/viraccessdriver.h
@@ -61,6 +61,16 @@ typedef int (*virAccessDriverCheckStorageVolDrv)(virAccessManagerPtr manager,
                                                  virStorageVolDefPtr vol,
                                                  virAccessPermStorageVol av);
 
+typedef int (*virAccessDriverCheckFsPoolDrv)(virAccessManagerPtr manager,
+                                             const char *driverName,
+                                             virFsPoolDefPtr fspool,
+                                             virAccessPermFsPool av);
+typedef int (*virAccessDriverCheckFsItemDrv)(virAccessManagerPtr manager,
+                                             const char *driverName,
+                                             virFsPoolDefPtr fspool,
+                                             virFsItemDefPtr item,
+                                             virAccessPermFsItem av);
+
 typedef int (*virAccessDriverSetupDrv)(virAccessManagerPtr manager);
 typedef void (*virAccessDriverCleanupDrv)(virAccessManagerPtr manager);
 
@@ -83,6 +93,8 @@ struct _virAccessDriver {
     virAccessDriverCheckSecretDrv checkSecret;
     virAccessDriverCheckStoragePoolDrv checkStoragePool;
     virAccessDriverCheckStorageVolDrv checkStorageVol;
+    virAccessDriverCheckFsPoolDrv checkFsPool;
+    virAccessDriverCheckFsItemDrv checkFsItem;
 };
 
 
diff --git a/src/access/viraccessdrivernop.c b/src/access/viraccessdrivernop.c
index 86ceef3..1ed8b35 100644
--- a/src/access/viraccessdrivernop.c
+++ b/src/access/viraccessdrivernop.c
@@ -103,7 +103,24 @@ virAccessDriverNopCheckStorageVol(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
     return 1; /* Allow */
 }
 
+static int
+virAccessDriverNopCheckFsPool(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
+                              const char *driverName ATTRIBUTE_UNUSED,
+                              virFsPoolDefPtr fspool ATTRIBUTE_UNUSED,
+                              virAccessPermFsPool perm ATTRIBUTE_UNUSED)
+{
+    return 1; /* Allow */
+}
 
+static int
+virAccessDriverNopCheckFsItem(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
+                              const char *driverName ATTRIBUTE_UNUSED,
+                              virFsPoolDefPtr fspool ATTRIBUTE_UNUSED,
+                              virFsItemDefPtr item ATTRIBUTE_UNUSED,
+                              virAccessPermFsItem perm ATTRIBUTE_UNUSED)
+{
+    return 1; /* Allow */
+}
 virAccessDriver accessDriverNop = {
     .name = "none",
     .checkConnect = virAccessDriverNopCheckConnect,
@@ -115,4 +132,6 @@ virAccessDriver accessDriverNop = {
     .checkSecret = virAccessDriverNopCheckSecret,
     .checkStoragePool = virAccessDriverNopCheckStoragePool,
     .checkStorageVol = virAccessDriverNopCheckStorageVol,
+    .checkFsPool = virAccessDriverNopCheckFsPool,
+    .checkFsItem = virAccessDriverNopCheckFsItem,
 };
diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
index 89bc890..fae3f26 100644
--- a/src/access/viraccessdriverpolkit.c
+++ b/src/access/viraccessdriverpolkit.c
@@ -385,6 +385,50 @@ virAccessDriverPolkitCheckStorageVol(virAccessManagerPtr manager,
                                       virAccessPermStorageVolTypeToString(perm),
                                       attrs);
 }
+static int
+virAccessDriverPolkitCheckFsPool(virAccessManagerPtr manager,
+                                 const char *driverName,
+                                 virFsPoolDefPtr fspool,
+                                 virAccessPermFsPool perm)
+{
+    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    const char *attrs[] = {
+        "connect_driver", driverName,
+        "fspool_name", fspool->name,
+        "fspool_uuid", uuidstr,
+        NULL,
+    };
+    virUUIDFormat(fspool->uuid, uuidstr);
+
+    return virAccessDriverPolkitCheck(manager,
+                                      "fs-pool",
+                                      virAccessPermFsPoolTypeToString(perm),
+                                      attrs);
+}
+
+static int
+virAccessDriverPolkitCheckFsItem(virAccessManagerPtr manager,
+                                 const char *driverName,
+                                 virFsPoolDefPtr fspool,
+                                 virFsItemDefPtr item,
+                                 virAccessPermFsItem perm)
+{
+    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    const char *attrs[] = {
+        "connect_driver", driverName,
+        "fspool_name", fspool->name,
+        "fspool_uuid", uuidstr,
+        "item_name", item->name,
+        "item_key", item->key,
+        NULL,
+    };
+    virUUIDFormat(fspool->uuid, uuidstr);
+
+    return virAccessDriverPolkitCheck(manager,
+                                      "fs-item",
+                                      virAccessPermStorageVolTypeToString(perm),
+                                      attrs);
+}
 
 virAccessDriver accessDriverPolkit = {
     .privateDataLen = sizeof(virAccessDriverPolkitPrivate),
@@ -399,4 +443,7 @@ virAccessDriver accessDriverPolkit = {
     .checkSecret = virAccessDriverPolkitCheckSecret,
     .checkStoragePool = virAccessDriverPolkitCheckStoragePool,
     .checkStorageVol = virAccessDriverPolkitCheckStorageVol,
+    .checkFsPool = virAccessDriverPolkitCheckFsPool,
+    .checkFsItem = virAccessDriverPolkitCheckFsItem,
+
 };
diff --git a/src/access/viraccessdriverstack.c b/src/access/viraccessdriverstack.c
index b43a743..c78c321 100644
--- a/src/access/viraccessdriverstack.c
+++ b/src/access/viraccessdriverstack.c
@@ -267,6 +267,53 @@ virAccessDriverStackCheckStorageVol(virAccessManagerPtr manager,
     return ret;
 }
 
+static int
+virAccessDriverStackCheckFsPool(virAccessManagerPtr manager,
+                                const char *driverName,
+                                virFsPoolDefPtr fspool,
+                                virAccessPermFsPool perm)
+{
+    virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager);
+    int ret = 1;
+    size_t i;
+
+    for (i = 0; i < priv->managersLen; i++) {
+        int rv;
+        /* We do not short-circuit on first denial - always check all drivers */
+        rv = virAccessManagerCheckFsPool(priv->managers[i], driverName, fspool, perm);
+        if (rv == 0 && ret != -1)
+            ret = 0;
+        else if (rv < 0)
+            ret = -1;
+    }
+
+    return ret;
+}
+
+static int
+virAccessDriverStackCheckFsItem(virAccessManagerPtr manager,
+                                const char *driverName,
+                                virFsPoolDefPtr fspool,
+                                virFsItemDefPtr item,
+                                virAccessPermFsItem perm)
+{
+    virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager);
+    int ret = 1;
+    size_t i;
+
+    for (i = 0; i < priv->managersLen; i++) {
+        int rv;
+        /* We do not short-circuit on first denial - always check all drivers */
+        rv = virAccessManagerCheckFsItem(priv->managers[i], driverName, fspool, item, perm);
+        if (rv == 0 && ret != -1)
+            ret = 0;
+        else if (rv < 0)
+            ret = -1;
+    }
+
+    return ret;
+}
+
 virAccessDriver accessDriverStack = {
     .privateDataLen = sizeof(virAccessDriverStackPrivate),
     .name = "stack",
@@ -280,4 +327,6 @@ virAccessDriver accessDriverStack = {
     .checkSecret = virAccessDriverStackCheckSecret,
     .checkStoragePool = virAccessDriverStackCheckStoragePool,
     .checkStorageVol = virAccessDriverStackCheckStorageVol,
+    .checkFsPool = virAccessDriverStackCheckFsPool,
+    .checkFsItem = virAccessDriverStackCheckFsItem,
 };
diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c
index bcf552b..6882c03 100644
--- a/src/access/viraccessmanager.c
+++ b/src/access/viraccessmanager.c
@@ -344,3 +344,34 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
 
     return virAccessManagerSanitizeError(ret);
 }
+
+int virAccessManagerCheckFsPool(virAccessManagerPtr manager,
+                                const char *driverName,
+                                virFsPoolDefPtr fspool,
+                                virAccessPermFsPool perm)
+{
+    int ret = 0;
+    VIR_DEBUG("manager=%p(name=%s) driver=%s pool=%p perm=%d",
+              manager, manager->drv->name, driverName, fspool, perm);
+
+    if (manager->drv->checkFsPool)
+        ret = manager->drv->checkFsPool(manager, driverName, fspool, perm);
+
+    return virAccessManagerSanitizeError(ret);
+}
+
+int virAccessManagerCheckFsItem(virAccessManagerPtr manager,
+                                const char *driverName,
+                                virFsPoolDefPtr fspool,
+                                virFsItemDefPtr item,
+                                virAccessPermFsItem perm)
+{
+    int ret = 0;
+    VIR_DEBUG("manager=%p(name=%s) driver=%s pool=%p vol=%p perm=%d",
+              manager, manager->drv->name, driverName, fspool, item, perm);
+
+    if (manager->drv->checkFsItem)
+        ret = manager->drv->checkFsItem(manager, driverName, fspool, item, perm);
+
+    return virAccessManagerSanitizeError(ret);
+}
diff --git a/src/access/viraccessmanager.h b/src/access/viraccessmanager.h
index e7eb15d..69cddb5 100644
--- a/src/access/viraccessmanager.h
+++ b/src/access/viraccessmanager.h
@@ -27,6 +27,7 @@
 # include "conf/nwfilter_conf.h"
 # include "conf/node_device_conf.h"
 # include "conf/storage_conf.h"
+# include "conf/fs_conf.h"
 # include "conf/secret_conf.h"
 # include "conf/interface_conf.h"
 # include "access/viraccessperm.h"
@@ -86,6 +87,16 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
                                     virStoragePoolDefPtr pool,
                                     virStorageVolDefPtr vol,
                                     virAccessPermStorageVol perm);
+int virAccessManagerCheckFsPool(virAccessManagerPtr manager,
+                                const char *driverName,
+                                virFsPoolDefPtr fspool,
+                                virAccessPermFsPool perm);
+int virAccessManagerCheckFsItem(virAccessManagerPtr manager,
+                                const char *driverName,
+                                virFsPoolDefPtr fspool,
+                                virFsItemDefPtr item,
+                                virAccessPermFsItem perm);
+
 
 
 #endif /* __VIR_ACCESS_MANAGER_H__ */
diff --git a/src/access/viraccessperm.c b/src/access/viraccessperm.c
index 0f58290..5ac7162 100644
--- a/src/access/viraccessperm.c
+++ b/src/access/viraccessperm.c
@@ -29,7 +29,7 @@ VIR_ENUM_IMPL(virAccessPermConnect,
               "search_domains", "search_networks",
               "search_storage_pools", "search_node_devices",
               "search_interfaces", "search_secrets",
-              "search_nwfilters",
+              "search_nwfilters", "search_fs_pools",
               "detect_storage_pools", "pm_control",
               "interface_transaction");
 
@@ -83,3 +83,16 @@ VIR_ENUM_IMPL(virAccessPermStorageVol,
               "getattr", "read", "create", "delete",
               "format", "resize", "data_read",
               "data_write");
+
+VIR_ENUM_IMPL(virAccessPermFsPool,
+              VIR_ACCESS_PERM_FS_POOL_LAST,
+              "getattr", "read", "write",
+              "save", "delete", "start", "stop",
+              "refresh", "search_items",
+              "format");
+
+VIR_ENUM_IMPL(virAccessPermFsItem,
+              VIR_ACCESS_PERM_FS_ITEM_LAST,
+              "getattr", "read", "create", "delete",
+              "format", "data_read",
+              "data_write");
diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h
index 1817da7..7a29de5 100644
--- a/src/access/viraccessperm.h
+++ b/src/access/viraccessperm.h
@@ -67,6 +67,12 @@ typedef enum {
     VIR_ACCESS_PERM_CONNECT_SEARCH_STORAGE_POOLS,
 
     /**
+     * @desc: List fs pools
+     * @message: Listing fs pools requires authorization
+     * @anonymous: 1
+     */
+    VIR_ACCESS_PERM_CONNECT_SEARCH_FS_POOLS,
+    /**
      * @desc: List node devices
      * @message: Listing node devices requires authorization
      * @anonymous: 1
@@ -651,6 +657,122 @@ typedef enum {
     VIR_ACCESS_PERM_STORAGE_VOL_LAST
 } virAccessPermStorageVol;
 
+typedef enum {
+
+    /**
+     * @desc: Access fs pool
+     * @message: Accessing fs pool requires authorization
+     * @anonymous: 1
+     */
+    VIR_ACCESS_PERM_FS_POOL_GETATTR,
+
+    /**
+     * @desc: Read fs pool
+     * @message: Reading fs pool configuration requires authorization
+     * @anonymous: 1
+     */
+    VIR_ACCESS_PERM_FS_POOL_READ,
+
+    /**
+     * @desc: Write fs pool
+     * @message: Writing fs pool configuration requires authorization
+     */
+    VIR_ACCESS_PERM_FS_POOL_WRITE,
+
+    /**
+     * @desc: Save fs pool
+     * @message: Saving fs pool configuration requires authorization
+     */
+    VIR_ACCESS_PERM_FS_POOL_SAVE,
+
+    /**
+     * @desc: Delete fs pool
+     * @message: Deleting fs pool configuration requires authorization
+     */
+    VIR_ACCESS_PERM_FS_POOL_DELETE,
+
+    /**
+     * @desc: Start fs pool
+     * @message: Starting fs pool configuration requires authorization
+     */
+    VIR_ACCESS_PERM_FS_POOL_START,
+
+    /**
+     * @desc: Stop fs pool
+     * @message: Stopping fs pool configuration requires authorization
+     */
+    VIR_ACCESS_PERM_FS_POOL_STOP,
+
+    /**
+     * @desc: Refresh fs pool
+     * @message: Refreshing fs pool items requires authorization
+     */
+    VIR_ACCESS_PERM_FS_POOL_REFRESH,
+
+    /**
+     * @desc: List fs pool items
+     * @message: Listing fs pool items requires authorization
+     */
+    VIR_ACCESS_PERM_FS_POOL_SEARCH_ITEMS,
+
+    /**
+     * @desc: Format fs pool
+     * @message: Formatting fs pool data requires authorization
+     */
+    VIR_ACCESS_PERM_FS_POOL_FORMAT,
+
+    VIR_ACCESS_PERM_FS_POOL_LAST
+} virAccessPermFsPool;
+
+typedef enum {
+
+    /**
+     * @desc: Access fs item
+     * @message: Acceessing fs item requires authorization
+     * @anonymous: 1
+     */
+    VIR_ACCESS_PERM_FS_ITEM_GETATTR,
+
+    /**
+     * @desc: Read fs item
+     * @message: Reading fs item configuration requires authorization
+     * @anonymous: 1
+     */
+    VIR_ACCESS_PERM_FS_ITEM_READ,
+
+    /**
+     * @desc: Create fs item
+     * @message: Creating fs item requires authorization
+     */
+    VIR_ACCESS_PERM_FS_ITEM_CREATE,
+
+    /**
+     * @desc: Delete fs item
+     * @message: Deleting fs item requires authorization
+     */
+    VIR_ACCESS_PERM_FS_ITEM_DELETE,
+
+    /**
+     * @desc: Format fs item
+     * @message: Formatting fs item data requires authorization
+     */
+    VIR_ACCESS_PERM_FS_ITEM_FORMAT,
+
+    /**
+     * @desc: Read fs item data
+     * @message: Reading fs item data requires authorization
+     */
+    VIR_ACCESS_PERM_FS_ITEM_DATA_READ,
+
+    /**
+     * @desc: Write fs item data
+     * @message: Writing fs item data requires authorization
+     */
+    VIR_ACCESS_PERM_FS_ITEM_DATA_WRITE,
+
+    VIR_ACCESS_PERM_FS_ITEM_LAST
+} virAccessPermFsItem;
+
 VIR_ENUM_DECL(virAccessPermConnect);
 VIR_ENUM_DECL(virAccessPermDomain);
 VIR_ENUM_DECL(virAccessPermInterface);
@@ -660,5 +782,7 @@ VIR_ENUM_DECL(virAccessPermNWFilter);
 VIR_ENUM_DECL(virAccessPermSecret);
 VIR_ENUM_DECL(virAccessPermStoragePool);
 VIR_ENUM_DECL(virAccessPermStorageVol);
+VIR_ENUM_DECL(virAccessPermFsPool);
+VIR_ENUM_DECL(virAccessPermFsItem);
 
 #endif /* __VIR_ACCESS_PERM_H__ */
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 9c3fe6a..4b87c37 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -8,6 +8,8 @@
 # access/viraccessmanager.h
 virAccessManagerCheckConnect;
 virAccessManagerCheckDomain;
+virAccessManagerCheckFsItem;
+virAccessManagerCheckFsPool;
 virAccessManagerCheckInterface;
 virAccessManagerCheckNetwork;
 virAccessManagerCheckNodeDevice;
@@ -26,6 +28,10 @@ virAccessPermConnectTypeFromString;
 virAccessPermConnectTypeToString;
 virAccessPermDomainTypeFromString;
 virAccessPermDomainTypeToString;
+virAccessPermFsItemTypeFromString;
+virAccessPermFsItemTypeToString;
+virAccessPermFsPoolTypeFromString;
+virAccessPermFsPoolTypeToString;
 virAccessPermInterfaceTypeFromString;
 virAccessPermInterfaceTypeToString;
 virAccessPermNetworkTypeFromString;
-- 
1.8.3.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]