Re: [PATCH 09/10] storage: open secret driver connection at time of use

Peter Krempa <pkrempa@xxxxxxxxxx> · Mon, 29 Jan 2018 11:50:36 +0100

On Fri, Jan 26, 2018 at 13:35:36 +0000, Daniel Berrange wrote:
> Instead of passing around a virConnectPtr object, just open a connection
> to the secret driver at time of use. Opening connections on demand will
> be beneficial when the secret driver is in a separate daemon. It also
> solves the problem that a number of callers just pass in a NULL
> connection today which prevents secret lookup working at all.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> ---
>  src/storage/storage_backend_iscsi.c   | 14 +++---
>  src/storage/storage_backend_logical.c |  2 +-
>  src/storage/storage_backend_rbd.c     | 41 +++++++--------
>  src/storage/storage_util.c            | 95 ++++++++++++++++-------------------
>  src/storage/storage_util.h            |  6 +--
>  5 files changed, 71 insertions(+), 87 deletions(-)
> 
> diff --git a/src/storage/storage_backend_iscsi.c b/src/storage/storage_backend_iscsi.c
> index b0c5096adb..921215c9e9 100644
> --- a/src/storage/storage_backend_iscsi.c
> +++ b/src/storage/storage_backend_iscsi.c
> @@ -273,13 +273,13 @@ virStorageBackendISCSICheckPool(virStoragePoolObjPtr pool,
>  
>  static int
>  virStorageBackendISCSISetAuth(const char *portal,
> -                              virConnectPtr conn,
>                                virStoragePoolSourcePtr source)
>  {
>      unsigned char *secret_value = NULL;
>      size_t secret_size;
>      virStorageAuthDefPtr authdef = source->auth;
>      int ret = -1;
> +    virConnectPtr conn = NULL;
>  
>      if (!authdef || authdef->authType == VIR_STORAGE_AUTH_TYPE_NONE)
>          return 0;
> @@ -292,12 +292,9 @@ virStorageBackendISCSISetAuth(const char *portal,
>          return -1;
>      }
>  
> -    if (!conn) {
> -        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> -                       _("iscsi 'chap' authentication not supported "
> -                         "for autostarted pools"));
> +    conn = virConnectOpen(geteuid() == 0 ? "secret:///system" : "secret:///session");

You should add this as a helper function. If we decide that geteuid() is
not a good enough check whether a connection is privileged or anything
else we'd need to fix a lot of similar ugly ternary conditions.

Same for the connection to the secret driver in this patch.
Attachment:
signature.asc

Description: PGP signature
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list