The term "access control list" better describes the concept involved. Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> --- docs/internals/rpc.html.in | 9 ++++---- src/remote/libvirtd.conf.in | 6 +++--- src/remote/remote_daemon_dispatch.c | 4 ++-- src/rpc/virnetsaslcontext.c | 10 ++++----- src/rpc/virnetsaslcontext.h | 2 +- src/rpc/virnettlscontext.c | 32 ++++++++++++++--------------- src/rpc/virnettlscontext.h | 4 ++-- tests/virconfdata/libvirtd.conf | 6 +++--- tests/virconfdata/libvirtd.out | 6 +++--- 9 files changed, 40 insertions(+), 39 deletions(-) diff --git a/docs/internals/rpc.html.in b/docs/internals/rpc.html.in index 40d844f31c..129945bf1c 100644 --- a/docs/internals/rpc.html.in +++ b/docs/internals/rpc.html.in @@ -447,7 +447,8 @@ C <-- |32| 8 | 1 | 3 | 1 | 1 | 0 | .o.oOo | <-- S (reply) <dt><code>virNetSASLContextPtr</code> (virnetsaslcontext.h)</dt> <dd>The virNetSASLContext APIs maintain SASL state for a network service (server or client). This is primarily used on the server - to provide a whitelist of allowed SASL usernames for clients. + to provide an access control list of SASL usernames permitted as + clients. </dd> <dt><code>virNetSASLSessionPtr</code> (virnetsaslcontext.h)</dt> @@ -460,7 +461,7 @@ C <-- |32| 8 | 1 | 3 | 1 | 1 | 0 | .o.oOo | <-- S (reply) <dt><code>virNetTLSContextPtr</code> (virnettlscontext.h)</dt> <dd>The virNetTLSContext APIs maintain TLS state for a network service (server or client). This is primarily used on the server - to provide a whitelist of allowed x509 distinguished names, as + to provide an access control list of x509 distinguished names, as well as diffie-hellman keys. It can also do validation of x509 certificates prior to initiating a connection, in order to improve detection of configuration errors. 
@@ -760,8 +761,8 @@ C <-- |32| 8 | 1 | 3 | 1 | 1 | 0 | .o.oOo | <-- S (reply) next step is to decode the RPC header. The header is validated to ensure the request is sensible, ie the server should not receive a method reply from a client. If the client has not yet authenticated, - a security check is also applied to make sure the procedure is on the - whitelist of those allowed prior to auth. If the packet is a method + an access control list check is also performed to make sure the procedure + is one of those allowed prior to auth. If the packet is a method call, it will be placed on a global processing queue. The event loop thread is now done with the packet for the time being. </p> diff --git a/src/remote/libvirtd.conf.in b/src/remote/libvirtd.conf.in index 34741183cc..2607fbad86 100644 --- a/src/remote/libvirtd.conf.in +++ b/src/remote/libvirtd.conf.in @@ -253,11 +253,11 @@ # will be rejected. # # Default is to always verify. Uncommenting this will disable -# verification - make sure an IP whitelist is set +# verification. #tls_no_verify_certificate = 1 -# A whitelist of allowed x509 Distinguished Names +# An access control list of allowed x509 Distinguished Names # This list may contain wildcards such as # # "C=GB,ST=London,L=London,O=Red Hat,CN=*" @@ -282,7 +282,7 @@ @END@ -# A whitelist of allowed SASL usernames. The format for username +# An access control list of allowed SASL usernames. The format for username # depends on the SASL authentication mechanism. Kerberos usernames # look like username@REALM # diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c index 831e7d165c..67b86cff78 100644 --- a/src/remote/remote_daemon_dispatch.c +++ b/src/remote/remote_daemon_dispatch.c 
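Review bot: The reworded comment above `#tls_no_verify_certificate = 1` in the `@@ -253,11 +253,11 @@` hunk now stops at "verification." and drops the only reminder that turning certificate verification off needs a compensating control. Rather than deleting the caveat, restate it in the new terminology, for example `# verification - make sure access is restricted by other means,` followed by `# such as SASL authentication or network-level filtering`. Whether an IP-based ACL setting exists in this file cannot be told from the hunk, so name whichever control actually applies. The same shortened comment appears in tests/virconfdata/libvirtd.conf and tests/virconfdata/libvirtd.out.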
@@ -3861,7 +3861,7 @@ remoteDispatchAuthSaslStart(virNetServerPtr server, if (err == VIR_NET_SASL_CONTINUE) { ret->complete = 0; } else { - /* Check username whitelist ACL */ + /* Check username ACL */ if ((err = remoteSASLFinish(server, client)) < 0) { if (err == -2) goto authdeny; @@ -3957,7 +3957,7 @@ remoteDispatchAuthSaslStep(virNetServerPtr server, if (err == VIR_NET_SASL_CONTINUE) { ret->complete = 0; } else { - /* Check username whitelist ACL */ + /* Check username ACL */ if ((err = remoteSASLFinish(server, client)) < 0) { if (err == -2) goto authdeny; diff --git a/src/rpc/virnetsaslcontext.c b/src/rpc/virnetsaslcontext.c index e7ed8f4390..9253771787 100644 --- a/src/rpc/virnetsaslcontext.c +++ b/src/rpc/virnetsaslcontext.c @@ -36,7 +36,7 @@ VIR_LOG_INIT("rpc.netsaslcontext"); struct _virNetSASLContext { virObjectLockable parent; - const char *const*usernameWhitelist; + const char *const *usernameACL; }; struct _virNetSASLSession { @@ -121,7 +121,7 @@ virNetSASLContextPtr virNetSASLContextNewClient(void) return ctxt; } -virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitelist) +virNetSASLContextPtr virNetSASLContextNewServer(const char *const *usernameACL) { virNetSASLContextPtr ctxt; @@ -132,7 +132,7 @@ virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitel if (!(ctxt = virObjectLockableNew(virNetSASLContextClass))) return NULL; - ctxt->usernameWhitelist = usernameWhitelist; + ctxt->usernameACL = usernameACL; return ctxt; } @@ -146,7 +146,7 @@ int virNetSASLContextCheckIdentity(virNetSASLContextPtr ctxt, virObjectLock(ctxt); /* If the list is not set, allow any DN. */ - wildcards = ctxt->usernameWhitelist; + wildcards = ctxt->usernameACL; if (!wildcards) { ret = 1; /* No ACL, allow all */ goto cleanup; 
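Review bot: In the `@@ -146,7 +146,7 @@` hunk of virNetSASLContextCheckIdentity, the context comment directly above the renamed field still reads `/* If the list is not set, allow any DN. */`, although this function checks SASL usernames rather than x509 DNs. Since the commit is tidying ACL terminology, reword it to `/* If no username ACL is set, allow any identity. */` so the fail-open default (`ret = 1` when `usernameACL` is NULL) is stated accurately. The function body starts and ends outside the hunk.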
@@ -162,7 +162,7 @@ int virNetSASLContextCheckIdentity(virNetSASLContextPtr ctxt, } /* Denied */ - VIR_ERROR(_("SASL client identity '%s' not allowed in whitelist"), identity); + VIR_ERROR(_("SASL client identity '%s' not allowed by ACL"), identity); /* This is the most common error: make it informative. */ virReportError(VIR_ERR_SYSTEM_ERROR, "%s", diff --git a/src/rpc/virnetsaslcontext.h b/src/rpc/virnetsaslcontext.h index 4d1845e643..618230f42d 100644 --- a/src/rpc/virnetsaslcontext.h +++ b/src/rpc/virnetsaslcontext.h @@ -38,7 +38,7 @@ enum { }; virNetSASLContextPtr virNetSASLContextNewClient(void); -virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitelist); +virNetSASLContextPtr virNetSASLContextNewServer(const char *const *usernameACL); int virNetSASLContextCheckIdentity(virNetSASLContextPtr ctxt, const char *identity); diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index a8104cf484..168f3010ae 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c @@ -60,7 +60,7 @@ struct _virNetTLSContext { bool isServer; bool requireValidCert; - const char *const*x509dnWhitelist; + const char *const *x509dnACL; char *priority; }; @@ -356,8 +356,8 @@ static int virNetTLSContextCheckCertKeyPurpose(gnutls_x509_crt_t cert, /* Check DN is on tls_allowed_dn_list. */ static int -virNetTLSContextCheckCertDNWhitelist(const char *dname, - const char *const*wildcards) +virNetTLSContextCheckCertDNACL(const char *dname, + const char *const *wildcards) { while (*wildcards) { if (g_pattern_match_simple(*wildcards, dname)) @@ -367,7 +367,7 @@ virNetTLSContextCheckCertDNWhitelist(const char *dname, } /* Log the client's DN for debugging */ - VIR_DEBUG("Failed whitelist check for client DN '%s'", dname); + VIR_DEBUG("Failed ACL check for client DN '%s'", dname); /* This is the most common error: make it informative. */ virReportError(VIR_ERR_SYSTEM_ERROR, "%s", 
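Review bot: The one-line comment above virNetTLSContextCheckCertDNACL in the `@@ -356,8 +356,8 @@` hunk ("Check DN is on tls_allowed_dn_list.") does not say that the entries are glob patterns matched with `g_pattern_match_simple` against the whole DN string. It is worth documenting that `*` is not confined to a single RDN, so an entry ending in `CN=*` also accepts DNs that carry further components after the CN, and that the result depends on the exact string rendering of the DN. A suggested comment is `/* Match dname against each glob in the NULL-terminated ACL; '*' spans RDN boundaries. */`. The function body ends outside this hunk.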
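Review bot: A rejected TLS client DN is recorded only with `VIR_DEBUG` in the `@@ -367,7 +367,7 @@` hunk, while the equivalent SASL denial in virnetsaslcontext.c is logged with `VIR_ERROR`. If the `virReportError` message that follows (cut off by the hunk) does not include the DN, default logging will not show which identity was refused, which makes unauthorized or misconfigured clients harder to spot. For parity, consider `VIR_ERROR(_("TLS client DN '%s' not allowed by ACL"), dname);`.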
@@ -385,10 +385,10 @@ virNetTLSContextCheckCertDN(gnutls_x509_crt_t cert, const char *certFile, const char *hostname, const char *dname, - const char *const* whitelist) + const char *const *acl) { - if (whitelist && dname && - virNetTLSContextCheckCertDNWhitelist(dname, whitelist) <= 0) + if (acl && dname && + virNetTLSContextCheckCertDNACL(dname, acl) <= 0) return -1; if (hostname && @@ -675,7 +675,7 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert, const char *cacrl, const char *cert, const char *key, - const char *const*x509dnWhitelist, + const char *const *x509dnACL, const char *priority, bool sanityCheckCert, bool requireValidCert, @@ -740,7 +740,7 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert, } ctxt->requireValidCert = requireValidCert; - ctxt->x509dnWhitelist = x509dnWhitelist; + ctxt->x509dnACL = x509dnACL; ctxt->isServer = isServer; PROBE(RPC_TLS_CONTEXT_NEW, @@ -855,7 +855,7 @@ static int virNetTLSContextLocateCredentials(const char *pkipath, static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath, bool tryUserPkiPath, - const char *const*x509dnWhitelist, + const char *const *x509dnACL, const char *priority, bool sanityCheckCert, bool requireValidCert, @@ -869,7 +869,7 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath, return NULL; ctxt = virNetTLSContextNew(cacert, cacrl, cert, key, - x509dnWhitelist, priority, sanityCheckCert, + x509dnACL, priority, sanityCheckCert, requireValidCert, isServer); VIR_FREE(cacert); 
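Review bot: In virNetTLSContextCheckCertDN (`@@ -385,10 +385,10 @@`), the condition `if (acl && dname && ...)` skips the ACL check entirely when `dname` is NULL, so a configured ACL fails open on that path. The caller visible later in the patch passes a DN, but the other callers are outside the hunk. If NULL is only meant for local certificate sanity checks, say so with a comment such as `/* dname is NULL for local sanity checks, where the ACL does not apply */`; otherwise treat a missing DN as a denial whenever `acl` is set. The function body continues past the hunk.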
@@ -882,12 +882,12 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath, virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath, bool tryUserPkiPath, - const char *const*x509dnWhitelist, + const char *const *x509dnACL, const char *priority, bool sanityCheckCert, bool requireValidCert) { - return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist, priority, + return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnACL, priority, sanityCheckCert, requireValidCert, true); } @@ -906,12 +906,12 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert, const char *cacrl, const char *cert, const char *key, - const char *const*x509dnWhitelist, + const char *const *x509dnACL, const char *priority, bool sanityCheckCert, bool requireValidCert) { - return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist, priority, + return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnACL, priority, sanityCheckCert, requireValidCert, true); } @@ -1063,7 +1063,7 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt, VIR_DEBUG("Peer DN is %s", dname); if (virNetTLSContextCheckCertDN(cert, "[session]", sess->hostname, dname, - ctxt->x509dnWhitelist) < 0) { + ctxt->x509dnACL) < 0) { gnutls_x509_crt_deinit(cert); goto authdeny; } diff --git a/src/rpc/virnettlscontext.h b/src/rpc/virnettlscontext.h index fe885aed9a..8ac84027b2 100644 --- a/src/rpc/virnettlscontext.h +++ b/src/rpc/virnettlscontext.h @@ -34,7 +34,7 @@ void virNetTLSInit(void); virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath, bool tryUserPkiPath, - const char *const*x509dnWhitelist, + const char *const *x509dnACL, const char *priority, bool sanityCheckCert, bool requireValidCert); 
@@ -49,7 +49,7 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert, const char *cacrl, const char *cert, const char *key, - const char *const*x509dnWhitelist, + const char *const *x509dnACL, const char *priority, bool sanityCheckCert, bool requireValidCert); diff --git a/tests/virconfdata/libvirtd.conf b/tests/virconfdata/libvirtd.conf index 791d6c972b..6d1fd33dcd 100644 --- a/tests/virconfdata/libvirtd.conf +++ b/tests/virconfdata/libvirtd.conf @@ -174,11 +174,11 @@ crl_file = "/etc/pki/CA/crl.pem" # will be rejected. # # Default is to always verify. Uncommenting this will disable -# verification - make sure an IP whitelist is set +# verification. tls_no_verify_certificate = 1 -# A whitelist of allowed x509 Distinguished Names +# An access control list of allowed x509 Distinguished Names # This list may contain wildcards such as # # "C=GB,ST=London,L=London,O=Red Hat,CN=*" @@ -194,7 +194,7 @@ tls_no_verify_certificate = 1 tls_allowed_dn_list = ["DN1", "DN2"] -# A whitelist of allowed SASL usernames. The format for usernames +# An access control list of allowed SASL usernames. The format for usernames # depends on the SASL authentication mechanism. Kerberos usernames # look like username@REALM # diff --git a/tests/virconfdata/libvirtd.out b/tests/virconfdata/libvirtd.out index cfdd23fd21..ce50480b8c 100644 --- a/tests/virconfdata/libvirtd.out +++ b/tests/virconfdata/libvirtd.out @@ -140,9 +140,9 @@ crl_file = "/etc/pki/CA/crl.pem" # will be rejected. # # Default is to always verify. Uncommenting this will disable -# verification - make sure an IP whitelist is set +# verification. tls_no_verify_certificate = 1 -# A whitelist of allowed x509 Distinguished Names +# An access control list of allowed x509 Distinguished Names # This list may contain wildcards such as # # "C=GB,ST=London,L=London,O=Red Hat,CN=*" 
@@ -156,7 +156,7 @@ tls_no_verify_certificate = 1 # # By default, no DN's are checked tls_allowed_dn_list = [ "DN1", "DN2" ] -# A whitelist of allowed SASL usernames. The format for usernames +# An access control list of allowed SASL usernames. The format for usernames # depends on the SASL authentication mechanism. Kerberos usernames # look like username@REALM # -- 2.24.1