mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-10-30 09:53:10 +00:00
util: introduce concept of a system token into identities
We want a way to distinguish between calls from a libvirt daemon, and a regular client application when both are running as the same user account. This is not possible with the current set of attributes recorded against an identity, as there is nothing that is common to all of the modular libvirt daemons, while distinct to all other processes. We thus introduce the idea of a system token, which is simply a random hex string that is only known by the libvirt daemons, to be recorded against the system identity. Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
parent
1ca3959712
commit
d5d011f767
@ -2404,6 +2404,7 @@ virIdentityGetProcessTime;
|
|||||||
virIdentityGetSASLUserName;
|
virIdentityGetSASLUserName;
|
||||||
virIdentityGetSELinuxContext;
|
virIdentityGetSELinuxContext;
|
||||||
virIdentityGetSystem;
|
virIdentityGetSystem;
|
||||||
|
virIdentityGetSystemToken;
|
||||||
virIdentityGetUNIXGroupID;
|
virIdentityGetUNIXGroupID;
|
||||||
virIdentityGetUNIXUserID;
|
virIdentityGetUNIXUserID;
|
||||||
virIdentityGetUserName;
|
virIdentityGetUserName;
|
||||||
@ -2416,6 +2417,7 @@ virIdentitySetProcessID;
|
|||||||
virIdentitySetProcessTime;
|
virIdentitySetProcessTime;
|
||||||
virIdentitySetSASLUserName;
|
virIdentitySetSASLUserName;
|
||||||
virIdentitySetSELinuxContext;
|
virIdentitySetSELinuxContext;
|
||||||
|
virIdentitySetSystemToken;
|
||||||
virIdentitySetUNIXGroupID;
|
virIdentitySetUNIXGroupID;
|
||||||
virIdentitySetUNIXUserID;
|
virIdentitySetUNIXUserID;
|
||||||
virIdentitySetUserName;
|
virIdentitySetUserName;
|
||||||
|
@ -40,6 +40,8 @@
|
|||||||
|
|
||||||
#define VIR_FROM_THIS VIR_FROM_IDENTITY
|
#define VIR_FROM_THIS VIR_FROM_IDENTITY
|
||||||
|
|
||||||
|
#define VIR_CONNECT_IDENTITY_SYSTEM_TOKEN "system.token"
|
||||||
|
|
||||||
VIR_LOG_INIT("util.identity");
|
VIR_LOG_INIT("util.identity");
|
||||||
|
|
||||||
struct _virIdentity {
|
struct _virIdentity {
|
||||||
@ -382,6 +384,17 @@ int virIdentityGetSELinuxContext(virIdentity *ident,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int virIdentityGetSystemToken(virIdentity *ident,
|
||||||
|
const char **token)
|
||||||
|
{
|
||||||
|
*token = NULL;
|
||||||
|
return virTypedParamsGetString(ident->params,
|
||||||
|
ident->nparams,
|
||||||
|
VIR_CONNECT_IDENTITY_SYSTEM_TOKEN,
|
||||||
|
token);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
int virIdentitySetUserName(virIdentity *ident,
|
int virIdentitySetUserName(virIdentity *ident,
|
||||||
const char *username)
|
const char *username)
|
||||||
{
|
{
|
||||||
@ -554,6 +567,25 @@ int virIdentitySetSELinuxContext(virIdentity *ident,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int virIdentitySetSystemToken(virIdentity *ident,
|
||||||
|
const char *token)
|
||||||
|
{
|
||||||
|
if (virTypedParamsGet(ident->params,
|
||||||
|
ident->nparams,
|
||||||
|
VIR_CONNECT_IDENTITY_SYSTEM_TOKEN)) {
|
||||||
|
virReportError(VIR_ERR_OPERATION_DENIED, "%s",
|
||||||
|
_("Identity attribute is already set"));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return virTypedParamsAddString(&ident->params,
|
||||||
|
&ident->nparams,
|
||||||
|
&ident->maxparams,
|
||||||
|
VIR_CONNECT_IDENTITY_SYSTEM_TOKEN,
|
||||||
|
token);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
int virIdentitySetParameters(virIdentity *ident,
|
int virIdentitySetParameters(virIdentity *ident,
|
||||||
virTypedParameterPtr params,
|
virTypedParameterPtr params,
|
||||||
int nparams)
|
int nparams)
|
||||||
@ -577,6 +609,8 @@ int virIdentitySetParameters(virIdentity *ident,
|
|||||||
VIR_TYPED_PARAM_STRING,
|
VIR_TYPED_PARAM_STRING,
|
||||||
VIR_CONNECT_IDENTITY_SELINUX_CONTEXT,
|
VIR_CONNECT_IDENTITY_SELINUX_CONTEXT,
|
||||||
VIR_TYPED_PARAM_STRING,
|
VIR_TYPED_PARAM_STRING,
|
||||||
|
VIR_CONNECT_IDENTITY_SYSTEM_TOKEN,
|
||||||
|
VIR_TYPED_PARAM_STRING,
|
||||||
NULL) < 0)
|
NULL) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
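Review bot: virIdentitySetSystemToken() stores whatever string it is handed, so a NULL or empty token could be recorded as the system token, even though the commit message makes this attribute the one thing that separates a libvirt daemon from another process running as the same user. A guard placed before the virTypedParamsGet() check, `if (!token || !*token)` reporting `VIR_ERR_INVALID_ARG` and returning -1, would reject that case; how virTypedParamsAddString() treats a NULL value is not visible in this diff, so confirm that before relying on it. Both new accessors would also benefit from a short comment saying that the token is a secret shared only among the daemons, that it should be kept out of logs and error messages, and that the pointer returned through `token` is presumably owned by the identity and must not be freed by the caller. The last hunk lets virIdentitySetParameters() accept `system.token` from caller-supplied typed parameters with only a type check, so the code that later compares tokens is what actually enforces trust, and it lies outside this change.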
|
@ -52,6 +52,8 @@ int virIdentityGetX509DName(virIdentity *ident,
|
|||||||
const char **dname);
|
const char **dname);
|
||||||
int virIdentityGetSELinuxContext(virIdentity *ident,
|
int virIdentityGetSELinuxContext(virIdentity *ident,
|
||||||
const char **context);
|
const char **context);
|
||||||
|
int virIdentityGetSystemToken(virIdentity *ident,
|
||||||
|
const char **token);
|
||||||
|
|
||||||
|
|
||||||
int virIdentitySetUserName(virIdentity *ident,
|
int virIdentitySetUserName(virIdentity *ident,
|
||||||
@ -72,6 +74,8 @@ int virIdentitySetX509DName(virIdentity *ident,
|
|||||||
const char *dname);
|
const char *dname);
|
||||||
int virIdentitySetSELinuxContext(virIdentity *ident,
|
int virIdentitySetSELinuxContext(virIdentity *ident,
|
||||||
const char *context);
|
const char *context);
|
||||||
|
int virIdentitySetSystemToken(virIdentity *ident,
|
||||||
|
const char *token);
|
||||||
|
|
||||||
int virIdentitySetParameters(virIdentity *ident,
|
int virIdentitySetParameters(virIdentity *ident,
|
||||||
virTypedParameterPtr params,
|
virTypedParameterPtr params,
|
||||||
|