External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-20 07:59:00 +00:00
Code

Add ACL annotations to all RPC messages

Browse Source 
Introduce annotations to all RPC messages to declare what
access control checks are required. There are two new
annotations defined:

 @acl: <object>:<permission>
 @acl: <object>:<permission>:<flagname>

  Declare the access control requirements for the API. May be repeated
  multiple times, if multiple rules are required.

    <object> is one of 'connect', 'domain', 'network', 'storagepool',
             'interface', 'nodedev', 'secret'.
    <permission> is one of the permissions in access/viraccessperm.h
    <flagname> indicates the rule only applies if the named flag
    is set in the API call

 @aclfilter: <object>:<permission>

  Declare an access control filter that will be applied to a list
  of objects being returned by an API. This allows the returned
  list to be filtered to only show those the user has permissions
  against

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrange 2013-04-18 12:08:47 +01:00
parent b904bba7f4
commit e341435e50
5 changed files with 420 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/locking/lock_protocol.x
View File

@ -105,41 +105,49 @@ enum virLockSpaceProtocolProcedure {
/**
* @generate: none
* @acl: none
*/
VIR_LOCK_SPACE_PROTOCOL_PROC_REGISTER = 1,
/**
* @generate: none
* @acl: none
*/
VIR_LOCK_SPACE_PROTOCOL_PROC_RESTRICT = 2,
/**
* @generate: none
* @acl: none
*/
VIR_LOCK_SPACE_PROTOCOL_PROC_NEW = 3,
/**
* @generate: none
* @acl: none
*/
VIR_LOCK_SPACE_PROTOCOL_PROC_CREATE_RESOURCE = 4,
/**
* @generate: none
* @acl: none
*/
VIR_LOCK_SPACE_PROTOCOL_PROC_DELETE_RESOURCE = 5,
/**
* @generate: none
* @acl: none
*/
VIR_LOCK_SPACE_PROTOCOL_PROC_ACQUIRE_RESOURCE = 6,
/**
* @generate: none
* @acl: none
*/
VIR_LOCK_SPACE_PROTOCOL_PROC_RELEASE_RESOURCE = 7,
/**
* @generate: none
* @acl: none
*/
VIR_LOCK_SPACE_PROTOCOL_PROC_CREATE_LOCKSPACE = 8
};

1
src/remote/lxc_protocol.x
View File

@ -65,6 +65,7 @@ enum lxc_procedure {
/**
* @generate: none
* @priority: low
* @acl: domain:open_namespace
*/
LXC_PROC_DOMAIN_OPEN_NAMESPACE = 1
};

4
src/remote/qemu_protocol.x
View File

@ -91,18 +91,22 @@ enum qemu_procedure {
/**
* @generate: none
* @priority: low
* @acl: domain:write
*/
QEMU_PROC_DOMAIN_MONITOR_COMMAND = 1,
/**
* @generate: both
* @priority: low
* @acl: domain:start
* @acl: domain:write
*/
QEMU_PROC_DOMAIN_ATTACH = 2,
/**
* @generate: both
* @priority: low
* @acl: domain:write
*/
QEMU_PROC_DOMAIN_AGENT_COMMAND = 3
};

406
src/remote/remote_protocol.x
View File

File diff suppressed because it is too large Load Diff

2
src/rpc/gendispatch.pl
View File

@ -123,7 +123,7 @@ while (<PROTOCOL>) {
push(@{$calls{$name}->{ret_members}}, $1);
}
} elsif ($collect_opts) {
if (m,^\s*\*\s*\@(\w+)\s*:\s*(\w+)\s*$,) {
if (m,^\s*\*\s*\@(\w+)\s*:\s*((?:\w|:|\!|\|)+)\s*$,) {
$opts{$1} = $2;
} elsif (m,^\s*\*/\s*$,) {
$collect_opts = 0;