openkylin
/
libvirt
mirror of https://gitee.com/openkylin/libvirt.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

conf: Add new secret type "passphrase" 

Add a new secret type known as "passphrase" - it will handle adding the
secret objects that need a passphrase without a specific username.

The format is:

   <secret ...>
     <uuid>...</uuid>
     ...
     <usage type='passphrase'>
       <name>mumblyfratz</name>
     </usage>
   </secret>

Signed-off-by: John Ferlan <jferlan@redhat.com>
This commit is contained in:
John Ferlan 2016-06-01 15:00:57 -04:00
parent 3977c386f6
commit c84380106f
10 changed files with 119 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/aclpolkit.html.in
View File

@ -224,6 +224,10 @@
<td>secret_usage_target</td>
<td>Name of the associated iSCSI target, if any</td>
</tr>
<tr>
<td>secret_usage_name</td>
<td>Name of be associated passphrase secret, if any</td>
</tr>
</tbody>
</table>

57
docs/formatsecret.html.in
View File

@ -41,8 +41,9 @@
<dd>
Specifies what this secret is used for. A mandatory
<code>type</code> attribute specifies the usage category, currently
only <code>volume</code>, <code>ceph</code> and <code>iscsi</code>
are defined. Specific usage categories are described below.
only <code>volume</code>, <code>ceph</code>, <code>iscsi</code>,
and <code>passphrase</code> are defined. Specific usage categories
are described below.
</dd>
</dl>
@ -241,5 +242,57 @@
&lt;secret usage='libvirtiscsi'/&gt;
&lt;/auth&gt;
</pre>
<h3><a name="passphraseUsageType">Usage type "passphrase"</a></h3>
<p>
This secret is a general purpose secret to be used by various libvirt
objects to provide a single passphrase as required by the object in
order to perform its authentication.
<span class="since">Since 2.1.0</span>. The following is an example
of a secret.xml file:
</p>
<pre>
# cat secret.xml
&lt;secret ephemeral='no' private='yes'&gt;
&lt;description&gt;sample passphrase secret&lt;/description&gt;
&lt;usage type='passphrase'&gt;
&lt;name&gt;name_example&lt;/name&gt;
&lt;/usage&gt;
&lt;/secret&gt;
# virsh secret-define secret.xml
Secret 718c71bd-67b5-4a2b-87ec-a24e8ca200dc created
# virsh secret-list
UUID Usage
-----------------------------------------------------------
718c71bd-67b5-4a2b-87ec-a24e8ca200dc passphrase name_example
#
</pre>
<p>
A secret may also be defined via the
<a href="html/libvirt-libvirt-secret.html#virSecretDefineXML">
<code>virSecretDefineXML</code></a> API.
Once the secret is defined, a secret value will need to be set. This
value would be the same used to create and use the volume.
The following is a simple example of using
<code>virsh secret-set-value</code> to set the secret value. The
<a href="html/libvirt-libvirt-secret.html#virSecretSetValue">
<code>virSecretSetValue</code></a> API may also be used to set
a more secure secret without using printable/readable characters.
</p>
<pre>
# MYSECRET=`printf %s "letmein" | base64`
# virsh secret-set-value 718c71bd-67b5-4a2b-87ec-a24e8ca200dc $MYSECRET
Secret value set
</pre>
</body>
</html>

10
docs/schemas/secret.rng
View File

@ -36,6 +36,7 @@
<ref name='usagevolume'/>
<ref name='usageceph'/>
<ref name='usageiscsi'/>
<ref name='usagepassphrase'/>
<!-- More choices later -->
</choice>
</element>
@ -71,4 +72,13 @@
</element>
</define>
<define name='usagepassphrase'>
<attribute name='type'>
<value>passphrase</value>
</attribute>
<element name='name'>
<ref name='genericName'/>
</element>
</define>
</grammar>

3
include/libvirt/libvirt-secret.h
View File

@ -4,7 +4,7 @@
* Description: Provides APIs for the management of secrets
* Author: Daniel Veillard <veillard@redhat.com>
*
* Copyright (C) 2006-2014 Red Hat, Inc.
* Copyright (C) 2006-2014, 2016 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@ -43,6 +43,7 @@ typedef enum {
VIR_SECRET_USAGE_TYPE_VOLUME = 1,
VIR_SECRET_USAGE_TYPE_CEPH = 2,
VIR_SECRET_USAGE_TYPE_ISCSI = 3,
VIR_SECRET_USAGE_TYPE_PASSPHRASE = 4,
# ifdef VIR_ENUM_SENTINELS
VIR_SECRET_USAGE_TYPE_LAST

13
src/access/viraccessdriverpolkit.c
View File

@ -338,6 +338,19 @@ virAccessDriverPolkitCheckSecret(virAccessManagerPtr manager,
virAccessPermSecretTypeToString(perm),
attrs);
} break;
case VIR_SECRET_USAGE_TYPE_PASSPHRASE: {
const char *attrs[] = {
"connect_driver", driverName,
"secret_uuid", uuidstr,
"secret_usage_name", secret->usage.name,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"secret",
virAccessPermSecretTypeToString(perm),
attrs);
} break;
}
}

22
src/conf/secret_conf.c
View File

@ -29,6 +29,7 @@
#include "viralloc.h"
#include "secret_conf.h"
#include "virsecretobj.h"
#include "virstring.h"
#include "virerror.h"
#include "virxml.h"
#include "viruuid.h"
@ -38,7 +39,7 @@
VIR_LOG_INIT("conf.secret_conf");
VIR_ENUM_IMPL(virSecretUsage, VIR_SECRET_USAGE_TYPE_LAST,
"none", "volume", "ceph", "iscsi")
"none", "volume", "ceph", "iscsi", "passphrase")
const char *
virSecretUsageIDForDef(virSecretDefPtr def)
@ -56,6 +57,9 @@ virSecretUsageIDForDef(virSecretDefPtr def)
case VIR_SECRET_USAGE_TYPE_ISCSI:
return def->usage.target;
case VIR_SECRET_USAGE_TYPE_PASSPHRASE:
return def->usage.name;
default:
return NULL;
}
@ -85,6 +89,10 @@ virSecretDefFree(virSecretDefPtr def)
VIR_FREE(def->usage.target);
break;
case VIR_SECRET_USAGE_TYPE_PASSPHRASE:
VIR_FREE(def->usage.name);
break;
default:
VIR_ERROR(_("unexpected secret usage type %d"), def->usage_type);
break;
@ -145,6 +153,14 @@ virSecretDefParseUsage(xmlXPathContextPtr ctxt,
}
break;
case VIR_SECRET_USAGE_TYPE_PASSPHRASE:
if (!(def->usage.name = virXPathString("string(./usage/name)", ctxt))) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("passphrase usage specified, but name is missing"));
return -1;
}
break;
default:
virReportError(VIR_ERR_INTERNAL_ERROR,
_("unexpected secret usage type %d"),
@ -297,6 +313,10 @@ virSecretDefFormatUsage(virBufferPtr buf,
virBufferEscapeString(buf, "<target>%s</target>\n", def->usage.target);
break;
case VIR_SECRET_USAGE_TYPE_PASSPHRASE:
virBufferEscapeString(buf, "<name>%s</name>\n", def->usage.name);
break;
default:
virReportError(VIR_ERR_INTERNAL_ERROR,
_("unexpected secret usage type %d"),

1
src/conf/secret_conf.h
View File

@ -40,6 +40,7 @@ struct _virSecretDef {
char *volume; /* May be NULL */
char *ceph;
char *target;
char *name;
} usage;
};

5
src/conf/virsecretobj.c
View File

@ -237,6 +237,11 @@ virSecretObjSearchName(const void *payload,
if (STREQ(secret->def->usage.target, data->usageID))
found = 1;
break;
case VIR_SECRET_USAGE_TYPE_PASSPHRASE:
if (STREQ(secret->def->usage.name, data->usageID))
found = 1;
break;
}
cleanup:

7
tests/secretxml2xmlin/usage-passphrase.xml Normal file
View File

@ -0,0 +1,7 @@
<secret ephemeral='no' private='no'>
<uuid>f52a81b2-424e-490c-823d-6bd4235bc572</uuid>
<description>Sample Passphrase Secret</description>
<usage type='passphrase'>
<name>mumblyfratz</name>
</usage>
</secret>

1
tests/secretxml2xmltest.c
View File

@ -80,6 +80,7 @@ mymain(void)
DO_TEST("usage-volume");
DO_TEST("usage-ceph");
DO_TEST("usage-iscsi");
DO_TEST("usage-passphrase");
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}