mirror of https://gitee.com/openkylin/libvirt.git
305cdc37f0
When using the fine grained access control mechanism for APIs, when a client connects to libvirtd, the latter will fetch the uid, gid, selinux info of the remote client on the UNIX domain socket. This is then used as the identity when checking ACLs. With the new split daemons things are a bit more complicated. The user can connect to virtproxyd, which in turn connects to virtqemud. When virtqemud requests the identity over the UNIX domain socket, it will get the identity that virtproxyd is running as, not the identity of the real end user/application. virproxyd knows what the real identity is, and needs to be able to forward this information to virtqemud. The virConnectSetIdentity API provides a mechanism for doing this. Obviously virtqemud should not accept such identity overrides from any client, it must only honour it from a trusted client, aka one running as the same uid/gid as itself. The typed parameters exposed in the API are the same as those currently supported by the internal virIdentity class, with a few small name changes. Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> |
||
|---|---|---|
| .. | ||
| Makefile.am | ||
| libvirt-admin.h | ||
| libvirt-common.h.in | ||
| libvirt-domain-checkpoint.h | ||
| libvirt-domain-snapshot.h | ||
| libvirt-domain.h | ||
| libvirt-event.h | ||
| libvirt-host.h | ||
| libvirt-interface.h | ||
| libvirt-lxc.h | ||
| libvirt-network.h | ||
| libvirt-nodedev.h | ||
| libvirt-nwfilter.h | ||
| libvirt-qemu.h | ||
| libvirt-secret.h | ||
| libvirt-storage.h | ||
| libvirt-stream.h | ||
| libvirt.h | ||
| virterror.h | ||