[libvirt] [PATCH 02/20] Secret manipulation step 2: Internal API

Daniel P. Berrange berrange at redhat.com
Thu Aug 27 16:39:55 UTC 2009 

On Thu, Aug 20, 2009 at 08:18:00PM +0200, Miloslav Trma?? wrote:
> Adds a new driver type.
> 
> Changes since the third submission:
> - Add "flags" parameter to virSecretDefineXML(), virSecretGetXMLDesc(),
>   virSecretGetValue(), virSecretSetValue(), and all derived interfaces.
> - Fix a copy&pasted comment
> ---
>  include/libvirt/virterror.h |    1 +
>  src/datatypes.c             |  155 +++++++++++++++++++++++++++++++++++++++++++
>  src/datatypes.h             |   28 ++++++++
>  src/driver.h                |   61 +++++++++++++++++
>  src/libvirt.c               |   53 +++++++++++++++
>  src/libvirt_private.syms    |    2 +
>  src/virterror.c             |    6 ++
>  7 files changed, 306 insertions(+), 0 deletions(-)

ACK, with exception of


> +typedef unsigned char *
> +    (*virDrvSecretGetValue)                  (virSecretPtr secret,
> +                                              size_t *value_size,
> +                                              bool libvirt_internal_call,
> +                                              unsigned int flags);

The 'bool libvirt_internal_call' bit is not too nice - the driver.h
prototypes should always match the public API prototypes exactly.

This is there so that public API callers can't get the value of a secret
which has the private='yes' attribute set in its XML. 

Ultimately this kind of thing needs to be done using a API-wide access
control mechanism in the public API, so that we can do more fine grained
control. eg, allow a sufficiently authenticated user to see even private
secrets, but not everyone else.

For now, I think we should just make use of the existing unused flags
parameter on this API - we already do that for a few other places.

eg, In secret_driver.h define a

 enum {
   VIR_SECRET_VALUE_PRIVATE = (1<<16)
 };


And in the virSecretGetValue() impl in src/libvirt.c, mask out the top
16 bits of the flags passed in from the public API, to prevent them
ever setting this flag behind our backs.  Thus, internal code can just
pass VIR_SECRET_VALUE_PRIVATE  directly to the driver methods (which
bypass the checking).

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

More information about the libvir-list mailing list