[libvirt PATCH v2 09/10] src: elevate current identity privilege when fetching secret
Daniel P. Berrangé
berrange at redhat.com
Mon May 10 15:44:38 UTC 2021
On Mon, May 10, 2021 at 01:32:20PM +0200, Michal Prívozník wrote:
> On 5/7/21 6:24 PM, Daniel P. Berrangé wrote:
> > When fetching the value of a private secret, we need to use an elevated
> > identity otherwise the secret driver will deny access.
> >
> > When using the modular daemons, the elevated identity needs to be active
> > before the secret driver connection is opened, and it will apply to all
> > APIs calls made on that conncetion.
> >
> > When using the monolithic daemon, the identity at time of opening the
> > connection is ignored, and the elevated identity needs to be active
> > precisely at the time the virSecretGetValue API call is made.
> >
> > After acquiring the secret value, the elevated identity should be
> > cleared.
> >
> > This sounds complex, but is fairly straightfoward with the automatic
> > cleanup callbacks.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> > ---
> > src/libxl/libxl_conf.c | 5 +++++
> > src/qemu/qemu_domain.c | 11 ++++++++++-
> > src/qemu/qemu_tpm.c | 5 +++++
> > src/storage/storage_backend_iscsi.c | 5 +++++
> > src/storage/storage_backend_iscsi_direct.c | 5 +++++
> > src/storage/storage_backend_rbd.c | 5 +++++
> > src/storage/storage_util.c | 5 +++++
> > 7 files changed, 40 insertions(+), 1 deletion(-)
> >
>
>
> After this, I see qemuxml2argv test crash (because of NULL passed to
> open() in the area I'm raising in 03/10). With the fix I'm suggesting I
> see a different error:
>
> internal error: No current identity to elevate
>
> That's because we failed to initialize identity. Unfortunately, I will
> have to leave this up to you.
Yep, the test suite needs to call virIdentitySetCurrent now we have a
dependancy on the identity APIs for internal secret access.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
More information about the libvir-list
mailing list