From nobody Thu Apr 25 07:22:33 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28
 as permitted sender) client-ip=209.132.183.28;
 envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
Return-Path: <libvir-list-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by
 mx.zohomail.com
	with SMTPS id 1539614235299121.79801861378166;
 Mon, 15 Oct 2018 07:37:15 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com
 [10.5.11.11])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 5F1E130588D2;
	Mon, 15 Oct 2018 14:37:12 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 213927A25F;
	Mon, 15 Oct 2018 14:37:12 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id BDF23180613A;
	Mon, 15 Oct 2018 14:37:11 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com
	[10.5.11.12])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id w9FEQe61006933 for <libvir-list@listman.util.phx.redhat.com>;
	Mon, 15 Oct 2018 10:26:40 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id 2EAC0850F; Mon, 15 Oct 2018 14:26:40 +0000 (UTC)
Received: from unknown54ee7586bd10.attlocal.net.com
	(ovpn-116-156.phx2.redhat.com [10.3.116.156])
	by smtp.corp.redhat.com (Postfix) with ESMTP id DB05A770EF
	for <libvir-list@redhat.com>; Mon, 15 Oct 2018 14:26:39 +0000 (UTC)
From: John Ferlan <jferlan@redhat.com>
To: libvir-list@redhat.com
Date: Mon, 15 Oct 2018 10:26:33 -0400
Message-Id: <20181015142634.26205-2-jferlan@redhat.com>
In-Reply-To: <20181015142634.26205-1-jferlan@redhat.com>
References: <20181015142634.26205-1-jferlan@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-loop: libvir-list@redhat.com
Subject: [libvirt] [PATCH 1/2] access: Modify the VIR_ERR_ACCESS_DENIED to
	include driverName
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.41]);
 Mon, 15 Oct 2018 14:37:13 +0000 (UTC)
X-ZohoMail: RDMRC_0  RSF_0  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

https://bugzilla.redhat.com/show_bug.cgi?id=3D1631606

Changes made to manage and utilize a secondary connection
driver to APIs outside the scope of the primary connection
driver have resulted in some confusion processing polkit rules
since the simple "access denied" error message doesn't provide
enough of a clue when combined with the "authentication failed:
access denied by policy" as to which connection driver refused
or failed the ACL check.

In order to provide some context, let's modify the existing
"access denied" error returne from the various vir*EnsureACL
API's to provide the connection driver name that is causing
the failure. This should provide the context for writing the
polkit rules that would allow access via the driver.

Signed-off-by: John Ferlan <jferlan@redhat.com>
---
 src/access/viraccessmanager.c | 25 +++++++++++++------------
 src/rpc/gendispatch.pl        |  2 +-
 src/util/virerror.c           |  4 ++--
 3 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c
index e7b5bf38da..1dfff32b9d 100644
--- a/src/access/viraccessmanager.c
+++ b/src/access/viraccessmanager.c
@@ -196,11 +196,12 @@ static void virAccessManagerDispose(void *object)
  * should the admin need to debug things
  */
 static int
-virAccessManagerSanitizeError(int ret)
+virAccessManagerSanitizeError(int ret,
+                              const char *driverName)
 {
     if (ret < 0) {
         virResetLastError();
-        virAccessError(VIR_ERR_ACCESS_DENIED, NULL);
+        virAccessError(VIR_ERR_ACCESS_DENIED, driverName, NULL);
     }
=20
     return ret;
@@ -217,7 +218,7 @@ int virAccessManagerCheckConnect(virAccessManagerPtr ma=
nager,
     if (manager->drv->checkConnect)
         ret =3D manager->drv->checkConnect(manager, driverName, perm);
=20
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
=20
=20
@@ -233,7 +234,7 @@ int virAccessManagerCheckDomain(virAccessManagerPtr man=
ager,
     if (manager->drv->checkDomain)
         ret =3D manager->drv->checkDomain(manager, driverName, domain, per=
m);
=20
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
=20
 int virAccessManagerCheckInterface(virAccessManagerPtr manager,
@@ -248,7 +249,7 @@ int virAccessManagerCheckInterface(virAccessManagerPtr =
manager,
     if (manager->drv->checkInterface)
         ret =3D manager->drv->checkInterface(manager, driverName, iface, p=
erm);
=20
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
=20
 int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
@@ -263,7 +264,7 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr ma=
nager,
     if (manager->drv->checkNetwork)
         ret =3D manager->drv->checkNetwork(manager, driverName, network, p=
erm);
=20
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
=20
 int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
@@ -278,7 +279,7 @@ int virAccessManagerCheckNodeDevice(virAccessManagerPtr=
 manager,
     if (manager->drv->checkNodeDevice)
         ret =3D manager->drv->checkNodeDevice(manager, driverName, nodedev=
, perm);
=20
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
=20
 int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
@@ -293,7 +294,7 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr m=
anager,
     if (manager->drv->checkNWFilter)
         ret =3D manager->drv->checkNWFilter(manager, driverName, nwfilter,=
 perm);
=20
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
=20
 int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
@@ -308,7 +309,7 @@ int virAccessManagerCheckNWFilterBinding(virAccessManag=
erPtr manager,
     if (manager->drv->checkNWFilterBinding)
         ret =3D manager->drv->checkNWFilterBinding(manager, driverName, bi=
nding, perm);
=20
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
=20
 int virAccessManagerCheckSecret(virAccessManagerPtr manager,
@@ -323,7 +324,7 @@ int virAccessManagerCheckSecret(virAccessManagerPtr man=
ager,
     if (manager->drv->checkSecret)
         ret =3D manager->drv->checkSecret(manager, driverName, secret, per=
m);
=20
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
=20
 int virAccessManagerCheckStoragePool(virAccessManagerPtr manager,
@@ -338,7 +339,7 @@ int virAccessManagerCheckStoragePool(virAccessManagerPt=
r manager,
     if (manager->drv->checkStoragePool)
         ret =3D manager->drv->checkStoragePool(manager, driverName, pool, =
perm);
=20
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
=20
 int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
@@ -354,5 +355,5 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr=
 manager,
     if (manager->drv->checkStorageVol)
         ret =3D manager->drv->checkStorageVol(manager, driverName, pool, v=
ol, perm);
=20
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
index 0c4648c0fb..f599002056 100755
--- a/src/rpc/gendispatch.pl
+++ b/src/rpc/gendispatch.pl
@@ -2199,7 +2199,7 @@ elsif ($mode eq "client") {
                     print "        virObjectUnref(mgr);\n";
                     if ($action eq "Ensure") {
                         print "        if (rv =3D=3D 0)\n";
-                        print "            virReportError(VIR_ERR_ACCESS_D=
ENIED, NULL);\n";
+                        print "            virReportError(VIR_ERR_ACCESS_D=
ENIED, conn->driver->name, NULL);\n";
                         print "        return $fail;\n";
                     } else {
                         print "        virResetLastError();\n";
diff --git a/src/util/virerror.c b/src/util/virerror.c
index 683e51aa19..10f1b55c5f 100644
--- a/src/util/virerror.c
+++ b/src/util/virerror.c
@@ -1442,9 +1442,9 @@ virErrorMsg(virErrorNumber error, const char *info)
             break;
         case VIR_ERR_ACCESS_DENIED:
             if (info =3D=3D NULL)
-                errmsg =3D _("access denied");
+                errmsg =3D _("access denied from '%s'");
             else
-                errmsg =3D _("access denied: %s");
+                errmsg =3D _("access denied from '%s': %s");
             break;
         case VIR_ERR_DBUS_SERVICE:
             if (info =3D=3D NULL)
--=20
2.17.2

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
From nobody Thu Apr 25 07:22:33 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28
 as permitted sender) client-ip=209.132.183.28;
 envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
Return-Path: <libvir-list-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by
 mx.zohomail.com
	with SMTPS id 1539614538525924.5554687638135;
 Mon, 15 Oct 2018 07:42:18 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com
 [10.5.11.13])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 2C7EF30C0EB1;
	Mon, 15 Oct 2018 14:42:16 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 6E22685679;
	Mon, 15 Oct 2018 14:42:15 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 700F74CAA0;
	Mon, 15 Oct 2018 14:42:14 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com
	[10.5.11.12])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id w9FEQeo7006938 for <libvir-list@listman.util.phx.redhat.com>;
	Mon, 15 Oct 2018 10:26:40 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id A0EEA850F; Mon, 15 Oct 2018 14:26:40 +0000 (UTC)
Received: from unknown54ee7586bd10.attlocal.net.com
	(ovpn-116-156.phx2.redhat.com [10.3.116.156])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 5A8E96715B
	for <libvir-list@redhat.com>; Mon, 15 Oct 2018 14:26:40 +0000 (UTC)
From: John Ferlan <jferlan@redhat.com>
To: libvir-list@redhat.com
Date: Mon, 15 Oct 2018 10:26:34 -0400
Message-Id: <20181015142634.26205-3-jferlan@redhat.com>
In-Reply-To: <20181015142634.26205-1-jferlan@redhat.com>
References: <20181015142634.26205-1-jferlan@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-loop: libvir-list@redhat.com
Subject: [libvirt] [PATCH 2/2] docs: Enhance polkit documentation to
	describe secondary connection
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]);
 Mon, 15 Oct 2018 14:42:17 +0000 (UTC)
X-ZohoMail: RDMRC_0  RSF_0  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

https://bugzilla.redhat.com/show_bug.cgi?id=3D1631608

Since commit 8259255 usage of a primary connection driver for
a virConnect has been modified to open (virConnectOpen) and use
a connection to the specific driver in order to handle the API
calls to/for that driver. This causes some confusion and issues
for ACL polkit rule scripts to know exactly which driver by
name will be used.

Add some documentation describing the processing of the primary
and secondary connection as well as the list of the connect_driver
names used for each driver.

Signed-off-by: John Ferlan <jferlan@redhat.com>
---
 docs/aclpolkit.html.in | 117 +++++++++++++++++++++++++++++++++++++++++
 docs/libvirt.css       |   1 +
 2 files changed, 118 insertions(+)

diff --git a/docs/aclpolkit.html.in b/docs/aclpolkit.html.in
index ee00b98461..ac54f125da 100644
--- a/docs/aclpolkit.html.in
+++ b/docs/aclpolkit.html.in
@@ -287,6 +287,123 @@
       </tbody>
     </table>
=20
+    <h2><a id=3D"connect_driver">Hypervisor Driver connect_driver</a></h2>
+    <p>
+      The <code>connect_driver</code> parameter describes the
+      client's <a href=3D"remote.html">remote Connection Driver</a>
+      name based on the <a href=3D"uri.html">URI</a> used for the
+      connection.
+    </p>
+    <p>
+      <span class=3D"since">Since 4.1.0</span>, when calling an API
+      outside the scope of the primary connection driver, the
+      primary driver will attempt to open a secondary connection
+      to the specific API driver in order to process the API. For
+      example, when hypervisor domain processing needs to make an
+      API call within the storage driver or the network filter driver
+      an attempt to open a connection to the "storage" or "nwfilter"
+      driver will be made. Similarly, a "storage" primary connection
+      may need to create a connection to the "secret" driver in order
+      to process secrets for the API. If successful, then calls to
+      those API's will occur in the <code>connect_driver</code> context
+      of the secondary connection driver rather than in the context of
+      the primary driver. This affects the <code>connect_driver</code>
+      returned from rule generation from the <code>action.loookup</code>
+      function. The following table provides a list of the various
+      connection drivers and the <code>connect_driver</code> name
+      used by each regardless of primary or secondary connection.
+      The access denied error message from libvirt will list the
+      connection driver by name that denied the access.
+    </p>
+
+    <h3><a id=3D"object_connect_driver">Connection Driver Name</a></h3>
+    <table class=3D"acl">
+      <thead>
+        <tr>
+          <th>Connection Driver</th>
+          <th><code>connect_driver</code> name</th>
+        </tr>
+      </thead>
+      <tbody>
+        <tr>
+          <td>bhyve</td>
+          <td>bhyve</td>
+        </tr>
+        <tr>
+          <td>esx</td>
+          <td>ESX</td>
+        </tr>
+        <tr>
+          <td>hyperv</td>
+          <td>Hyper-V</td>
+        </tr>
+        <tr>
+          <td>interface</td>
+          <td>interface</td>
+        </tr>
+        <tr>
+          <td>libxl</td>
+          <td>xenlight</td>
+        </tr>
+        <tr>
+          <td>lxc</td>
+          <td>LXC</td>
+        </tr>
+        <tr>
+          <td>network</td>
+          <td>network</td>
+        </tr>
+        <tr>
+          <td>nodedev</td>
+          <td>nodedev</td>
+        </tr>
+        <tr>
+          <td>nwfilter</td>
+          <td>NWFilter</td>
+        </tr>
+        <tr>
+          <td>openvz</td>
+          <td>OPENVZ</td>
+        </tr>
+        <tr>
+          <td>phyp</td>
+          <td>PHYP</td>
+        </tr>
+        <tr>
+          <td>qemu</td>
+          <td>QEMU</td>
+        </tr>
+        <tr>
+          <td>secret</td>
+          <td>secret</td>
+        </tr>
+        <tr>
+          <td>storage</td>
+          <td>storage</td>
+        </tr>
+        <tr>
+          <td>uml</td>
+          <td>UML</td>
+        </tr>
+        <tr>
+          <td>vbox</td>
+          <td>VBOX</td>
+        </tr>
+        <tr>
+          <td>vmware</td>
+          <td>VMWARE</td>
+        </tr>
+        <tr>
+          <td>vz</td>
+          <td>vz</td>
+        </tr>
+        <tr>
+          <td>xenapi</td>
+          <td>XenAPI</td>
+        </tr>
+      </tbody>
+    </table>
+
=20
     <h2><a id=3D"user">User identity attributes</a></h2>
=20
diff --git a/docs/libvirt.css b/docs/libvirt.css
index b2ed33926a..e590b33cfb 100644
--- a/docs/libvirt.css
+++ b/docs/libvirt.css
@@ -393,6 +393,7 @@ table.acl {
=20
 table.acl tr, table.acl td {
     padding: 0.3em;
+    border: 1px solid #ccc;
 }
=20
 table.acl thead {
--=20
2.17.2

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list