NuKVM/libvirt
3
0
Fork 0
mirror of https://github.com/libvirt/libvirt.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

access: Modify the VIR_ERR_ACCESS_DENIED to include driverName

Browse Source 
https://bugzilla.redhat.com/show_bug.cgi?id=1631606

Changes made to manage and utilize a secondary connection
driver to APIs outside the scope of the primary connection
driver have resulted in some confusion processing polkit rules
since the simple "access denied" error message doesn't provide
enough of a clue when combined with the "authentication failed:
access denied by policy" as to which connection driver refused
or failed the ACL check.

In order to provide some context, let's modify the existing
"access denied" error returned from the various vir*EnsureACL
API's to provide the connection driver name that is causing
the failure. This should provide the context for writing the
polkit rules that would allow access via the driver, but yet
still adhere to the virAccessManagerSanitizeError commentary
regarding not telling the user why access was denied.

Signed-off-by: John Ferlan <jferlan@redhat.com>
This commit is contained in:
John Ferlan 2018-11-12 08:15:02 -05:00
parent b08396a5fe
commit 605496be60
2 changed files with 16 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/access/viraccessmanager.c
View File

@ -196,11 +196,13 @@ static void virAccessManagerDispose(void *object)
* should the admin need to debug things * should the admin need to debug things
*/ */
static int static int
virAccessManagerSanitizeError(int ret) virAccessManagerSanitizeError(int ret,
const char *driverName)
{ {
if (ret < 0) { if (ret < 0) {
virResetLastError(); virResetLastError();
virAccessError(VIR_ERR_ACCESS_DENIED, NULL); virAccessError(VIR_ERR_ACCESS_DENIED,
_("'%s' denied access"), driverName);
} }
return ret; return ret;
@ -217,7 +219,7 @@ int virAccessManagerCheckConnect(virAccessManagerPtr manager,
if (manager->drv->checkConnect) if (manager->drv->checkConnect)
ret = manager->drv->checkConnect(manager, driverName, perm); ret = manager->drv->checkConnect(manager, driverName, perm);
return virAccessManagerSanitizeError(ret); return virAccessManagerSanitizeError(ret, driverName);
} }
@ -233,7 +235,7 @@ int virAccessManagerCheckDomain(virAccessManagerPtr manager,
if (manager->drv->checkDomain) if (manager->drv->checkDomain)
ret = manager->drv->checkDomain(manager, driverName, domain, perm); ret = manager->drv->checkDomain(manager, driverName, domain, perm);
return virAccessManagerSanitizeError(ret); return virAccessManagerSanitizeError(ret, driverName);
} }
int virAccessManagerCheckInterface(virAccessManagerPtr manager, int virAccessManagerCheckInterface(virAccessManagerPtr manager,
@ -248,7 +250,7 @@ int virAccessManagerCheckInterface(virAccessManagerPtr manager,
if (manager->drv->checkInterface) if (manager->drv->checkInterface)
ret = manager->drv->checkInterface(manager, driverName, iface, perm); ret = manager->drv->checkInterface(manager, driverName, iface, perm);
return virAccessManagerSanitizeError(ret); return virAccessManagerSanitizeError(ret, driverName);
} }
int virAccessManagerCheckNetwork(virAccessManagerPtr manager, int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
@ -263,7 +265,7 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
if (manager->drv->checkNetwork) if (manager->drv->checkNetwork)
ret = manager->drv->checkNetwork(manager, driverName, network, perm); ret = manager->drv->checkNetwork(manager, driverName, network, perm);
return virAccessManagerSanitizeError(ret); return virAccessManagerSanitizeError(ret, driverName);
} }
int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager, int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
@ -278,7 +280,7 @@ int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
if (manager->drv->checkNodeDevice) if (manager->drv->checkNodeDevice)
ret = manager->drv->checkNodeDevice(manager, driverName, nodedev, perm); ret = manager->drv->checkNodeDevice(manager, driverName, nodedev, perm);
return virAccessManagerSanitizeError(ret); return virAccessManagerSanitizeError(ret, driverName);
} }
int virAccessManagerCheckNWFilter(virAccessManagerPtr manager, int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
@ -293,7 +295,7 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
if (manager->drv->checkNWFilter) if (manager->drv->checkNWFilter)
ret = manager->drv->checkNWFilter(manager, driverName, nwfilter, perm); ret = manager->drv->checkNWFilter(manager, driverName, nwfilter, perm);
return virAccessManagerSanitizeError(ret); return virAccessManagerSanitizeError(ret, driverName);
} }
int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager, int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
@ -308,7 +310,7 @@ int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
if (manager->drv->checkNWFilterBinding) if (manager->drv->checkNWFilterBinding)
ret = manager->drv->checkNWFilterBinding(manager, driverName, binding, perm); ret = manager->drv->checkNWFilterBinding(manager, driverName, binding, perm);
return virAccessManagerSanitizeError(ret); return virAccessManagerSanitizeError(ret, driverName);
} }
int virAccessManagerCheckSecret(virAccessManagerPtr manager, int virAccessManagerCheckSecret(virAccessManagerPtr manager,
@ -323,7 +325,7 @@ int virAccessManagerCheckSecret(virAccessManagerPtr manager,
if (manager->drv->checkSecret) if (manager->drv->checkSecret)
ret = manager->drv->checkSecret(manager, driverName, secret, perm); ret = manager->drv->checkSecret(manager, driverName, secret, perm);
return virAccessManagerSanitizeError(ret); return virAccessManagerSanitizeError(ret, driverName);
} }
int virAccessManagerCheckStoragePool(virAccessManagerPtr manager, int virAccessManagerCheckStoragePool(virAccessManagerPtr manager,
@ -338,7 +340,7 @@ int virAccessManagerCheckStoragePool(virAccessManagerPtr manager,
if (manager->drv->checkStoragePool) if (manager->drv->checkStoragePool)
ret = manager->drv->checkStoragePool(manager, driverName, pool, perm); ret = manager->drv->checkStoragePool(manager, driverName, pool, perm);
return virAccessManagerSanitizeError(ret); return virAccessManagerSanitizeError(ret, driverName);
} }
int virAccessManagerCheckStorageVol(virAccessManagerPtr manager, int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
@ -354,5 +356,5 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
if (manager->drv->checkStorageVol) if (manager->drv->checkStorageVol)
ret = manager->drv->checkStorageVol(manager, driverName, pool, vol, perm); ret = manager->drv->checkStorageVol(manager, driverName, pool, vol, perm);
return virAccessManagerSanitizeError(ret); return virAccessManagerSanitizeError(ret, driverName);
} }

3
src/rpc/gendispatch.pl
View File

@ -2199,7 +2199,8 @@ elsif ($mode eq "client") {
print " virObjectUnref(mgr);\n"; print " virObjectUnref(mgr);\n";
if ($action eq "Ensure") { if ($action eq "Ensure") {
print " if (rv == 0)\n"; print " if (rv == 0)\n";
print " virReportError(VIR_ERR_ACCESS_DENIED, NULL);\n"; print " virReportError(VIR_ERR_ACCESS_DENIED,\n";
print" _(\"'%s' denied access\"), conn->driver->name);\n";
print " return $fail;\n"; print " return $fail;\n";
} else { } else {
print " virResetLastError();\n"; print " virResetLastError();\n";