[PATCH] docs: ACL: Show which permissions are allowed for unauthenticated connections

Peter Krempa posted 1 patch 1 year, 1 month ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/5d380b77688e0ebb1579be761e7cc6a05aaed00e.1676647992.git.pkrempa@redhat.com
docs/acl.html.in       | 3 ++-
scripts/genaclperms.py | 7 +++++++
2 files changed, 9 insertions(+), 1 deletion(-)
[PATCH] docs: ACL: Show which permissions are allowed for unauthenticated connections
Posted by Peter Krempa 1 year, 1 month ago
Certain APIs are allowed also without authentication but the ACL page
didn't outline which. Generate a new column with the information.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 docs/acl.html.in       | 3 ++-
 scripts/genaclperms.py | 7 +++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/docs/acl.html.in b/docs/acl.html.in
index 3d0f651864..268d3aebd3 100644
--- a/docs/acl.html.in
+++ b/docs/acl.html.in
@@ -20,7 +20,8 @@
       state, where the only API operations allowed are those required
       to complete authentication. After successful authentication, a
       connection either has full, unrestricted access to all libvirt
-      API calls, or is locked down to only "read only" operations,
+      API calls, or is locked down to only "read only" (see 'Anonymous'
+      in the table below) operations,
       according to what socket a client connection originated on.
     </p>

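Review bot: In the added lines of docs/acl.html.in the parenthetical is wedged between "read only" and "operations", which splits the phrase and mixes double and single quotes. Putting it at the end of the clause reads better, e.g. locked down to only "read only" operations (see the "Anonymous" column in the table below). This sentence also describes a connection after successful authentication, while the commit message presents the column as what is allowed without authentication, so the text should say which of the two the column documents.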
diff --git a/scripts/genaclperms.py b/scripts/genaclperms.py
index e228b3ef60..43616dad04 100755
--- a/scripts/genaclperms.py
+++ b/scripts/genaclperms.py
@@ -96,6 +96,7 @@ for obj in sorted(perms.keys()):
     print('        <tr>')
     print('          <th>Permission</th>')
     print('          <th>Description</th>')
+    print('          <th>Anonymous</th>')
     print('        </tr>')
     print('      </thead>')
     print('      <tbody>')
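Review bot: The header cell added here is labelled only 'Anonymous', which does not match the "read only" wording in acl.html.in or the "unauthenticated connections" wording in the subject line. A reader who lands on one of the per-object tables has no way to tell what a 'yes' in this column means; consider a label that uses the same term as the prose, or a one-line legend printed above the tables.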
@@ -103,6 +104,11 @@ for obj in sorted(perms.keys()):
     for perm in sorted(perms[obj].keys()):
         description = perms[obj][perm]["desc"]

+        if perms[obj][perm]["anonymous"]:
+            anonymous = 'yes'
+        else:
+            anonymous = ''
+
         if description is None:
             raise Exception("missing description for %s.%s" % (obj, perm))

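Review bot: perms[obj][perm]["anonymous"] is indexed directly, so a permission entry without that key stops generation with a bare KeyError, whereas the missing-description case right below raises an exception that names obj.perm. The code that fills perms is not part of this patch; unless it always sets "anonymous", use .get("anonymous") here or raise a similarly named error. The four-line if/else could also be written as one conditional expression.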
@@ -112,6 +118,7 @@ for obj in sorted(perms.keys()):
         print('        <tr>')
         print('          <td><a id="%s">%s</a></td>' % (plink, perm))
         print('          <td>%s</td>' % description)
+        print('          <td>%s</td>' % anonymous)
         print('        </tr>')

     print('      </tbody>')
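Review bot: The added td is printed empty for every permission that is not allowed anonymously, so in the rendered table a blank cell has to be read as "no". Emitting an explicit 'no' from the else branch of the previous hunk would make the table unambiguous for someone auditing what an unauthenticated client can do.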
-- 
2.39.1
Re: [PATCH] docs: ACL: Show which permissions are allowed for unauthenticated connections
Posted by Daniel P. Berrangé 1 year, 1 month ago
On Fri, Feb 17, 2023 at 04:33:12PM +0100, Peter Krempa wrote:
> Certain APIs are allowed also without authentication but the ACL page
> didn't outline which. Generate a new column with the information.
> 
> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> ---
>  docs/acl.html.in       | 3 ++-
>  scripts/genaclperms.py | 7 +++++++
>  2 files changed, 9 insertions(+), 1 deletion(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


> 
> diff --git a/docs/acl.html.in b/docs/acl.html.in
> index 3d0f651864..268d3aebd3 100644
> --- a/docs/acl.html.in
> +++ b/docs/acl.html.in
> @@ -20,7 +20,8 @@
>        state, where the only API operations allowed are those required
>        to complete authentication. After successful authentication, a
>        connection either has full, unrestricted access to all libvirt
> -      API calls, or is locked down to only "read only" operations,
> +      API calls, or is locked down to only "read only" (see 'Anonymous'
> +      in the table below) operations,
>        according to what socket a client connection originated on.
>      </p>
> 
> diff --git a/scripts/genaclperms.py b/scripts/genaclperms.py
> index e228b3ef60..43616dad04 100755
> --- a/scripts/genaclperms.py
> +++ b/scripts/genaclperms.py
> @@ -96,6 +96,7 @@ for obj in sorted(perms.keys()):
>      print('        <tr>')
>      print('          <th>Permission</th>')
>      print('          <th>Description</th>')
> +    print('          <th>Anonymous</th>')
>      print('        </tr>')
>      print('      </thead>')
>      print('      <tbody>')
> @@ -103,6 +104,11 @@ for obj in sorted(perms.keys()):
>      for perm in sorted(perms[obj].keys()):
>          description = perms[obj][perm]["desc"]
> 
> +        if perms[obj][perm]["anonymous"]:
> +            anonymous = 'yes'
> +        else:
> +            anonymous = ''
> +
>          if description is None:
>              raise Exception("missing description for %s.%s" % (obj, perm))
> 
> @@ -112,6 +118,7 @@ for obj in sorted(perms.keys()):
>          print('        <tr>')
>          print('          <td><a id="%s">%s</a></td>' % (plink, perm))
>          print('          <td>%s</td>' % description)
> +        print('          <td>%s</td>' % anonymous)
>          print('        </tr>')
> 
>      print('      </tbody>')
> -- 
> 2.39.1
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|