[PATCH 1/2] access: Allow 'node-device.read' permission for anonymous users

Peter Krempa posted 2 patches 2 years, 11 months ago
Posted by Peter Krempa 2 years, 11 months ago
For all other objects we allow the 'read' permission for anonymous
users. In fact the idea is to allow all permissions users using the
readonly connection would have.

This impacts the following APIs (in terms of RPC procedure names):

  $ git grep -A 3 node_device:read | grep REMOTE
  src/remote/remote_protocol.x-    REMOTE_PROC_NODE_DEVICE_GET_XML_DESC = 114,
  src/remote/remote_protocol.x-    REMOTE_PROC_NODE_DEVICE_GET_PARENT = 115,
  src/remote/remote_protocol.x-    REMOTE_PROC_NODE_DEVICE_NUM_OF_CAPS = 116,
  src/remote/remote_protocol.x-    REMOTE_PROC_NODE_DEVICE_LIST_CAPS = 117,
  src/remote/remote_protocol.x-    REMOTE_PROC_NODE_DEVICE_GET_AUTOSTART = 433,
  src/remote/remote_protocol.x-    REMOTE_PROC_NODE_DEVICE_IS_PERSISTENT = 435,
  src/remote/remote_protocol.x-    REMOTE_PROC_NODE_DEVICE_IS_ACTIVE = 436,

Fixes: a93cd08f
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/access/viraccessperm.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h
index 051246a7b6..2f04459ed9 100644
--- a/src/access/viraccessperm.h
+++ b/src/access/viraccessperm.h
@@ -473,6 +473,7 @@ typedef enum {
     /**
      * @desc: Read node device
      * @message: Reading node device configuration requires authorization
+     * @anonymous: 1
      */
     VIR_ACCESS_PERM_NODE_DEVICE_READ,

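Review bot: The added `@anonymous: 1` line on VIR_ACCESS_PERM_NODE_DEVICE_READ opens all seven RPC procedures listed in the commit message to anonymous users, but the message only asserts that this matches what a readonly connection may do. Please confirm in the commit message that each of them, REMOTE_PROC_NODE_DEVICE_GET_XML_DESC in particular since it returns the device XML description, is already callable on a readonly connection and returns nothing beyond what that connection exposes. If any of them takes flags that change how much detail is returned, say so here before the annotation lands.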
-- 
2.39.1
Re: [PATCH 1/2] access: Allow 'node-device.read' permission for anonymous users
Posted by Daniel P. Berrangé 2 years, 11 months ago
On Fri, Feb 17, 2023 at 04:11:10PM +0100, Peter Krempa wrote:
> For all other objects we allow the 'read' permission for anonymous
> users. In fact the idea is to allow all permissions users using the
> readonly connection would have.
> 
> This impacts the following APIs (in terms of RPC procedure names):
> 
>   $ git grep -A 3 node_device:read | grep REMOTE
>   src/remote/remote_protocol.x-    REMOTE_PROC_NODE_DEVICE_GET_XML_DESC = 114,
>   src/remote/remote_protocol.x-    REMOTE_PROC_NODE_DEVICE_GET_PARENT = 115,
>   src/remote/remote_protocol.x-    REMOTE_PROC_NODE_DEVICE_NUM_OF_CAPS = 116,
>   src/remote/remote_protocol.x-    REMOTE_PROC_NODE_DEVICE_LIST_CAPS = 117,
>   src/remote/remote_protocol.x-    REMOTE_PROC_NODE_DEVICE_GET_AUTOSTART = 433,
>   src/remote/remote_protocol.x-    REMOTE_PROC_NODE_DEVICE_IS_PERSISTENT = 435,
>   src/remote/remote_protocol.x-    REMOTE_PROC_NODE_DEVICE_IS_ACTIVE = 436,
> 
> Fixes: a93cd08f
> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> ---
>  src/access/viraccessperm.h | 1 +
>  1 file changed, 1 insertion(+)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


> 
> diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h
> index 051246a7b6..2f04459ed9 100644
> --- a/src/access/viraccessperm.h
> +++ b/src/access/viraccessperm.h
> @@ -473,6 +473,7 @@ typedef enum {
>      /**
>       * @desc: Read node device
>       * @message: Reading node device configuration requires authorization
> +     * @anonymous: 1
>       */
>      VIR_ACCESS_PERM_NODE_DEVICE_READ,
> 
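Review bot: Nothing around the `@anonymous: 1` line in this doc comment records why the annotation is set, so the next permission added to this enum can miss it the same way this one did. A short sentence in the comment block, or a build-time check that every read permission carries `@anonymous: 1`, would keep the rule stated in the commit message ("for all other objects we allow the 'read' permission for anonymous users") from drifting again.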
> -- 
> 2.39.1
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|