From 541a154e0f98604f63cb22356287dfa3858748c9 Mon Sep 17 00:00:00 2001
Message-Id: <541a154e0f98604f63cb22356287dfa3858748c9@dist-git>
From: John Ferlan <jferlan@redhat.com>
Date: Thu, 15 Nov 2018 06:43:59 -0500
Subject: [PATCH] access: Modify the VIR_ERR_ACCESS_DENIED to include
driverName
https://bugzilla.redhat.com/show_bug.cgi?id=1631608 (RHEL8)
https://bugzilla.redhat.com/show_bug.cgi?id=1631606 (RHEL7)
Changes made to manage and utilize a secondary connection
driver to APIs outside the scope of the primary connection
driver have resulted in some confusion processing polkit rules
since the simple "access denied" error message doesn't provide
enough of a clue when combined with the "authentication failed:
access denied by policy" as to which connection driver refused
or failed the ACL check.
In order to provide some context, let's modify the existing
"access denied" error returned from the various vir*EnsureACL
APIs to provide the connection driver name that is causing
the failure. This should provide the context for writing the
polkit rules that would allow access via the driver, but yet
still adhere to the virAccessManagerSanitizeError commentary
regarding not telling the user why access was denied.
Signed-off-by: John Ferlan <jferlan@redhat.com>
(cherry picked from commit 605496be609e153526fcdd3e98df8cf5244bc8fa)
Reviewed-by: Erik Skultety <eskultet@redhat.com>
---
src/access/viraccessmanager.c | 26 ++++++++++++++------------
src/rpc/gendispatch.pl | 3 ++-
2 files changed, 16 insertions(+), 13 deletions(-)
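--- a/src/access/viraccessmanager.c
+++ b/src/access/viraccessmanager.c
@@ -196,11 +196,13 @@ static void virAccessManagerDispose(void *object)
 * should the admin need to debug things
 */
 static int
-virAccessManagerSanitizeError(int ret)
+virAccessManagerSanitizeError(int ret,
+ const char *driverName)
 {
 if (ret < 0) {
 virResetLastError();
- virAccessError(VIR_ERR_ACCESS_DENIED, NULL);
+ virAccessError(VIR_ERR_ACCESS_DENIED,
+ _("'%s' denied access"), driverName);
 }
 
 return ret;
@@ -217,7 +219,7 @@ int virAccessManagerCheckConnect(virAccessManagerPtr manager,
 if (manager->drv->checkConnect)
 ret = manager->drv->checkConnect(manager, driverName, perm);
 
- return virAccessManagerSanitizeError(ret);
+ return virAccessManagerSanitizeError(ret, driverName);
 }
 
 
@@ -233,7 +235,7 @@ int virAccessManagerCheckDomain(virAccessManagerPtr manager,
 if (manager->drv->checkDomain)
 ret = manager->drv->checkDomain(manager, driverName, domain, perm);
 
- return virAccessManagerSanitizeError(ret);
+ return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckInterface(virAccessManagerPtr manager,
@@ -248,7 +250,7 @@ int virAccessManagerCheckInterface(virAccessManagerPtr manager,
 if (manager->drv->checkInterface)
 ret = manager->drv->checkInterface(manager, driverName, iface, perm);
 
- return virAccessManagerSanitizeError(ret);
+ return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
@@ -263,7 +265,7 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
 if (manager->drv->checkNetwork)
 ret = manager->drv->checkNetwork(manager, driverName, network, perm);
 
- return virAccessManagerSanitizeError(ret);
+ return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
@@ -278,7 +280,7 @@ int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
 if (manager->drv->checkNodeDevice)
 ret = manager->drv->checkNodeDevice(manager, driverName, nodedev, perm);
 
- return virAccessManagerSanitizeError(ret);
+ return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
@@ -293,7 +295,7 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
 if (manager->drv->checkNWFilter)
 ret = manager->drv->checkNWFilter(manager, driverName, nwfilter, perm);
 
- return virAccessManagerSanitizeError(ret);
+ return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
@@ -308,7 +310,7 @@ int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
 if (manager->drv->checkNWFilterBinding)
 ret = manager->drv->checkNWFilterBinding(manager, driverName, binding, perm);
 
- return virAccessManagerSanitizeError(ret);
+ return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckSecret(virAccessManagerPtr manager,
@@ -323,7 +325,7 @@ int virAccessManagerCheckSecret(virAccessManagerPtr manager,
 if (manager->drv->checkSecret)
 ret = manager->drv->checkSecret(manager, driverName, secret, perm);
 
- return virAccessManagerSanitizeError(ret);
+ return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckStoragePool(virAccessManagerPtr manager,
@@ -338,7 +340,7 @@ int virAccessManagerCheckStoragePool(virAccessManagerPtr manager,
 if (manager->drv->checkStoragePool)
 ret = manager->drv->checkStoragePool(manager, driverName, pool, perm);
 
- return virAccessManagerSanitizeError(ret);
+ return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
@@ -354,5 +356,5 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
 if (manager->drv->checkStorageVol)
 ret = manager->drv->checkStorageVol(manager, driverName, pool, vol, perm);
 
- return virAccessManagerSanitizeError(ret);
+ return virAccessManagerSanitizeError(ret, driverName);
 }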
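Review bot: virAccessManagerSanitizeError now formats driverName with `%s`, but nothing in the first hunk guards against a NULL driverName, and passing NULL for `%s` is undefined behavior in C (glibc happens to print "(null)", other libcs may fault). Every virAccessManagerCheck* caller in the later hunks forwards its own driverName parameter unchanged, so the guarantee rests on callers of the public APIs that are not visible here. A cheap guard keeps the error-reporting path from being the thing that crashes: `_("'%s' denied access"), NULLSTR(driverName));` (libvirt's NULLSTR helper, assuming internal.h is in scope in this file). The comment block above the function starts outside the hunk and should be updated to state that the message now names the driver while still withholding the reason, e.g. `* The driver name is reported so polkit rules can be targeted; the reason for the denial is still withheld.`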
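--- a/src/rpc/gendispatch.pl
+++ b/src/rpc/gendispatch.pl
@@ -2199,7 +2199,8 @@ elsif ($mode eq "client") {
 print " virObjectUnref(mgr);\n";
 if ($action eq "Ensure") {
 print " if (rv == 0)\n";
-print " virReportError(VIR_ERR_ACCESS_DENIED, NULL);\n";
+print " virReportError(VIR_ERR_ACCESS_DENIED,\n";
+print" _(\"'%s' denied access\"), conn->driver->name);\n";
 print " return $fail;\n";
 } else {
 print " virResetLastError();\n";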
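Review bot: The second added line is written `print"` with no space before the string, unlike every other `print "` statement in this hunk; for consistency it should read `print "  _(\"'%s' denied access\"), conn->driver->name);\n";`. The same message text is hard-coded again in virAccessManagerSanitizeError in viraccessmanager.c, so the two copies have to be kept in sync by hand or log consumers will see two differently worded denials for the same condition; a shared comment at both sites, e.g. `# keep in sync with virAccessManagerSanitizeError()`, would at least make the coupling visible. Whether `conn` is the connection variable in scope in the generated helper cannot be confirmed from this hunk, since the enclosing generator block starts and ends outside it.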
--
2.19.2