From 075028e74f4d11c8b0d3bb3e857e4811b148a4e1 Mon Sep 17 00:00:00 2001
Message-Id: <075028e74f4d11c8b0d3bb3e857e4811b148a4e1@dist-git>
From: John Ferlan <jferlan@redhat.com>
Date: Mon, 5 Nov 2018 07:48:38 -0500
Subject: [PATCH] docs: Enhance polkit documentation to describe secondary
connection
https://bugzilla.redhat.com/show_bug.cgi?id=1631608 (RHEL 8.0)
https://bugzilla.redhat.com/show_bug.cgi?id=1631606 (RHEL 7.7)
Since commit 8259255 usage of a primary connection driver for
a virConnect has been modified to open (virConnectOpen) and use
a connection to the specific driver in order to handle the API
calls to/for that driver. This causes some confusion and issues
for ACL polkit rule scripts to know exactly which driver by
name will be used.
Add some documentation describing the processing of the primary
and secondary connection as well as the list of the connect_driver
names used for each driver.
Signed-off-by: John Ferlan <jferlan@redhat.com>
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 4f1107614dc1384c4aa7a5582a16aecba8b9310f)
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
---
docs/aclpolkit.html.in | 117 +++++++++++++++++++++++++++++++++++++++++
docs/libvirt.css | 1 +
2 files changed, 118 insertions(+)
diff --git a/docs/aclpolkit.html.in b/docs/aclpolkit.html.in
index ee00b98461..ac54f125da 100644
--- a/docs/aclpolkit.html.in
+++ b/docs/aclpolkit.html.in
@@ -287,6 +287,123 @@
+
+
+ The connect_driver parameter describes the
+ client's remote Connection Driver
+ name based on the URI used for the
+ connection.
+
+
+ Since 4.1.0, when calling an API
+ outside the scope of the primary connection driver, the
+ primary driver will attempt to open a secondary connection
+ to the specific API driver in order to process the API. For
+ example, when hypervisor domain processing needs to make an
+ API call within the storage driver or the network filter driver
+ an attempt to open a connection to the "storage" or "nwfilter"
+ driver will be made. Similarly, a "storage" primary connection
+ may need to create a connection to the "secret" driver in order
+ to process secrets for the API. If successful, then calls to
+ those API's will occur in the connect_driver context
+ of the secondary connection driver rather than in the context of
+ the primary driver. This affects the connect_driver
+ returned from rule generation from the action.loookup
+ function. The following table provides a list of the various
+ connection drivers and the connect_driver name
+ used by each regardless of primary or secondary connection.
+ The access denied error message from libvirt will list the
+ connection driver by name that denied the access.
+
+
+
+
+
+
+ Connection Driver
+ connect_driver name
+
+
+
+
+ bhyve
+ bhyve
+
+
+ esx
+ ESX
+
+
+ hyperv
+ Hyper-V
+
+
+ interface
+ interface
+
+
+ libxl
+ xenlight
+
+
+ lxc
+ LXC
+
+
+ network
+ network
+
+
+ nodedev
+ nodedev
+
+
+ nwfilter
+ NWFilter
+
+
+ openvz
+ OPENVZ
+
+
+ phyp
+ PHYP
+
+
+ qemu
+ QEMU
+
+
+ secret
+ secret
+
+
+ storage
+ storage
+
+
+ uml
+ UML
+
+
+ vbox
+ VBOX
+
+
+ vmware
+ VMWARE
+
+
+ vz
+ vz
+
+
+ xenapi
+ XenAPI
+
+
+
+
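Review bot: The added paragraph that begins "Since 4.1.0" misspells the polkit function as "action.loookup" (three o's); it should read "action.lookup", since that is the name a rule author will search the page for. In the same paragraph "those API's" should be "those APIs". The sentence "If successful, then calls to those API's will occur in the connect_driver context of the secondary connection driver" documents only the success path, so please add a sentence saying what a rule sees, or what the caller gets back, when the secondary connection cannot be opened. The table's connect_driver names are mixed case and do not always match the driver name (QEMU for qemu, NWFilter for nwfilter, xenlight for libxl), so it is worth stating in the text whether rules must compare against the string exactly as listed.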
diff --git a/docs/libvirt.css b/docs/libvirt.css
index b2ed33926a..e590b33cfb 100644
--- a/docs/libvirt.css
+++ b/docs/libvirt.css
@@ -393,6 +393,7 @@ table.acl {
table.acl tr, table.acl td {
padding: 0.3em;
+ border: 1px solid #ccc;
}
table.acl thead {
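Review bot: The new "border: 1px solid #ccc;" declaration sits under the shared selector "table.acl tr, table.acl td", so it restyles every table with class acl in the docs, and the commit message describes only the documentation text, not a stylesheet change. Either mention the CSS change in the commit message or scope the rule to the table this patch adds. The "tr" half of the selector only draws a border when the table uses collapsed borders, so check that the rendered result is the one intended.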
--
2.19.1