
On 19.06.2013 19:00, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
Extend the 'gendispatch.pl' script to be able to generate three new types of file.
- 'aclheader' - defines signatures of helper APIs for doing authorization checks. There is one helper API for each API requiring an auth check. Any @acl annotations result in a method being generated with a suffix of 'EnsureACL'. If the ACL check requires examination of flags, an extra 'flags' param will be present. Some examples
    extern int virConnectBaselineCPUEnsureACL(void);
    extern int virConnectDomainEventDeregisterEnsureACL(virDomainDefPtr domain);
    extern int virDomainAttachDeviceFlagsEnsureACL(virDomainDefPtr domain, unsigned int flags);
Any @aclfilter annotations result in a method being generated with a suffix of 'CheckACL'.
    extern int virConnectListAllDomainsCheckACL(virDomainDefPtr domain);
These are used for filtering individual objects from APIs which return a list of objects
- 'aclbody' - defines the actual implementation of the methods described above. This calls into the access manager APIs. A complex example:
    /* Returns: -1 on error (denied==error), 0 on allowed */
    int virDomainAttachDeviceFlagsEnsureACL(virConnectPtr conn,
                                            virDomainDefPtr domain,
                                            unsigned int flags)
    {
        virAccessManagerPtr mgr;
        int rv;

        if (!(mgr = virAccessManagerGetDefault()))
            return -1;
The virAccessManagerGetDefault increments the refcount on @mgr. However, you are not decrementing it anywhere.
        if ((rv = virAccessManagerCheckDomain(mgr, conn->driver->name, domain, VIR_ACCESS_PERM_DOMAIN_WRITE)) <= 0) {
            if (rv == 0)
                virReportError(VIR_ERR_ACCESS_DENIED, NULL);
            return -1;
        }
        if (((flags & (VIR_DOMAIN_AFFECT_CONFIG|VIR_DOMAIN_AFFECT_LIVE)) == 0) &&
            (rv = virAccessManagerCheckDomain(mgr, conn->driver->name, domain, VIR_ACCESS_PERM_DOMAIN_SAVE)) <= 0) {
            if (rv == 0)
                virReportError(VIR_ERR_ACCESS_DENIED, NULL);
            return -1;
        }
        if (((flags & (VIR_DOMAIN_AFFECT_CONFIG)) == (VIR_DOMAIN_AFFECT_CONFIG)) &&
            (rv = virAccessManagerCheckDomain(mgr, conn->driver->name, domain, VIR_ACCESS_PERM_DOMAIN_SAVE)) <= 0) {
            if (rv == 0)
                virReportError(VIR_ERR_ACCESS_DENIED, NULL);
            return -1;
        }
        return 0;
    }
- 'aclsyms' - generates a linker script to export the APIs to drivers. Some examples
    virConnectBaselineCPUEnsureACL;
    virConnectCompareCPUEnsureACL;

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 .gitignore             |   9 +++
 src/Makefile.am        |  55 ++++++++++++-
 src/rpc/gendispatch.pl | 209 ++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 268 insertions(+), 5 deletions(-)
Michal
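
The reference leak raised in the review, shown as an added example that is not libvirt code and not part of either message: a helper that takes a reference for each authorization check and returns without dropping it, next to the same checks with a single cleanup path. The `mock_*` functions, `PERM_*` and `AFFECT_*` names are hypothetical stand-ins, and the flag logic is reduced to one case.

```c
#include <stdio.h>
/* Constructed stand-in for a refcounted access manager; not libvirt code. */
typedef struct { int refs; int allow_write; int allow_save; } mock_mgr;
static mock_mgr default_mgr = { 1, 1, 0 };  /* one baseline reference */
enum { PERM_WRITE, PERM_SAVE };             /* hypothetical permissions */
#define AFFECT_LIVE   (1u << 0)             /* hypothetical flag values */
#define AFFECT_CONFIG (1u << 1)
/* The getter hands out a new reference, as the review says of the real one. */
static mock_mgr *mock_mgr_get_default(void) { default_mgr.refs++; return &default_mgr; }
static void mock_mgr_unref(mock_mgr *m) { if (m) m->refs--; }
static int mock_check(mock_mgr *m, int perm) { return perm == PERM_WRITE ? m->allow_write : m->allow_save; }
int mock_refs(void) { return default_mgr.refs; }

/* Shape of the quoted body: every return path keeps the reference. */
int ensure_acl_leaky(unsigned int flags)
{
    mock_mgr *mgr;
    if (!(mgr = mock_mgr_get_default()))
        return -1;
    if (mock_check(mgr, PERM_WRITE) <= 0)
        return -1;
    if ((flags & AFFECT_CONFIG) && mock_check(mgr, PERM_SAVE) <= 0)
        return -1;
    return 0;
}

/* Same checks, with one exit path that drops the reference. */
int ensure_acl_fixed(unsigned int flags)
{
    mock_mgr *mgr;
    int ret = -1;
    if (!(mgr = mock_mgr_get_default()))
        return -1;
    if (mock_check(mgr, PERM_WRITE) <= 0)
        goto cleanup;
    if ((flags & AFFECT_CONFIG) && mock_check(mgr, PERM_SAVE) <= 0)
        goto cleanup;
    ret = 0;
 cleanup:
    mock_mgr_unref(mgr);
    return ret;
}

int main(void)
{
    ensure_acl_fixed(AFFECT_CONFIG);  printf("fixed: refs=%d\n", mock_refs());
    ensure_acl_leaky(AFFECT_CONFIG);  printf("leaky: refs=%d\n", mock_refs());
    return 0;
}
```

With the leaky shape the count grows by one per call on both the allowed and the denied path, so the manager object can never be released.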