On 3/6/19 11:47 PM, Eric Blake wrote:
The remote code generator had to be taught about the new
virDomainCheckpointPtr type, at which point the remote driver
code for backups can be generated.
Signed-off-by: Eric Blake <eblake(a)redhat.com>
---
Question for Dan:
+ /**
+ * @generate: both
+ * @acl: domain:checkpoint
+ */
+ REMOTE_PROC_DOMAIN_CHECKPOINT_CREATE_XML = 404,
Patch 8/20 created a new domain:checkpoint access category, which works
well here...
+
+ /**
+ * @generate: both
+ * @acl: domain:checkpoint
+ * @acl: domain:block_read
This one should be block_write, not block_read, because it is copying
out guest data (which could be a security consideration); basically, the
same as virDomainBlockCopy.
+ */
+ REMOTE_PROC_DOMAIN_BACKUP_BEGIN = 415,
...my question is whether it is possible to make the domain:checkpoint
permission be conditional on whether the checkpointXml argument was
supplied. It's unlikely that someone with domain:block_write to copy
disks won't also have domain:checkpoint, but if they aren't creating a
checkpoint, it would be nicer to not require that access right. Is the
only way to do that by having libvirt declare a flag which gets set any
time checkpointXml is non-NULL, so that we can then do
domain:checkpoint:FLAG_NAME? (This would be an unusual case where
libvirt would set the flag on the user's behalf, and where the flag
exists more for the ACL checking than for something inherent to what the
user has to tell the driver). The same question applies to my proposed
virDomainSnapshotCreateXML2 (there, it would be domain:snapshot instead
of domain:block_write as the unconditional permission, but a conditional
permission on domain:checkpoint when checkpointXml is non-NULL would be
nice to figure out).
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization:
qemu.org |
libvirt.org