[libvirt] [PATCH] access: Fix nwfilter-binding ACL access API name generation

https://bugzilla.redhat.com/show_bug.cgi?id=1611320 Generation of the ACL API policy is a "automated process" based on this perl script which "worked" with the changes to add nwfilter binding API's because they had the "nwfilter" prefix; however, the generated output name was incorrect based on the remote protocol algorithm which expected to generate names such as 'nwfilter-binding.action' instead of 'nwfilter.binding-action'. This effectively changes src/access/org.libvirt.api.policy entries: org.libvirt.api.nwfilter.binding-create ==> org.libvirt.api.nwfilter-binding.create org.libvirt.api.nwfilter.binding-delete ==> org.libvirt.api.nwfilter-binding.delete org.libvirt.api.nwfilter.binding-getattr ==> org.libvirt.api.nwfilter-binding.getattr org.libvirt.api.nwfilter.binding-read ==> org.libvirt.api.nwfilter-binding.read Signed-off-by: John Ferlan <jferlan@redhat.com> --- If someone can explain better exactly what is happening in this processing, I'd be more than willing to update the commit message. I'm sure my wording isn't "precise" enough, but I feel like I hit the lottery finding this needle in the haystack. src/access/genpolkit.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/access/genpolkit.pl b/src/access/genpolkit.pl index 968cb8c55c..e074c90eb6 100755 --- a/src/access/genpolkit.pl +++ b/src/access/genpolkit.pl @@ -22,8 +22,8 @@ use warnings; my @objects = ( "CONNECT", "DOMAIN", "INTERFACE", - "NETWORK","NODE_DEVICE", "NWFILTER", - "SECRET", "STORAGE_POOL", "STORAGE_VOL", + "NETWORK","NODE_DEVICE", "NWFILTER_BINDING", "NWFILTER", + "SECRET", "STORAGE_POOL", "STORAGE_VOL", ); my $objects = join ("|", @objects); -- 2.17.1
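Review bot: in the @objects list, the fix works only because "NWFILTER_BINDING" is placed ahead of "NWFILTER": the list is joined with "|" and Perl tries alternatives left to right, yet nothing in the hunk records that ordering constraint. A later reordering, or a new object whose name extends an existing one the way NWFILTER_BINDING extends NWFILTER, would silently regenerate misnamed policy entries again. Suggest a comment above the list saying that longer names must precede the names they extend, or make the join order-independent, e.g. `join("|", sort { length($b) <=> length($a) } @objects)`. The SECRET line is also removed and re-added with no visible difference; if that is a whitespace-only change it would be cleaner to leave it out of this fix.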

On Tue, Aug 21, 2018 at 04:23:25PM -0400, John Ferlan wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=1611320
Generation of the ACL API policy is a "automated process" based on this perl script which "worked" with the changes to add nwfilter binding API's because they had the "nwfilter" prefix; however, the generated output name was incorrect based on the remote protocol algorithm which expected to generate names such as 'nwfilter-binding.action' instead of 'nwfilter.binding-action'.
This effectively changes src/access/org.libvirt.api.policy entries:
org.libvirt.api.nwfilter.binding-create ==> org.libvirt.api.nwfilter-binding.create
org.libvirt.api.nwfilter.binding-delete ==> org.libvirt.api.nwfilter-binding.delete
org.libvirt.api.nwfilter.binding-getattr ==> org.libvirt.api.nwfilter-binding.getattr
org.libvirt.api.nwfilter.binding-read ==> org.libvirt.api.nwfilter-binding.read
Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
---
If someone can explain better exactly what is happening in this processing, I'd be more than willing to update the commit message. I'm sure my wording isn't "precise" enough, but I feel like I hit the lottery finding this needle in the haystack.
As you say, it is simply bad luck because the new APIs happened to match the existing "nwfilter" prefix, so we didn't see the error.
src/access/genpolkit.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/access/genpolkit.pl b/src/access/genpolkit.pl index 968cb8c55c..e074c90eb6 100755 --- a/src/access/genpolkit.pl +++ b/src/access/genpolkit.pl @@ -22,8 +22,8 @@ use warnings;
my @objects = ( "CONNECT", "DOMAIN", "INTERFACE", - "NETWORK","NODE_DEVICE", "NWFILTER", - "SECRET", "STORAGE_POOL", "STORAGE_VOL", + "NETWORK","NODE_DEVICE", "NWFILTER_BINDING", "NWFILTER", + "SECRET", "STORAGE_POOL", "STORAGE_VOL", );
my $objects = join ("|", @objects); -- 2.17.1
Regards,
Daniel
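The prefix collision discussed in this thread, as an added example that is not code from genpolkit.pl or from either poster: it shows how an object list joined with "|" splits permission names, and why the position of "NWFILTER_BINDING" relative to "NWFILTER" decides the generated action name. The `VIR_ACCESS_PERM_<OBJECT>_<ACTION>` input shape, the sample names and the helper `action_name` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: permission names in an assumed
# VIR_ACCESS_PERM_<OBJECT>_<ACTION> shape.
my @perms = qw(
    VIR_ACCESS_PERM_NWFILTER_GETATTR
    VIR_ACCESS_PERM_NWFILTER_BINDING_CREATE
    VIR_ACCESS_PERM_NWFILTER_BINDING_DELETE
    VIR_ACCESS_PERM_NODE_DEVICE_READ
);

# Hypothetical helper: split one permission name into object and action
# using the given object list, joined with "|" as in the patch.
sub action_name {
    my ($perm, @objects) = @_;
    my $objects = join("|", @objects);
    # Perl tries alternatives left to right; the first one that lets the
    # whole pattern match wins, even if a longer name comes later.
    return unless $perm =~ /^VIR_ACCESS_PERM_($objects)_(\w+)$/;
    my ($object, $action) = (lc $1, lc $2);
    tr/_/-/ for $object, $action;
    return "org.libvirt.api.$object.$action";
}

# Shortened object lists (only the names relevant to the collision).
my @before      = ("NODE_DEVICE", "NWFILTER");
my @after       = ("NODE_DEVICE", "NWFILTER_BINDING", "NWFILTER");
my @wrong_order = ("NODE_DEVICE", "NWFILTER", "NWFILTER_BINDING");
# Order-independent variant: longest names first, so a name can never be
# shadowed by its own prefix.
my @by_length   = sort { length($b) <=> length($a) } @wrong_order;

for my $perm (@perms) {
    print "$perm\n";
    printf "  %-14s %s\n", $_->[0],
        action_name($perm, @{ $_->[1] }) // "(no match)"
        for ["before patch", \@before],
            ["after patch",  \@after],
            ["wrong order",  \@wrong_order],
            ["length sort",  \@by_length];
}
```

For the two binding permissions, the "before patch" and "wrong order" lists yield `org.libvirt.api.nwfilter.binding-create` and `org.libvirt.api.nwfilter.binding-delete`, while the "after patch" and "length sort" lists yield the `nwfilter-binding.create` and `nwfilter-binding.delete` forms named in the commit message.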