[PATCH 0/2] Read-only access to node devices

See individual patches.

Peter Krempa (2):
  access: Allow 'node-device.read' permission for anonymous users
  libvirt-nodedev: Allow read-only access to virNodeDeviceGetAutostart

 src/access/viraccessperm.h | 1 +
 src/libvirt-nodedev.c      | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

--
2.39.1

For all other objects we allow the 'read' permission for anonymous users.
In fact the idea is to allow all permissions users using the readonly
connection would have.

This impacts the following APIs (in terms of RPC procedure names):

$ git grep -A 3 node_device:read | grep REMOTE
src/remote/remote_protocol.x- REMOTE_PROC_NODE_DEVICE_GET_XML_DESC = 114,
src/remote/remote_protocol.x- REMOTE_PROC_NODE_DEVICE_GET_PARENT = 115,
src/remote/remote_protocol.x- REMOTE_PROC_NODE_DEVICE_NUM_OF_CAPS = 116,
src/remote/remote_protocol.x- REMOTE_PROC_NODE_DEVICE_LIST_CAPS = 117,
src/remote/remote_protocol.x- REMOTE_PROC_NODE_DEVICE_GET_AUTOSTART = 433,
src/remote/remote_protocol.x- REMOTE_PROC_NODE_DEVICE_IS_PERSISTENT = 435,
src/remote/remote_protocol.x- REMOTE_PROC_NODE_DEVICE_IS_ACTIVE = 436,

Fixes: a93cd08f
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/access/viraccessperm.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h index 051246a7b6..2f04459ed9 100644 --- a/src/access/viraccessperm.h +++ b/src/access/viraccessperm.h @@ -473,6 +473,7 @@ typedef enum { /** * @desc: Read node device * @message: Reading node device configuration requires authorization + * @anonymous: 1 */ VIR_ACCESS_PERM_NODE_DEVICE_READ,
--
2.39.1
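Review bot: the only change is the `@anonymous: 1` line inside the doc comment of VIR_ACCESS_PERM_NODE_DEVICE_READ, so from the compiler's point of view nothing changes and the whole effect comes from the tooling that parses these annotations; make sure the generated outputs that consume viraccessperm.h are rebuilt as part of this change. Since the commit message lists seven RPC procedures (GET_XML_DESC through IS_ACTIVE) that become reachable without authentication, it would help to state explicitly in the message that each of them only reads state, because that is the property the anonymous grant relies on. The annotation itself follows the existing `@desc` / `@message` convention of this block.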

On Fri, Feb 17, 2023 at 04:11:10PM +0100, Peter Krempa wrote:
For all other objects we allow the 'read' permission for anonymous users. In fact the idea is to allow all permissions users using the readonly connection would have.
This impacts the following APIs (in terms of RPC procedure names):
$ git grep -A 3 node_device:read | grep REMOTE
src/remote/remote_protocol.x- REMOTE_PROC_NODE_DEVICE_GET_XML_DESC = 114,
src/remote/remote_protocol.x- REMOTE_PROC_NODE_DEVICE_GET_PARENT = 115,
src/remote/remote_protocol.x- REMOTE_PROC_NODE_DEVICE_NUM_OF_CAPS = 116,
src/remote/remote_protocol.x- REMOTE_PROC_NODE_DEVICE_LIST_CAPS = 117,
src/remote/remote_protocol.x- REMOTE_PROC_NODE_DEVICE_GET_AUTOSTART = 433,
src/remote/remote_protocol.x- REMOTE_PROC_NODE_DEVICE_IS_PERSISTENT = 435,
src/remote/remote_protocol.x- REMOTE_PROC_NODE_DEVICE_IS_ACTIVE = 436,
Fixes: a93cd08f
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/access/viraccessperm.h | 1 +
 1 file changed, 1 insertion(+)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h index 051246a7b6..2f04459ed9 100644 --- a/src/access/viraccessperm.h +++ b/src/access/viraccessperm.h @@ -473,6 +473,7 @@ typedef enum { /** * @desc: Read node device * @message: Reading node device configuration requires authorization + * @anonymous: 1 */ VIR_ACCESS_PERM_NODE_DEVICE_READ,
--
2.39.1

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
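To see what a change like this actually grants, here is an added example (my own code, not libvirt's) that parses the `@desc` / `@message` / `@anonymous` doc-comment annotations in a viraccessperm.h-style header, lists which permissions are available to anonymous (read-only, unauthenticated) clients, and reports which permissions a revision newly moves into that set. The sample header is constructed in the format the hunk shows; the enum layout and the `virAccessPermSample` typedef name are not libvirt's.

```python
"""Audit which libvirt ACL permissions are marked @anonymous in a
viraccessperm.h-style header.  Added example, not libvirt code: it only
parses the doc-comment annotation format shown in the patch."""
import re
from dataclasses import dataclass

# One annotated enum entry, in the format the patch touches:
#     /**
#      * @desc: Read node device
#      * @message: Reading node device configuration requires authorization
#      * @anonymous: 1
#      */
#     VIR_ACCESS_PERM_NODE_DEVICE_READ,
# The body must not run across a '*/' so neighbouring blocks never merge.
BLOCK_RE = re.compile(
    r"/\*\*(?P<body>(?:(?!\*/).)*)\*/\s*(?P<name>VIR_ACCESS_PERM_[A-Z0-9_]+)\s*,",
    re.DOTALL,
)
# One " * @tag: value" line inside the comment body.
TAG_RE = re.compile(r"^\s*\*\s*@(?P<tag>\w+):\s*(?P<value>.*?)\s*$", re.MULTILINE)


@dataclass
class AccessPerm:
    name: str          # enum constant, e.g. VIR_ACCESS_PERM_NODE_DEVICE_READ
    desc: str          # @desc text
    message: str       # @message text (the denial message)
    anonymous: bool    # True when the block carries "@anonymous: 1"


def parse_access_perms(header_text: str) -> list[AccessPerm]:
    """Return every annotated permission in the header, in file order."""
    perms = []
    for block in BLOCK_RE.finditer(header_text):
        tags = {t.group("tag"): t.group("value")
                for t in TAG_RE.finditer(block.group("body"))}
        perms.append(AccessPerm(
            name=block.group("name"),
            desc=tags.get("desc", ""),
            message=tags.get("message", ""),
            anonymous=tags.get("anonymous", "0") == "1",
        ))
    return perms


def anonymous_perms(perms: list[AccessPerm]) -> list[str]:
    """Names of permissions a read-only, unauthenticated client is granted."""
    return sorted(p.name for p in perms if p.anonymous)


def newly_anonymous(before: str, after: str) -> list[str]:
    """Permissions that become anonymous between two header revisions: the
    delta a reviewer wants spelled out for a patch like the one above."""
    old = set(anonymous_perms(parse_access_perms(before)))
    new = set(anonymous_perms(parse_access_perms(after)))
    return sorted(new - old)


# Constructed sample: a cut-down header in the patch's format.  The
# CONNECT_GETATTR entry stands in for the "other objects" whose read-type
# permissions are already anonymous; the node-device entries mirror the
# hunk before and after the "@anonymous: 1" line is added.
HEADER_BEFORE = """
typedef enum {
    /**
     * @desc: Access connection
     * @message: Accessing the hypervisor driver requires authorization
     * @anonymous: 1
     */
    VIR_ACCESS_PERM_CONNECT_GETATTR,

    /**
     * @desc: Read node device
     * @message: Reading node device configuration requires authorization
     */
    VIR_ACCESS_PERM_NODE_DEVICE_READ,

    /**
     * @desc: Write node device
     * @message: Writing node device configuration requires authorization
     */
    VIR_ACCESS_PERM_NODE_DEVICE_WRITE,

    VIR_ACCESS_PERM_NODE_DEVICE_LAST
} virAccessPermSample;
"""
# The same header with the patch's one-line annotation applied.
HEADER_AFTER = HEADER_BEFORE.replace(
    "requires authorization\n     */\n    VIR_ACCESS_PERM_NODE_DEVICE_READ,",
    "requires authorization\n     * @anonymous: 1\n     */\n"
    "    VIR_ACCESS_PERM_NODE_DEVICE_READ,",
)

if __name__ == "__main__":
    for p in parse_access_perms(HEADER_AFTER):
        flag = "anonymous" if p.anonymous else "auth required"
        print(f"{p.name:40s} {flag:14s} {p.desc}")
    print("newly anonymous:", newly_anonymous(HEADER_BEFORE, HEADER_AFTER))
```

Run `newly_anonymous` over the real header before and after a patch to get the permission names that move into the anonymous set; checked against the RPC procedures each permission guards (the `git grep node_device:read` step in the commit message), that list is the review question for a change like this one: does every procedure behind a newly anonymous permission only read state.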

Fetching whether a node-device is marked for autostart can be allowed
from read-only connections similarly to other objects.

Fixes: c6607a25b93
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/libvirt-nodedev.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/libvirt-nodedev.c b/src/libvirt-nodedev.c index 1b7dee113e..366d2cfdbe 100644 --- a/src/libvirt-nodedev.c +++ b/src/libvirt-nodedev.c @@ -1089,7 +1089,6 @@ virNodeDeviceGetAutostart(virNodeDevicePtr dev, virResetLastError(); virCheckNodeDeviceReturn(dev, -1); - virCheckReadOnlyGoto(dev->conn->flags, error); if (dev->conn->nodeDeviceDriver && dev->conn->nodeDeviceDriver->nodeDeviceGetAutostart) {
--
2.39.1
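Review bot: removing `virCheckReadOnlyGoto(dev->conn->flags, error);` drops the client-library guard, so the only remaining gate for read-only callers of virNodeDeviceGetAutostart is the server-side ACL check; this patch therefore depends on the preceding one that marks node-device read as `@anonymous`, and the two should be merged in that order so read-only clients do not move from a read-only error to an ACL denial in between. Also confirm that the `error:` label is still referenced elsewhere in the function (for example by the driver-call failure path) now that this goto is gone, otherwise the compiler will warn about an unused label.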

On Fri, Feb 17, 2023 at 04:11:11PM +0100, Peter Krempa wrote:
Fetching whether a node-device is marked for autostart can be allowed from read-only connections similarly to other objects.
Fixes: c6607a25b93
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/libvirt-nodedev.c | 1 -
 1 file changed, 1 deletion(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|