From: John Ferlan Date: Sat, 13 Jul 2013 18:29:55 +0000 (-0400) Subject: storage_pool: Rework chap XML to mimic ceph X-Git-Tag: CVE-2013-4154~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb0d79c64be49950a42497c79709c1386bf588ce;p=thirdparty%2Flibvirt.git storage_pool: Rework chap XML to mimic ceph The existing 'chap' XML logic was never used - just defined. Rather than try to insert a square peg into a round hole, blow it up and rewrite the logic to follow the 'ceph' format. Remove the former "chap.login" and "chap.passwd" fields and replace with "chap.username" and "chap.secret" in _virStoragePoolAuthChap. Adjust the virStoragePoolDefParseAuthChap() to process. Change the rng file to describe the new layout Update the formatstorage.html to describe the usage of the secret element to mention that the secret type "iscsi" and "ceph" can be used to storage pool too. Update the formatsecret.html to include a reference to the storage pool Update tests to handle the changes from 'login' and 'passwd' to 'username' and '' format --- diff --git a/docs/formatsecret.html.in b/docs/formatsecret.html.in index 50c9533648..3e306b5566 100644 --- a/docs/formatsecret.html.in +++ b/docs/formatsecret.html.in @@ -64,8 +64,9 @@ a single name element that specifies a usage name for the secret. The Ceph secret can then be used by UUID or by this usage name via the <auth> element of - a disk - device. Since 0.9.7. + a disk device or + a storage pool (rbd). + Since 0.9.7.

Usage type "iscsi"

@@ -76,8 +77,9 @@ a single target element that specifies a usage name for the secret. The iSCSI secret can then be used by UUID or by this usage name via the <auth> element of - a disk - device. Since 1.0.4. + a disk device or + a storage pool (iscsi). + Since 1.0.4.

Example

diff --git a/docs/formatstorage.html.in b/docs/formatstorage.html.in index d702eb17d1..f4d561fcf0 100644 --- a/docs/formatstorage.html.in +++ b/docs/formatstorage.html.in @@ -72,6 +72,9 @@ <source> <host name="iscsi.example.com"/> <device path="demo-target"/> + <auth type='chap' username='myname'> + <secret type='iscsi' usage='mycluster_myname'/> + </auth> <vendor name="Acme"/> <product name="model"/> </source> @@ -79,7 +82,6 @@ 
         ...
-        <source>
         <source>
           <adapter type='fc_host' parent='scsi_host5' wwnn='20000000c9831b4b' wwpn='10000000c9831b4b'/>
         </source>
@@ -123,6 +125,27 @@
         which is the hostname or IP address of the server. May optionally
         contain a port attribute for the protocol specific
         port number. Since 0.4.1
+      
auth

+      
If present, the auth element provides the
+        authentication credentials needed to access the source by the
+        setting of the type attribute. The type
+        must be either "chap" or "ceph". Additionally a mandatory attribute
+        username identifies the username to use during
+        authentication as well as a sub-element secret with
+        a mandatory attribute type, to tie back to a
+        libvirt secret object that
+        holds the actual password or other credentials. The domain XML
+        intentionally does not expose the password, only the reference
+        to the object that manages the password. The secret element
+        type must be either "ceph" or "iscsi". Use "ceph" for
+        Ceph RBD (Rados Block Device) network sources and use "iscsi" for CHAP
+        (Challenge-Handshake Authentication Protocol) iSCSI targets.
+        The secret element requires either a uuid
+        attribute with the UUID of the secret object or a usage
+        attribute matching the key that was specified in the
+        secret object.  Since 0.9.7 for "ceph" and
+        1.1.1 for "chap"
+      

       
name

       
Provides the source for pools backed by storage from a
         named element (e.g., a logical volume group name).
diff --git a/docs/schemas/storagepool.rng b/docs/schemas/storagepool.rng
index 3c2158a18f..6da3c11ac1 100644
--- a/docs/schemas/storagepool.rng
+++ b/docs/schemas/storagepool.rng
@@ -286,22 +286,10 @@
           ceph
         
       
-      
-        
-          
-        
-        
-          
-        
-      
-      
-        
-          
-        
-      
-      
-        
-      
+      
+        
+      
+      
     
   
 
diff --git a/src/conf/storage_conf.c b/src/conf/storage_conf.c
index 1097de8c11..404545a453 100644
--- a/src/conf/storage_conf.c
+++ b/src/conf/storage_conf.c
@@ -365,8 +365,8 @@ virStoragePoolSourceClear(virStoragePoolSourcePtr source)
     VIR_FREE(source->product);
 
     if (source->authType == VIR_STORAGE_POOL_AUTH_CHAP) {
-        VIR_FREE(source->auth.chap.login);
-        VIR_FREE(source->auth.chap.passwd);
+        VIR_FREE(source->auth.chap.username);
+        VIR_FREE(source->auth.chap.secret.usage);
     }
 
     if (source->authType == VIR_STORAGE_POOL_AUTH_CEPHX) {
@@ -461,21 +461,44 @@ static int
 virStoragePoolDefParseAuthChap(xmlXPathContextPtr ctxt,
                                virStoragePoolAuthChapPtr auth)
 {
-    auth->login = virXPathString("string(./auth/@login)", ctxt);
-    if (auth->login == NULL) {
+    char *uuid = NULL;
+    int ret = -1;
+
+    auth->username = virXPathString("string(./auth/@username)", ctxt);
+    if (auth->username == NULL) {
         virReportError(VIR_ERR_XML_ERROR, "%s",
-                       _("missing auth login attribute"));
+                       _("missing auth username attribute"));
         return -1;
     }
 
-    auth->passwd = virXPathString("string(./auth/@passwd)", ctxt);
-    if (auth->passwd == NULL) {
+    uuid = virXPathString("string(./auth/secret/@uuid)", ctxt);
+    auth->secret.usage = virXPathString("string(./auth/secret/@usage)", ctxt);
+    if (uuid == NULL && auth->secret.usage == NULL) {
         virReportError(VIR_ERR_XML_ERROR, "%s",
-                       _("missing auth passwd attribute"));
+                       _("missing auth secret uuid or usage attribute"));
         return -1;
     }
 
-    return 0;
+    if (uuid != NULL) {
+        if (auth->secret.usage != NULL) {
+            virReportError(VIR_ERR_XML_ERROR, "%s",
+                           _("either auth secret uuid or usage expected"));
+            goto cleanup;
+        }
+        if (virUUIDParse(uuid, auth->secret.uuid) < 0) {
+            virReportError(VIR_ERR_XML_ERROR, "%s",
+                           _("invalid auth secret uuid"));
+            goto cleanup;
+        }
+        auth->secret.uuidUsable = true;
+    } else {
+        auth->secret.uuidUsable = false;
+    }
+
+    ret = 0;
+cleanup:
+    VIR_FREE(uuid);
+    return ret;
 }
 
 static int
@@ -1134,16 +1157,13 @@ virStoragePoolSourceFormat(virBufferPtr buf,
         virBufferAsprintf(buf,"    \n", format);
     }
 
-    if (src->authType == VIR_STORAGE_POOL_AUTH_CHAP)
-        virBufferAsprintf(buf,"    \n",
+    if (src->authType == VIR_STORAGE_POOL_AUTH_CHAP ||
+        src->authType == VIR_STORAGE_POOL_AUTH_CEPHX) {
+        virBufferAsprintf(buf,"    \n",
                           virStoragePoolAuthTypeTypeToString(src->authType),
-                          src->auth.chap.login,
-                          src->auth.chap.passwd);
-
-    if (src->authType == VIR_STORAGE_POOL_AUTH_CEPHX) {
-        virBufferAsprintf(buf,"    \n",
-                          src->auth.cephx.username,
-                          virStoragePoolAuthTypeTypeToString(src->authType));
+                          (src->authType == VIR_STORAGE_POOL_AUTH_CHAP ?
+                           src->auth.chap.username :
+                           src->auth.cephx.username));
 
         virBufferAddLit(buf,"      auth.cephx.secret.uuidUsable) {
diff --git a/src/conf/storage_conf.h b/src/conf/storage_conf.h
index 5fbecf4874..fd9b2e7627 100644
--- a/src/conf/storage_conf.h
+++ b/src/conf/storage_conf.h
@@ -162,8 +162,8 @@ struct _virStoragePoolAuthSecret {
 typedef struct _virStoragePoolAuthChap virStoragePoolAuthChap;
 typedef virStoragePoolAuthChap *virStoragePoolAuthChapPtr;
 struct _virStoragePoolAuthChap {
-    char *login;
-    char *passwd;
+    char *username;
+    virStoragePoolAuthSecret secret;
 };
 
 typedef struct _virStoragePoolAuthCephx virStoragePoolAuthCephx;
diff --git a/tests/storagepoolxml2xmlin/pool-iscsi-auth.xml b/tests/storagepoolxml2xmlin/pool-iscsi-auth.xml
index f7d4d52aa4..c81eb6094b 100644
--- a/tests/storagepoolxml2xmlin/pool-iscsi-auth.xml
+++ b/tests/storagepoolxml2xmlin/pool-iscsi-auth.xml
@@ -4,7 +4,9 @@
   
     
     
-    
+    
+      
+    
   
   
     /dev/disk/by-path
diff --git a/tests/storagepoolxml2xmlin/pool-iscsi-vendor-product.xml b/tests/storagepoolxml2xmlin/pool-iscsi-vendor-product.xml
index 01fbd9b7ce..821feb1c66 100644
--- a/tests/storagepoolxml2xmlin/pool-iscsi-vendor-product.xml
+++ b/tests/storagepoolxml2xmlin/pool-iscsi-vendor-product.xml
@@ -4,7 +4,9 @@
   
     
     
-    
+    
+      
+    
     
     
   
diff --git a/tests/storagepoolxml2xmlout/pool-iscsi-auth.xml b/tests/storagepoolxml2xmlout/pool-iscsi-auth.xml
index 4fa8f6493a..3d84c1c102 100644
--- a/tests/storagepoolxml2xmlout/pool-iscsi-auth.xml
+++ b/tests/storagepoolxml2xmlout/pool-iscsi-auth.xml
@@ -7,7 +7,9 @@
   
     
     
-    
+    
+      
+    
   
   
     /dev/disk/by-path
diff --git a/tests/storagepoolxml2xmlout/pool-iscsi-vendor-product.xml b/tests/storagepoolxml2xmlout/pool-iscsi-vendor-product.xml
index 6ae1c393d6..4fb19bb708 100644
--- a/tests/storagepoolxml2xmlout/pool-iscsi-vendor-product.xml
+++ b/tests/storagepoolxml2xmlout/pool-iscsi-vendor-product.xml
@@ -7,7 +7,9 @@
   
     
     
-    
+    
+      
+    
     
     
   
diff --git a/tests/storagepoolxml2xmlout/pool-rbd.xml b/tests/storagepoolxml2xmlout/pool-rbd.xml
index 309a6d9076..4fe2fce767 100644
--- a/tests/storagepoolxml2xmlout/pool-rbd.xml
+++ b/tests/storagepoolxml2xmlout/pool-rbd.xml
@@ -8,7 +8,7 @@
     rbd
     
     
-    
+