<td>secret_usage_target</td>
<td>Name of the associated iSCSI target, if any</td>
</tr>
+ <tr>
+ <td>secret_usage_name</td>
+ <td>Name of the associated TLS secret, if any</td>
+ </tr>
</tbody>
</table>
<dd>
Specifies what this secret is used for. A mandatory
<code>type</code> attribute specifies the usage category, currently
- only <code>volume</code>, <code>ceph</code>, and <code>iscsi</code>
- are defined. Specific usage categories are described below.
+ only <code>volume</code>, <code>ceph</code>, <code>iscsi</code>,
+ and <code>tls</code> are defined. Specific usage categories
+ are described below.
</dd>
</dl>
</auth>
</pre>
+ <h3><a name="tlsUsageType">Usage type "tls"</a></h3>
+
+ <p>
+ This secret may be used in order to provide the passphrase for the
+ private key used to provide TLS credentials.
+ The <code><usage type='tls'></code> element must contain a
+ single <code>name</code> element that specifies a usage name
+ for the secret.
+ <span class="since">Since 2.3.0</span>.
+ The following is an example of the expected XML and processing to
+ define the secret:
+ </p>
+
+ <pre>
+ # cat tls-secret.xml
+ <secret ephemeral='no' private='yes'>
+ <description>sample tls secret</description>
+ <usage type='tls'>
+ <name>TLS_example</name>
+ </usage>
+ </secret>
+
+ # virsh secret-define tls-secret.xml
+ Secret 718c71bd-67b5-4a2b-87ec-a24e8ca200dc created
+
+ # virsh secret-list
+ UUID Usage
+ -----------------------------------------------------------
+ 718c71bd-67b5-4a2b-87ec-a24e8ca200dc tls TLS_example
+ #
+
+ </pre>
+
+ <p>
+ A secret may also be defined via the
+ <a href="html/libvirt-libvirt-secret.html#virSecretDefineXML">
+ <code>virSecretDefineXML</code></a> API.
+
+ Once the secret is defined, a secret value will need to be set. The
+ secret would be the passphrase used to access the TLS credentials.
+ The following is a simple example of using
+ <code>virsh secret-set-value</code> to set the secret value. The
+ <a href="html/libvirt-libvirt-secret.html#virSecretSetValue">
+ <code>virSecretSetValue</code></a> API may also be used to set
+ a more secure secret without using printable/readable characters.
+ </p>
+
+ <pre>
+ # MYSECRET=`printf %s "letmein" | base64`
+ # virsh secret-set-value 718c71bd-67b5-4a2b-87ec-a24e8ca200dc $MYSECRET
+ Secret value set
+
+ </pre>
+
</body>
</html>
<ref name='usagevolume'/>
<ref name='usageceph'/>
<ref name='usageiscsi'/>
+ <ref name='usagetls'/>
<!-- More choices later -->
</choice>
</element>
</element>
</define>
+ <define name='usagetls'>
+ <attribute name='type'>
+ <value>tls</value>
+ </attribute>
+ <element name='name'>
+ <ref name='genericName'/>
+ </element>
+ </define>
+
</grammar>
VIR_SECRET_USAGE_TYPE_VOLUME = 1,
VIR_SECRET_USAGE_TYPE_CEPH = 2,
VIR_SECRET_USAGE_TYPE_ISCSI = 3,
+ VIR_SECRET_USAGE_TYPE_TLS = 4,
# ifdef VIR_ENUM_SENTINELS
VIR_SECRET_USAGE_TYPE_LAST
virAccessPermSecretTypeToString(perm),
attrs);
} break;
+ case VIR_SECRET_USAGE_TYPE_TLS: {
+ const char *attrs[] = {
+ "connect_driver", driverName,
+ "secret_uuid", uuidstr,
+ "secret_usage_name", secret->usage.name,
+ NULL,
+ };
+
+ return virAccessDriverPolkitCheck(manager,
+ "secret",
+ virAccessPermSecretTypeToString(perm),
+ attrs);
+ } break;
}
}
#include "secret_conf.h"
#include "virsecretobj.h"
#include "virerror.h"
+#include "virstring.h"
#include "virxml.h"
#include "viruuid.h"
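Review bot: Nothing in the secret_conf.c hunks of this commit uses a symbol from the newly added `#include "virstring.h"`; the TLS cases only call virXPathString, VIR_FREE and virBufferEscapeString, the same helpers the existing iscsi cases in the surrounding context already rely on. If no other part of the file needs it, drop the include rather than carrying an unused dependency; if it is needed, the commit message should say which helper motivates it. Only part of the include block is visible here, so this is inferred from the hunks shown.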
VIR_LOG_INIT("conf.secret_conf");
VIR_ENUM_IMPL(virSecretUsage, VIR_SECRET_USAGE_TYPE_LAST,
- "none", "volume", "ceph", "iscsi")
+ "none", "volume", "ceph", "iscsi", "tls")
const char *
virSecretUsageIDForDef(virSecretDefPtr def)
case VIR_SECRET_USAGE_TYPE_ISCSI:
return def->usage.target;
+ case VIR_SECRET_USAGE_TYPE_TLS:
+ return def->usage.name;
+
default:
return NULL;
}
VIR_FREE(def->usage.target);
break;
+ case VIR_SECRET_USAGE_TYPE_TLS:
+ VIR_FREE(def->usage.name);
+ break;
+
default:
VIR_ERROR(_("unexpected secret usage type %d"), def->usage_type);
break;
}
break;
+ case VIR_SECRET_USAGE_TYPE_TLS:
+ def->usage.name = virXPathString("string(./usage/name)", ctxt);
+ if (!def->usage.name) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("TLS usage specified, but name is missing"));
+ return -1;
+ }
+ break;
+
default:
virReportError(VIR_ERR_INTERNAL_ERROR,
_("unexpected secret usage type %d"),
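Review bot: The missing-`<name>` check reports a malformed input document as an internal error, `virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("TLS usage specified, but name is missing"));`, so a caller cannot distinguish bad secret XML from a driver bug; `VIR_ERR_XML_ERROR` describes the condition better. The sibling ceph/iscsi cases are outside the hunk, so if they already use VIR_ERR_INTERNAL_ERROR this is a pre-existing inconsistency worth fixing together rather than only for tls. Note that the only validation applied here is presence of the element; uniqueness of a TLS usage name across defined secrets is presumably enforced by the lookup path that the new virSecretUsageIDForDef case feeds, which is not visible in this hunk. The enclosing parse function starts and ends outside the hunk.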
virBufferEscapeString(buf, "<target>%s</target>\n", def->usage.target);
break;
+ case VIR_SECRET_USAGE_TYPE_TLS:
+ virBufferEscapeString(buf, "<name>%s</name>\n", def->usage.name);
+ break;
+
default:
virReportError(VIR_ERR_INTERNAL_ERROR,
_("unexpected secret usage type %d"),
char *volume; /* May be NULL */
char *ceph;
char *target;
+ char *name;
} usage;
};
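Review bot: The new `char *name;` member carries no comment, while the neighbouring `volume` field documents its nullability; since the parser in this commit rejects a TLS usage whose `<name>` is missing, the field is never NULL for a successfully parsed TLS secret, and a one-line comment should record that, e.g. `char *name;     /* TLS usage name; required for VIR_SECRET_USAGE_TYPE_TLS */`. If these members share a union (the opening keyword is outside the hunk), the comment also helps readers see which field is valid for which usage_type, which is what the STREQ in virsecretobj.c depends on. The enclosing struct declaration starts outside the hunk.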
if (STREQ(secret->def->usage.target, data->usageID))
found = 1;
break;
+
+ case VIR_SECRET_USAGE_TYPE_TLS:
+ if (STREQ(secret->def->usage.name, data->usageID))
+ found = 1;
+ break;
}
cleanup:
--- /dev/null
+<secret ephemeral='no' private='no'>
+ <uuid>f52a81b2-424e-490c-823d-6bd4235bc572</uuid>
+ <description>Sample TLS Secret</description>
+ <usage type='tls'>
+ <name>mumblyfratz</name>
+ </usage>
+</secret>
DO_TEST("usage-volume");
DO_TEST("usage-ceph");
DO_TEST("usage-iscsi");
+ DO_TEST("usage-tls");
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}