[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v3 09/11] authz: add QAuthZListFile object type
|
From: |
Daniel P . Berrangé |
|
Subject: |
Re: [Qemu-devel] [PATCH v3 09/11] authz: add QAuthZListFile object type for a file access control list |
|
Date: |
Wed, 20 Jun 2018 12:34:42 +0100 |
|
User-agent: |
Mutt/1.9.5 (2018-04-13) |
On Wed, Jun 20, 2018 at 12:29:38PM +0100, Dr. David Alan Gilbert wrote:
> * Daniel P. Berrangé (address@hidden) wrote:
> > On Wed, Jun 20, 2018 at 11:58:01AM +0100, Dr. David Alan Gilbert wrote:
> > > * Daniel P. Berrangé (address@hidden) wrote:
> > > > Add a QAuthZListFile object type that implements the QAuthZ interface.
> > > > This
> > > > built-in implementation is a proxy around the QAtuhZList object type,
> > > > initializing it from an external file, and optionally, automatically
> > > > reloading it whenever it changes.
> > > >
> > > > To create an instance of this object via the QMP monitor, the syntax
> > > > used would be:
> > > >
> > > > {
> > > > "execute": "object-add",
> > > > "arguments": {
> > > > "qom-type": "authz-list-file",
> > > > "id": "authz0",
> > > > "parameters": {
> > > > "filename": "/etc/qemu/vnc.acl",
> > > > "refresh": "yes"
> > > > }
> > > > }
> > > > }
> > > >
> > > > If "refresh" is "yes", inotify is used to monitor the file,
> > > > automatically reloading changes. If an error occurs during reloading,
> > > > all authorizations will fail until the file is next successfully
> > > > loaded.
> > >
> > > I'm curious about the 'refresh' stuff:
> > > a) If refresh=no is there a way to explicitly ask for a refresh
> > > when some tool knows it's finished with fiddling with the file.
> >
> > If refresh=no, then you can still use object_del + object_add to
> > recreate the ACL object which will cause new content to be picked
> > up.
>
> But if I have a VNC/NBD/etc listening, won't it be bound to the old
> object, so I can't delete the old object?
That's ok actually - the network servers merely record the ID of the
authz object. They resolve that to an actual object instance at the
time they do the authorization check, and failsafe to DENY if it is
missing. So you can safely delete & recreate on the fly.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
- [Qemu-devel] [PATCH v3 03/11] hw/usb: don't set IN_ISDIR for inotify watch in MTP driver, (continued)
- [Qemu-devel] [PATCH v3 03/11] hw/usb: don't set IN_ISDIR for inotify watch in MTP driver, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v3 01/11] util: add helper APIs for dealing with inotify in portable manner, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v3 04/11] hw/usb: fix const-ness for string params in MTP driver, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v3 05/11] hw/usb: switch MTP to use new inotify APIs, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v3 07/11] authz: add QAuthZSimple object type for easy whitelist auth checks, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v3 06/11] authz: add QAuthZ object as an authorization base class, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v3 09/11] authz: add QAuthZListFile object type for a file access control list, Daniel P . Berrangé, 2018/06/20
[Qemu-devel] [PATCH v3 08/11] authz: add QAuthZList object type for an access control list, Daniel P . Berrangé, 2018/06/20
[Qemu-devel] [PATCH v3 10/11] authz: add QAuthZPAM object type for authorizing using PAM, Daniel P . Berrangé, 2018/06/20
[Qemu-devel] [PATCH v3 11/11] authz: delete existing ACL implementation, Daniel P . Berrangé, 2018/06/20