[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v3 09/11] authz: add QAuthZListFile object type
|
From: |
Dr. David Alan Gilbert |
|
Subject: |
Re: [Qemu-devel] [PATCH v3 09/11] authz: add QAuthZListFile object type for a file access control list |
|
Date: |
Wed, 20 Jun 2018 12:38:42 +0100 |
|
User-agent: |
Mutt/1.10.0 (2018-05-17) |
* Daniel P. Berrangé (address@hidden) wrote:
> On Wed, Jun 20, 2018 at 12:29:38PM +0100, Dr. David Alan Gilbert wrote:
> > * Daniel P. Berrangé (address@hidden) wrote:
> > > On Wed, Jun 20, 2018 at 11:58:01AM +0100, Dr. David Alan Gilbert wrote:
> > > > * Daniel P. Berrangé (address@hidden) wrote:
> > > > > Add a QAuthZListFile object type that implements the QAuthZ
> > > > > interface. This
> > > > > built-in implementation is a proxy around the QAtuhZList object type,
> > > > > initializing it from an external file, and optionally, automatically
> > > > > reloading it whenever it changes.
> > > > >
> > > > > To create an instance of this object via the QMP monitor, the syntax
> > > > > used would be:
> > > > >
> > > > > {
> > > > > "execute": "object-add",
> > > > > "arguments": {
> > > > > "qom-type": "authz-list-file",
> > > > > "id": "authz0",
> > > > > "parameters": {
> > > > > "filename": "/etc/qemu/vnc.acl",
> > > > > "refresh": "yes"
> > > > > }
> > > > > }
> > > > > }
> > > > >
> > > > > If "refresh" is "yes", inotify is used to monitor the file,
> > > > > automatically reloading changes. If an error occurs during reloading,
> > > > > all authorizations will fail until the file is next successfully
> > > > > loaded.
> > > >
> > > > I'm curious about the 'refresh' stuff:
> > > > a) If refresh=no is there a way to explicitly ask for a refresh
> > > > when some tool knows it's finished with fiddling with the file.
> > >
> > > If refresh=no, then you can still use object_del + object_add to
> > > recreate the ACL object which will cause new content to be picked
> > > up.
> >
> > But if I have a VNC/NBD/etc listening, won't it be bound to the old
> > object, so I can't delete the old object?
>
> That's ok actually - the network servers merely record the ID of the
> authz object. They resolve that to an actual object instance at the
> time they do the authorization check, and failsafe to DENY if it is
> missing. So you can safely delete & recreate on the fly.
OK, that needs documenting; binding it at the time of parsing wouldn't
be surprising to anyone except for that use.
Dave
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
--
Dr. David Alan Gilbert / address@hidden / Manchester, UK
- [Qemu-devel] [PATCH v3 01/11] util: add helper APIs for dealing with inotify in portable manner, (continued)
- [Qemu-devel] [PATCH v3 01/11] util: add helper APIs for dealing with inotify in portable manner, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v3 04/11] hw/usb: fix const-ness for string params in MTP driver, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v3 05/11] hw/usb: switch MTP to use new inotify APIs, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v3 07/11] authz: add QAuthZSimple object type for easy whitelist auth checks, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v3 06/11] authz: add QAuthZ object as an authorization base class, Daniel P . Berrangé, 2018/06/20
- [Qemu-devel] [PATCH v3 09/11] authz: add QAuthZListFile object type for a file access control list, Daniel P . Berrangé, 2018/06/20
[Qemu-devel] [PATCH v3 08/11] authz: add QAuthZList object type for an access control list, Daniel P . Berrangé, 2018/06/20
[Qemu-devel] [PATCH v3 10/11] authz: add QAuthZPAM object type for authorizing using PAM, Daniel P . Berrangé, 2018/06/20
[Qemu-devel] [PATCH v3 11/11] authz: delete existing ACL implementation, Daniel P . Berrangé, 2018/06/20