Re: [Qemu-devel] [PATCH v2 09/11] authz: add QAuthZListFile object type
From: Eric Blake
Subject: Re: [Qemu-devel] [PATCH v2 09/11] authz: add QAuthZListFile object type for a file access control list
Date: Thu, 21 Jun 2018 10:30:59 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
On 06/15/2018 10:42 AM, Daniel P. Berrangé wrote:
Add a QAuthZListFile object type that implements the QAuthZ interface. This
built-in implementation is a proxy around the QAuthZList object type,
initializing it from an external file, and optionally, automatically
reloading it whenever it changes.
To create an instance of this object via the QMP monitor, the syntax
used would be:
{
  "execute": "object-add",
  "arguments": {
    "qom-type": "authz-list",
    "id": "auth0",
    "parameters": {
      "filename": "/etc/qemu/vnc.acl",
      "refresh": "yes"
Would this be better as a JSON bool instead of a "yes"/"no" string?
TAB damage.
    }
  }
}
If "refresh" is "yes", inotify is used to monitor the file,
automatically reloading changes. If an error occurs during reloading,
all authorizations will fail until the file is next successfully
loaded.
The /etc/qemu/vnc.acl file would contain a JSON representation of a
QAuthZList object
{
  "rules": [
    { "match": "fred", "policy": "allow", "format": "exact" },
    { "match": "bob", "policy": "allow", "format": "exact" },
    { "match": "danb", "policy": "deny", "format": "exact" },
    { "match": "dan*", "policy": "allow", "format": "glob" }
  ],
  "policy": "deny"
}
This sets up an authorization rule that allows 'fred', 'bob' and anyone
whose name starts with 'dan', except for 'danb'. Everyone unmatched is
denied.
The object can be loaded on the comand line using
s/comand/command/
-object authz-list-file,id=authz0,filename=/etc/qemu/vnc.acl,refresh=yes
Double dash, for the sake of qemu-img
Signed-off-by: Daniel P. Berrangé <address@hidden>
---
+/**
+ * QAuthZListFile:
+ *
+ * This authorization driver provides a file mechanism
+ * for granting access by matching user names against a
+ * file of globs. Each match rule has an associated policy
+ * and a catch all policy applies if no rule matches
+ *
+ * To create an instance of this class via QMP:
+ *
+ * {
+ * "execute": "object-add",
+ * "arguments": {
+ * "qom-type": "authz-list-file",
+ * "id": "authz0",
+ * "parameters": {
+ * "filename": "/etc/qemu/myvm-vnc.acl",
+ * "refresh": "yes"
+ * }
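Review bot: the header comment describes the input as "a file of globs", but every rule in the file carries a "format" that is either "exact" or "glob" (see the example in the commit message), so "a file of match rules, each matched exactly or as a glob" would be accurate; the sentence "a catch all policy applies if no rule matches" is also missing its full stop. It would also be worth stating here what the commit message says about reload failures, namely that every authorization check fails until the file next loads successfully, since that is the behaviour an administrator editing the file live needs to know.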
If you change the commit message to use bool, also change this comment
to match.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
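The ACL file format and the reload semantics described in the quoted commit message, modelled as an added Python example (this is not QEMU's code): load_acl() validates the JSON body, is_allowed() applies the rules with the catch-all policy, and reload_acl() returns None for a bad file so that every check is denied until a good reload, as the commit message specifies. Two assumptions are made: the first matching rule wins (inferred from the danb-before-dan* ordering in the example), and the constructed ACL_TEXT uses the rule formats the prose describes (danb exact deny, dan* glob allow).

```python
import fnmatch
import json

def load_acl(text):
    """Parse ACL JSON into (rules, default_policy); raise ValueError on any defect."""
    try:
        doc = json.loads(text)
        rules, default = doc["rules"], doc["policy"]
        for r in rules:
            if r["format"] not in ("exact", "glob") or r["policy"] not in ("allow", "deny"):
                raise ValueError("bad rule: %r" % (r,))
            if not isinstance(r["match"], str):
                raise ValueError("match must be a string: %r" % (r,))
    except (KeyError, TypeError) as e:
        raise ValueError("malformed ACL: %r" % (e,)) from e
    if default not in ("allow", "deny"):
        raise ValueError("bad default policy: %r" % (default,))
    return rules, default

def reload_acl(text):
    """Models refresh=yes: a bad file yields None, which is_allowed treats as deny-all."""
    try:
        return load_acl(text)
    except ValueError:
        return None

def is_allowed(acl, identity):
    """First matching rule wins (assumed); the catch-all policy applies when none matches."""
    if acl is None:  # no valid ruleset loaded: fail closed until the next good reload
        return False
    rules, default = acl
    for r in rules:
        if r["format"] == "exact":
            hit = identity == r["match"]
        else:
            hit = fnmatch.fnmatchcase(identity, r["match"])  # glob, case-sensitive
        if hit:
            return r["policy"] == "allow"
    return default == "allow"

# Constructed ACL body; rule formats follow the prose (danb denied exactly, dan* as a glob).
ACL_TEXT = """{
  "rules": [
    { "match": "fred", "policy": "allow", "format": "exact" },
    { "match": "bob",  "policy": "allow", "format": "exact" },
    { "match": "danb", "policy": "deny",  "format": "exact" },
    { "match": "dan*", "policy": "allow", "format": "glob" }
  ],
  "policy": "deny"
}"""
```

Swapping the order of the danb and dan* rules would let danb through, which is why rule order matters in this format.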